add a transition rule

Vadym Chepkov chepkov at yahoo.com
Sun Jul 19 13:33:51 UTC 2009


I created httpd_svn_script_t for this exact purpose; I don't think another one is required.

sendmail_domtrans(httpd_svn_script_t) is the rule then?
Thank you, I will try it.

Sincerely yours,
  Vadym Chepkov


--- On Sun, 7/19/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: add a transition rule
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Sunday, July 19, 2009, 7:06 AM
> On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
> > Hi,
> > 
> > I have a script, executed by apache, which is running in httpd_svn_script_t domain. This script calls svn-mailer(bin_t) which in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous amount of avc's. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
> > And for that matter, if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
> 
> Not sure about all this (sesearch and review of source policy might reveal the answer). I am not in my usual location so I cannot verify at the moment, however my personal opinion is that you might as well write some policy yourself to make this happen. Those httpd booleans are generally coarse grained.
> 
> If you write a policy for your script and do a transition from httpd_svn_script_t to myscript_t and then allow myscript_t to transition to the mail domain (probably something like sendmail_domtrans(myscript_t)). That way you do not pollute your httpd_svn_script_t domain too much with access vectors that are really meant for your script and not svn.
> 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
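A reference-policy module implementing the approach Dominick describes (a dedicated domain between the svn hook and sendmail), added here as an example and not code from the thread. It assumes the module name svnmailer, the new types svnmailer_t/svnmailer_exec_t, and that svn-mailer lives at /usr/bin/svn-mailer.

```selinux
# svnmailer.te  (constructed example; module and type names are assumptions)
policy_module(svnmailer, 1.0)

########################################
#
# Declarations
#

type svnmailer_t;
type svnmailer_exec_t;
application_domain(svnmailer_t, svnmailer_exec_t)

########################################
#
# Local policy
#

gen_require(`
	type httpd_svn_script_t;
')

# When the svn hook script (httpd_svn_script_t) executes a file labelled
# svnmailer_exec_t, run it in svnmailer_t instead of staying in the hook's
# domain. domtrans_pattern also grants the fd/fifo/sigchld access the new
# domain needs to inherit the hook's pipes.
domtrans_pattern(httpd_svn_script_t, svnmailer_exec_t, svnmailer_t)

# svn-mailer is a Python program: let it execute the interpreter and
# helpers that carry the generic bin_t label.
corecmd_exec_bin(svnmailer_t)

# The actual fix: svnmailer_t may execute sendmail_exec_t and transition
# into sendmail_t, so sendmail's own AVCs no longer land on
# httpd_svn_script_t.
sendmail_domtrans(svnmailer_t)

# Anything svn-mailer itself needs (its config, the repository) will now
# show up as denials against svnmailer_t; review them with audit2allow and
# add the rules here rather than to the hook domain.

# svnmailer.fc (file contexts; the path is an assumption):
#   /usr/bin/svn-mailer  --  gen_context(system_u:object_r:svnmailer_exec_t,s0)
#
# Build and load with the selinux-policy-devel headers:
#   make -f /usr/share/selinux/devel/Makefile svnmailer.pp
#   semodule -i svnmailer.pp
#   restorecon -v /usr/bin/svn-mailer
```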