add a transition rule

Daniel J Walsh dwalsh at redhat.com
Thu Jul 23 18:00:57 UTC 2009


On 07/19/2009 09:33 AM, Vadym Chepkov wrote:
> I created httpd_svn_script_t for this exact purpose, I don't think another one is required.
> 
> sendmail_domtrans(httpd_svn_script_t) is the rule then?
> Thank you, I will try it.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> 
> --- On Sun, 7/19/09, Dominick Grift <domg472 at gmail.com> wrote:
> 
>> From: Dominick Grift <domg472 at gmail.com>
>> Subject: Re: add a transition rule
>> To: "Vadym Chepkov" <chepkov at yahoo.com>
>> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
>> Date: Sunday, July 19, 2009, 7:06 AM
>> On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I have a script, executed by apache, which is running in the
>>> httpd_svn_script_t domain. This script calls svn-mailer (bin_t), which
>>> in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t), and since
>>> there is no transition defined, sendmail still runs in
>>> httpd_svn_script_t and I get a humongous amount of AVCs. What would be
>>> the proper rule to add to the local policy to make sendmail run in the
>>> proper domain, sendmail_t?
>>> And for that matter, if httpd_can_sendmail --> on, shouldn't it be
>>> happening automatically? Thank you.
>>
>> Not sure about all this (sesearch and review of source policy might
>> reveal the answer). I am not in my usual location so I cannot verify at
>> the moment, however my personal opinion is that you might as well write
>> some policy yourself to make this happen. Those httpd booleans are
>> generally coarse grained.
>>
>> If you write a policy for your script and do a transition from
>> httpd_svn_script_t to myscript_t and then allow myscript_t to transition
>> to the mail domain (probably something like
>> sendmail_domtrans(myscript_t)). That way you do not pollute your
>> httpd_svn_script_t domain too much with access vectors that are really
>> meant for your script and not svn.
>>
>>> Sincerely yours,
>>>    Vadym Chepkov
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> 

mta_send_mail is probably better, since it will cover all possible mailers, not just sendmail.
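An added example of the local policy module this suggestion describes (not code from anyone in this thread): it gives Vadym's httpd_svn_script_t type the mta_send_mail() interface so that executing a sendmail_exec_t binary transitions to the mail domain instead of staying in httpd_svn_script_t. The module name local_svnmail and the build and verification commands in the comments are assumptions; Dominick's alternative of a separate myscript_t domain is not shown.

```selinux
# local_svnmail.te (name assumed): local policy module built against the
# Fedora reference policy development headers.
policy_module(local_svnmail, 1.0)

gen_require(`
	# httpd_svn_script_t is the type Vadym created for his svn hook.
	type httpd_svn_script_t;
')

# mta_send_mail() is the refpolicy interface that adds the domain
# transition on sendmail_exec_t (to the system mail domain) together with
# the access needed to hand a message to the MTA. Unlike
# sendmail_domtrans(), it does not tie the rule to one specific mailer.
mta_send_mail(httpd_svn_script_t)

# Build and load (run in the directory holding this file):
#   make -f /usr/share/selinux/devel/Makefile local_svnmail.pp
#   semodule -i local_svnmail.pp
#
# Verify that the transition now exists, then re-check the audit log: the
# denials logged when the hook mails should no longer show
# httpd_svn_script_t as the source context of sendmail's activity.
#   sesearch -T -s httpd_svn_script_t -t sendmail_exec_t -c process
#   ausearch -m avc -ts recent
```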