This worked well too, thank you
system_u:system_r:winbind_t:SystemLow root 11926 1 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11928 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11954 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11956 11926 0 09:57 ? 00:00:00 winbindd system_u:system_r:winbind_t:SystemLow root 11957 11926 0 09:57 ? 00:00:00 winbindd
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift domg472@gmail.com wrote:
From: Dominick Grift domg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov" chepkov@yahoo.com Cc: "Fedora SELinux" fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 9:28 AM On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
That would be unfortunate. Mine approach is not
uncommon. If you look closely you will see the same technique in wast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus) and on and on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just added
'runcon -t unconfind_t ' in the cron, and it seemed to did the trick.
Sincerely yours, Vadym Chepkov
Looking here: http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/servic... line 235 to line 269.
That seems like a interface one might use in your situation:
cron_system_entry(winbind_t, winbind_exec_t)
I admit that using cron with SELinux is not very easy currently
--- On Sat, 7/4/09, Dominick Grift domg472@gmail.com
wrote:
From: Dominick Grift domg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov" chepkov@yahoo.com Cc: "Fedora SELinux" fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 8:57 AM On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
I really get used to running my scripts
unconfined,
how I can accomplish it in this scenario?
Sincerely yours, Vadym Chepkov
if you want the system to run jobs you will need
to write
some policy or extend the system_cronjob_t domain i think
Were those the only avc denial you got? I would
expect more
denials.
--- On Sat, 7/4/09, Dominick Grift domg472@gmail.com
wrote:
From: Dominick Grift domg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov" chepkov@yahoo.com Cc: "Fedora SELinux" fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 8:41 AM On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
On Sat, 2009-07-04 at 05:11 -0700,
Vadym
Chepkov
wrote:
> Hi, > > Last night I got a nasty
surprise from
selinux. I
am using winbind for external
authentication and
since it
has history of failures I have a simple
watchdog
implemented
to check the status and restart it if
necessary.
That
is what happened last night and
as a law
abiding
selinux citizen I used 'service winbind
restart',
but it
seems the proper domain transitions is
missing
and winbind
was started in system_cronjob_t domain
instead of
winbind_t
and none of other domains could connect
to it.
> > I think jobs running from
cron should
be granted
the same transition rules as
from
unconfined_t.
> > I will file bugzilla report
about it,
but could
somebody help me with modifying my
local policy
until/if it
gets implemented, please? Thank you.
> > Sincerely yours, > Vadym
Chepkov
A domain transition would be:
policy_module(mywinbind, 0.0.1)
require { type system_cronjob_t,
winbind_exec_t,
winbind_t; }
domain_auto_trans(system_cronjob_t,
winbind_exec_t,
winbind_t)
Can you show us the full raw avc
denial?
But personally would deal with this in
a
different way. I
would write policy for the script that restarts
winbind and
then i
would create a domain transition for the domain in
which the
script runs
to winbind_t.
Mainly because i wouldnt want to
extend/modify
system_cronjob_t
So: system_cronjob_t ->
myscript_exec_t ->
myscript_t
-> winbind_exec_t -> winbind_t
> -- > fedora-selinux-list mailing
list
> fedora-selinux-list@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list