On 07/04/2009 08:48 AM, Vadym Chepkov wrote:
I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift <domg472@gmail.com> wrote:

From: Dominick Grift <domg472@gmail.com>
Subject: Re: Domain transition missing
To: "Vadym Chepkov" <chepkov@yahoo.com>
Cc: "Fedora SELinux" <fedora-selinux-list@redhat.com>
Date: Saturday, July 4, 2009, 8:41 AM

On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
Hi,
Last night I got a nasty surprise from selinux. I am using winbind for external authentication, and since it has a history of failures I have a simple watchdog implemented to check its status and restart it if necessary. That is what happened last night, and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing: winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
I think jobs running from cron should be granted the same transition rules as from unconfined_t.
I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
Sincerely yours, Vadym Chepkov
A domain transition would be:

    policy_module(mywinbind, 0.0.1)

    require {
        type system_cronjob_t, winbind_exec_t, winbind_t;
    }

    # cron job executing the winbindd binary ends up in winbind_t
    domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
Can you show us the full raw avc denial?
But personally I would deal with this in a different way: I would write policy for the script that restarts winbind, and then I would create a domain transition from the domain in which the script runs to winbind_t.
Mainly because I wouldn't want to extend/modify system_cronjob_t.
So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
It looks like standard SELinux policy should have allowed system_cronjob_t to transition to initrc_t when executing an initrc script. How is the winbind script labeled?
    ls -lZ /etc/init.d/winbind
    -rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 /etc/init.d/winbind
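The chain Dominick Grift sketches (system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t) is worked through below as an added example; it is not code from the thread or from the Fedora policy package. It assumes the watchdog lives at /usr/local/bin/winbind-watchdog (a hypothetical path), that selinux-policy-devel provides /usr/share/selinux/devel/Makefile, and that the refpolicy interfaces `application_domain`, `corecmd_exec_shell` and `corecmd_exec_bin` are present in the installed policy headers (check /usr/share/selinux/devel/include if unsure). The new domain is declared permissive so that any rule still missing shows up as an AVC denial, the "full raw avc denial" Dominick asks for, rather than silently breaking the restart.

```shell
#!/bin/sh
# Added example (not from the thread): build a local SELinux module that gives the
# winbind watchdog its own domain, following the chain Dominick outlined:
#   system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
# Assumptions: watchdog path below is hypothetical; selinux-policy-devel is installed.
set -eu

MODULE=myscript
SCRIPT_PATH=/usr/local/bin/winbind-watchdog   # hypothetical path of the cron job script

# Write $MODULE.te and $MODULE.fc into the directory given as $1.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(myscript, 1.0.0)

require {
    type system_cronjob_t;
    type winbind_exec_t;
    type winbind_t;
}

# A private domain for the watchdog plus the type of its executable.
type myscript_t;
type myscript_exec_t;
application_domain(myscript_t, myscript_exec_t)
role system_r types myscript_t;

# cron job -> watchdog script (instead of staying in system_cronjob_t)
domain_auto_trans(system_cronjob_t, myscript_exec_t, myscript_t)
# watchdog script -> winbind daemon, so winbindd ends up in winbind_t
domain_auto_trans(myscript_t, winbind_exec_t, winbind_t)

# The watchdog is a shell script; let it run the shell and ordinary binaries
# without leaving its own domain.
corecmd_exec_shell(myscript_t)
corecmd_exec_bin(myscript_t)

# Start permissive: missing rules are logged as AVC denials instead of
# breaking the watchdog; remove this line once audit2allow shows nothing new.
permissive myscript_t;
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$SCRIPT_PATH    --    gen_context(system_u:object_r:myscript_exec_t,s0)
EOF
    printf '%s\n' "$dir/$MODULE.te" "$dir/$MODULE.fc"
}

# Number of domain transitions the generated module declares (self-check).
count_transitions() {
    grep -c '^domain_auto_trans(' "$1/$MODULE.te"
}

# Build, install and relabel, then ask the loaded policy whether both
# transitions really exist (sesearch -T lists type_transition rules).
install_and_verify() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$SCRIPT_PATH"
    ls -Z "$SCRIPT_PATH"
    sesearch -T -s system_cronjob_t -t myscript_exec_t -c process
    sesearch -T -s myscript_t -t winbind_exec_t -c process
}

# Only touch the running system when explicitly asked: sh thisfile.sh install
if [ "${1:-}" = install ]; then
    workdir=$(mktemp -d)
    write_policy_sources "$workdir"
    install_and_verify "$workdir"
fi
```

After installing, run the watchdog once from cron and check `ausearch -m avc -ts recent`: with the domain permissive, every rule the script still needs appears as a denial that `audit2allow -M` can turn into an extra local module, and `ps -eZ | grep winbindd` should now show winbind_t rather than system_cronjob_t.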