-----Original Message-----
From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Forrest Taylor
Sent: Saturday, March 10, 2007 11:56 AM
To: fedora-selinux-list@redhat.com
Subject: Making a python/shell script run in httpd_t (or some other domain)
I am trying to make a python script run in the httpd_t domain on RHEL5 RC4. I have assigned the script the httpd_exec_t type. I searched the archives, and I saw an earlier post that stated that I should use the -E option to python:
#!/usr/bin/python -E
I see the same entry in python scripts like setroubleshootd. However, when I try to run my script (or setroubleshootd, for that matter) directly, it runs in unconfined_t. I have the same problem with shell executables. Any tips?
You need to make sure you have all the rules required for your source domain to transition to your target domain. The unconfined_t domain generally does not transition; it is designed to run most things in its domain which has a wide range of permissions (hence the name "unconfined").
You need these three rules to permit a transition:

allow source_domain target_domain:process transition;
allow source_domain entrypoint_type:file {read getattr execute};
allow target_domain entrypoint_type:file entrypoint;

If you want the transition to be automatic, you also need a type_transition rule:

type_transition source_domain entrypoint_type:process target_domain;
You can use apol's domain transition analysis to test your policy to make sure you have all the necessary rules. There is also a good explanation of domain transitions in the Help menu. (Or Chapter 5 of _Selinux by Example_ :))
You also probably don't want to run your script in httpd_t, but in a more restricted domain.
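As an added illustration of the rule set described in the reply above (not part of the original thread), here is a small Python checker that parses rules written in the syntax given there and reports which of the three allow rules are still missing for a given source/entrypoint/target triple, plus whether a type_transition makes the change automatic. The type names runner_t, myscript_t and myscript_exec_t are made up; the class and permission names are the real ones from the rules.

```python
import re

# Rule forms used in the thread (constructed parser, not one of SELinux's own tools):
#   allow SRC TGT:CLASS { p1 p2 };  /  allow SRC TGT:CLASS p1;  /  type_transition SRC TGT:CLASS NEWTYPE;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")
TT_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+)\s*;$")

# Constructed sample with made-up type names; it deliberately lacks the entrypoint rule.
SAMPLE_POLICY = """
allow runner_t myscript_t:process transition;
allow runner_t myscript_exec_t:file { read getattr execute };
type_transition runner_t myscript_exec_t:process myscript_t;
"""

def parse_policy(text):
    """Return ({(src, tgt, cls): perms}, {(src, tgt, cls): new_type})."""
    allows, transitions = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        t = TT_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            allows.setdefault((src, tgt, cls), set()).update(perms.strip("{}").split())
        elif t:
            src, tgt, cls, new_type = t.groups()
            transitions[(src, tgt, cls)] = new_type
        else:
            raise ValueError("unrecognised rule: " + line)
    return allows, transitions

def missing_rules(allows, source, entrypoint, target):
    """List the allow rules still needed for source -> target via entrypoint."""
    required = [
        ((source, target, "process"), {"transition"}),
        ((source, entrypoint, "file"), {"read", "getattr", "execute"}),
        ((target, entrypoint, "file"), {"entrypoint"}),
    ]
    missing = []
    for (src, tgt, cls), perms in required:
        lacking = sorted(perms - allows.get((src, tgt, cls), set()))
        if lacking:
            missing.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(lacking)))
    return missing

def is_automatic(transitions, source, entrypoint, target):
    # A type_transition on the entrypoint's process class names the new domain.
    return transitions.get((source, entrypoint, "process")) == target
```

Running parse_policy over SAMPLE_POLICY and then missing_rules(..., "runner_t", "myscript_exec_t", "myscript_t") reports only the absent entrypoint rule, which is the usual omission when a script is labelled but never transitions.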
run_init will run as expected, but it does also ask for the root password. I know that I could change the pam.d/ entry, but I don't want to do that at this point.
I created an init script that simply calls the executable. This works as expected, as long as the script starts with the interpreter (e.g., #!/bin/bash). If I leave out that line, it does not transition. Any idea why?
Thanks,
Forrest