That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in wast scripts: spamassassin restarts itself when it updates anti-spam rules, clamav (antivirus) does that, and so on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
Sincerely yours, Vadym Chepkov
--- On Sat, 7/4/09, Dominick Grift domg472@gmail.com wrote:
From: Dominick Grift domg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov" chepkov@yahoo.com Cc: "Fedora SELinux" fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 8:57 AM On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
I have really gotten used to running my scripts unconfined; how can I accomplish it in this scenario?
Sincerely yours, Vadym Chepkov
If you want the system to run jobs you will need to write some policy or extend the system_cronjob_t domain, I think.
Were those the only avc denials you got? I would expect more denials.
--- On Sat, 7/4/09, Dominick Grift domg472@gmail.com wrote:
From: Dominick Grift domg472@gmail.com Subject: Re: Domain transition missing To: "Vadym Chepkov" chepkov@yahoo.com Cc: "Fedora SELinux" fedora-selinux-list@redhat.com Date: Saturday, July 4, 2009, 8:41 AM On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
Hi,
Last night I got a nasty surprise from selinux. I am using winbind for external authentication and, since it has a history of failures, I have a simple watchdog implemented to check its status and restart it if necessary. That is what happened last night, and as a law-abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing: winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
I think jobs running from cron should be granted the same transition rules as from unconfined_t.
I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
Sincerely yours, Vadym Chepkov
A domain transition would be:
policy_module(mywinbind, 0.0.1)
require { type system_cronjob_t, winbind_exec_t, winbind_t; }
domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
Can you show us the full raw avc denial?
But personally I would deal with this in a different way. I would write policy for the script that restarts winbind, and then I would create a domain transition from the domain in which the script runs to winbind_t.
Mainly because I wouldn't want to extend/modify system_cronjob_t.
So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in wast scripts: spamassassin restarts itself when it updates anti-spam rules, clamav (antivirus) does that, and so on. I use Fedora 11, by the way.
For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
Sincerely yours, Vadym Chepkov
Looking here: http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/servic... line 235 to line 269.
That seems like an interface one might use in your situation:
cron_system_entry(winbind_t, winbind_exec_t)
I admit that using cron with SELinux is not very easy currently.
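As an added example, not code from this thread or from the refpolicy project, here is a local policy module that implements the two-hop chain Dominick sketches (system_cronjob_t -> script domain -> winbind_t) using the cron_system_entry interface he points to in his second reply. The domain names winbind_watchdog_t and winbind_watchdog_exec_t, the script path /usr/local/sbin/winbind-watchdog and the extra rules the script itself needs are assumptions; winbind_t, winbind_exec_t and the macros domain_auto_trans and cron_system_entry are the ones named in the thread.

```selinux
# winbind_watchdog.te (added example; names and paths are assumptions)
policy_module(winbind_watchdog, 0.0.1)

########################################
#
# Declarations
#

# Private domain for the watchdog script and the type of its executable.
# Labeling the script with its own type is what lets cron transition
# out of system_cronjob_t without touching that domain's policy.
type winbind_watchdog_t;
type winbind_watchdog_exec_t;
domain_type(winbind_watchdog_t)
domain_entry_file(winbind_watchdog_t, winbind_watchdog_exec_t)
role system_r types winbind_watchdog_t;

# Types from the samba module that we transition into (named in the thread).
gen_require(`
	type winbind_t, winbind_exec_t;
')

########################################
#
# Local policy
#

# Hop 1: system_cronjob_t -> winbind_watchdog_exec_t -> winbind_watchdog_t
cron_system_entry(winbind_watchdog_t, winbind_watchdog_exec_t)

# Hop 2: winbind_watchdog_t -> winbind_exec_t -> winbind_t
# (If the script restarts through 'service winbind restart' instead of
# execing winbindd directly, use init_domtrans_script(winbind_watchdog_t)
# here so that initrc_t performs the normal daemon transition.)
domain_auto_trans(winbind_watchdog_t, winbind_exec_t, winbind_t)

# The watchdog may stop a hung winbindd; it gets no other access to it.
allow winbind_watchdog_t winbind_t:process { signal sigkill };

# Minimal rights for a shell script: run the shell and helper binaries,
# read /etc, and log what it did.
corecmd_exec_bin(winbind_watchdog_t)
corecmd_exec_shell(winbind_watchdog_t)
files_read_etc_files(winbind_watchdog_t)
logging_send_syslog_msg(winbind_watchdog_t)

# winbind_watchdog.fc (assumed script path):
#   /usr/local/sbin/winbind-watchdog -- gen_context(system_u:object_r:winbind_watchdog_exec_t,s0)
#
# Build, load and label (Fedora: selinux-policy-devel headers):
#   make -f /usr/share/selinux/devel/Makefile winbind_watchdog.pp
#   semodule -i winbind_watchdog.pp
#   restorecon -v /usr/local/sbin/winbind-watchdog
#
# Verify both hops exist before relying on them:
#   sesearch -T -s system_cronjob_t -t winbind_watchdog_exec_t
#   sesearch -T -s winbind_watchdog_t -t winbind_exec_t
```

Once loaded, a winbindd restarted from the cron job should show up in `ps -eZ` as winbind_t rather than system_cronjob_t; if it does not, or the script is denied something, `ausearch -m avc -ts recent` gives the raw denials Dominick asked for, which is what to feed into the next policy iteration rather than widening the rules up front.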