> -----Original Message-----
> From: fedora-selinux-list-bounces@xxxxxxxxxx
> [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of
> Forrest Taylor
> Sent: Saturday, March 10, 2007 11:56 AM
> To: fedora-selinux-list@xxxxxxxxxx
> Subject: Making a python/shell script run in httpd_t (or some
> other domain)
>
> I am trying to make a python script run in the httpd_t domain
> on RHEL5 RC4. I have assigned the script the httpd_exec_t
> type. I searched the archives, and I saw an earlier post
> that stated that I should use the -E option to python:
>
> #!/usr/bin/python -E
>
> I see the same entry in python scripts like setroubleshootd.
> However, when I try to run my script (or setroubleshootd, for
> that matter) directly, it runs in unconfined_t. I have the
> same problem with shell executables. Any tips?

You need to make sure you have all the rules required for your source
domain to transition to your target domain. The unconfined_t domain
generally does not transition; it is designed to run most things in its
domain, which has a wide range of permissions (hence the name
"unconfined").

You need these three rules to permit a transition:

    allow source_domain target_domain:process transition;
    allow source_domain entrypoint_type:file {read getattr execute};
    allow target_domain entrypoint_type:file entrypoint;

If you want the transition to be automatic, you also need a
type_transition rule:

    type_transition source_domain entrypoint_type:process target_domain;

You can use apol's domain transition analysis to test your policy to
make sure you have all the necessary rules. There is also a good
explanation of domain transitions in the Help menu. (Or Chapter 5 of
_SELinux by Example_ :))

You also probably don't want to run your script in httpd_t, but in a
more restricted domain.

> run_init will run as expected, but it does also ask for the
> root password. I know that I could change the pam.d/ entry,
> but I don't want to do that at this point.
>
> I created an init script that simply calls the executable.
> This works as expected, as long as the script starts with the
> interpreter (e.g., #!/bin/bash). If I leave out that line,
> it does not transition. Any idea why?
>
> Thanks,
>
> Forrest

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
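The four rules from the reply, written out as a minimal loadable policy module; this is an added example, not part of the thread. The domain name myscript_t, the entrypoint type myscript_exec_t and the source domain initrc_t (the domain an init script runs in) are assumptions, and building it assumes the reference-policy headers from selinux-policy-devel.

```selinux
# Example module (not from the original thread): a dedicated, restricted
# domain for the script instead of httpd_t, entered from initrc_t.
# Names myscript_t / myscript_exec_t are hypothetical.
policy_module(myscript, 1.0)

require {
    type initrc_t;
}

# New target domain and the entrypoint type the script file is labelled with
type myscript_t;
type myscript_exec_t;
domain_type(myscript_t)
domain_entry_file(myscript_t, myscript_exec_t)

# Rule 1: the source domain may transition to the target domain
allow initrc_t myscript_t:process transition;

# Rule 2: the source domain may read and execute the entrypoint file
# ("open" is required by policies newer than RHEL5; harmless to list)
allow initrc_t myscript_exec_t:file { read getattr execute open };

# Rule 3: the entrypoint file may be used to enter the target domain
allow myscript_t myscript_exec_t:file entrypoint;

# Rule 4: make the transition automatic when initrc_t execs the file
type_transition initrc_t myscript_exec_t:process myscript_t;

# The interpreter named on the #! line (python, bash) runs inside the new
# domain, so the domain needs to execute ordinary bin_t programs.
corecmd_exec_bin(myscript_t)

# The transition only happens on an execve() of the labelled file itself,
# which is why the script must start with a #! line: a shell that is handed
# a file with no interpreter line reads and runs it in a subshell instead
# of exec'ing it, so no entrypoint check and no transition occur.

# Build, load and label (run as root; the path is a placeholder):
#   make -f /usr/share/selinux/devel/Makefile myscript.pp
#   semodule -i myscript.pp
#   semanage fcontext -a -t myscript_exec_t '/usr/local/bin/myscript.py'
#   restorecon -v /usr/local/bin/myscript.py
```

After loading, apol's domain transition analysis from initrc_t should list myscript_t as reachable through myscript_exec_t.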