On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> Hi,
>
> Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transitions is missing and winbind was started in system_cronjob_t domain instead of winbind_t and none of other domains could connect to it.
>
> I think jobs running from cron should be granted the same transition rules as from unconfined_t.
>
> I will file bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
>
> Sincerely yours,
> Vadym Chepkov
A domain transition would be:
policy_module(mywinbind, 0.0.1)
require { type system_cronjob_t, winbind_exec_t, winbind_t; }
domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
Can you show us the full raw avc denial?
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
