Re: Domain transition missing

On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > Hi,
> > 
> > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
> > 
> > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > 
> > I will file bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> 
> A domain transition would be:
> 
> policy_module(mywinbind, 0.0.1)
> 
> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> 
> Can you show us the full raw avc denial?


But personally I would deal with this in a different way. I would write
policy for the script that restarts winbind and then I would create a
domain transition for the domain in which the script runs to winbind_t.

Mainly because I wouldn't want to extend/modify system_cronjob_t.

So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t
-> winbind_t


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
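
The chain described in the reply above (system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t), written out as a local policy module. This is an added example, not policy posted in the thread: the module name `mywinbindwatch`, the script path in the comment and the three access rules at the end are assumptions, while `myscript_t` and `myscript_exec_t` are the names used in the message.

```selinux
policy_module(mywinbindwatch, 0.0.1)

# Dedicated domain and entrypoint type for the watchdog script, so that
# system_cronjob_t itself gains nothing beyond the right to enter it.
type myscript_t;
type myscript_exec_t;
domain_type(myscript_t)
domain_entry_file(myscript_t, myscript_exec_t)

gen_require(`
	type system_cronjob_t, winbind_t, winbind_exec_t;
	role system_r;
')

# System cron jobs run in system_r, so the new domain has to be
# permitted in that role or the transition is refused.
role system_r types myscript_t;

# Hop 1: system_cronjob_t -> myscript_exec_t -> myscript_t
domtrans_pattern(system_cronjob_t, myscript_exec_t, myscript_t)

# Hop 2: myscript_t -> winbind_exec_t -> winbind_t
domtrans_pattern(myscript_t, winbind_exec_t, winbind_t)

# Assumed minimum for a shell script: run the interpreter and common
# binaries, read configuration. Extend only from the AVC denials the
# script actually produces.
corecmd_exec_shell(myscript_t)
corecmd_exec_bin(myscript_t)
files_read_etc_files(myscript_t)

# File context for the script (hypothetical path), in mywinbindwatch.fc:
# /usr/local/sbin/winbind-watchdog -- gen_context(system_u:object_r:myscript_exec_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile` and `semodule -i mywinbindwatch.pp`, then relabel the script with `restorecon`. After the next watchdog run, `ps -eZ | grep winbind` should show the daemon in winbind_t rather than system_cronjob_t.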
