Re: Domain transition missing

That would be unfortunate. My approach is not uncommon. If you look closely you will see the same technique in wast scripts. spamassassin restarts itself when it updates anti-spam rules, clamav does that (antivirus) and on and on. I use Fedora 11, by the way.

For now, instead of creating a new policy I just added 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.

Sincerely yours,
  Vadym Chepkov


--- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:

> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> Date: Saturday, July 4, 2009, 8:57 AM
> On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > I really got used to running my scripts unconfined; how can I accomplish it in this scenario?
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> 
> if you want the system to run jobs you will need to write some policy or
> extend the system_cronjob_t domain I think
> 
> 
> Were those the only avc denials you got? I would expect more denials.
> 
> > --- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:
> > 
> > > From: Dominick Grift <domg472@xxxxxxxxx>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> > > Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> > > Date: Saturday, July 4, 2009, 8:41 AM
> > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > Hi,
> > > > > 
> > > > > Last night I got a nasty surprise from selinux. I am using winbind for external authentication and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night and as a law abiding selinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t and none of the other domains could connect to it.
> > > > > 
> > > > > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > > > > 
> > > > > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > > > > 
> > > > > Sincerely yours,
> > > > >   Vadym Chepkov
> > > > 
> > > > A domain transition would be:
> > > > 
> > > > policy_module(mywinbind, 0.0.1)
> > > > 
> > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > 
> > > > Can you show us the full raw avc denial?
> > > 
> > > 
> > > But personally I would deal with this in a different way. I would write policy for the script that restarts winbind and then I would create a domain transition for the domain in which the script runs to winbind_t.
> > > 
> > > Mainly because I wouldn't want to extend/modify system_cronjob_t
> > > 
> > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > 
> > > > > --
> > > > > fedora-selinux-list mailing list
> > > > > fedora-selinux-list@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > 
> > > 
> > > 
> 
> 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
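The chain Dominick proposes (system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t) written out as a complete, buildable module. This is an added example, not code from the thread, from Fedora's policy, or from either poster: the module name winbind_watchdog, the script path /usr/local/sbin/winbind-watchdog and the set of permissions granted are assumptions to adapt; cron_system_entry, samba_domtrans_winbind and samba_initrc_domtrans are the reference policy interfaces that express those transitions. The script only generates the .te/.fc files; it builds and loads them only when the selinux-policy-devel Makefile and semodule are present.

```shell
#!/bin/sh
# Added example (not from the thread): a confined domain for a cron-run winbind
# watchdog, so the script does not need to inherit system_cronjob_t's rules or
# be run as unconfined_t. Chain implemented:
#   system_cronjob_t -> winbind_watchdog_exec_t -> winbind_watchdog_t
#                    -> winbind_exec_t -> winbind_t
set -eu

# Hypothetical location of the watchdog script; adjust to your own.
WATCHDOG_PATH="/usr/local/sbin/winbind-watchdog"
MODULE="winbind_watchdog"

# Write the type-enforcement (.te) and file-context (.fc) sources into DIR.
write_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

# Domain for the watchdog and the entry-point type of its executable.
type winbind_watchdog_t;
type winbind_watchdog_exec_t;
domain_type(winbind_watchdog_t)
domain_entry_file(winbind_watchdog_t, winbind_watchdog_exec_t)
role system_r types winbind_watchdog_t;

# system_cronjob_t -> winbind_watchdog_t when cron executes the labeled script.
cron_system_entry(winbind_watchdog_t, winbind_watchdog_exec_t)

# A shell script needs a shell, and a watchdog typically calls other binaries.
corecmd_exec_shell(winbind_watchdog_t)
corecmd_exec_bin(winbind_watchdog_t)

# winbind_watchdog_t -> winbind_t when the script executes winbindd itself.
samba_domtrans_winbind(winbind_watchdog_t)
# If it restarts via the init script ('service winbind restart') instead,
# let it enter samba's init script domain, which in turn starts winbind_t.
samba_initrc_domtrans(winbind_watchdog_t)

logging_send_syslog_msg(winbind_watchdog_t)

# While developing, uncomment to log denials without blocking, then derive
# the missing rules from the raw AVCs (audit2allow -a -r) and remove it.
# permissive winbind_watchdog_t;
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$WATCHDOG_PATH    --    gen_context(system_u:object_r:winbind_watchdog_exec_t,s0)
EOF
}

# Returns 0 when the generated .te contains both ends of the chain.
policy_has_transitions() {
    grep -q 'cron_system_entry(winbind_watchdog_t' "$1/$MODULE.te" &&
    grep -q 'samba_domtrans_winbind(winbind_watchdog_t)' "$1/$MODULE.te"
}

# Build the .pp, load it, and relabel the script (needs selinux-policy-devel, root).
build_and_install() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$WATCHDOG_PATH"
}

OUT="${1:-./winbind_watchdog_policy}"
write_policy "$OUT"
policy_has_transitions "$OUT"
if command -v semodule >/dev/null 2>&1 && [ -f /usr/share/selinux/devel/Makefile ]; then
    build_and_install "$OUT"
else
    echo "policy sources written to $OUT; on the target host run:"
    echo "  cd $OUT && make -f /usr/share/selinux/devel/Makefile $MODULE.pp && semodule -i $MODULE.pp"
fi
```

After loading, check the label with `ls -Z /usr/local/sbin/winbind-watchdog` and, once the job has fired, confirm with `ps -eZ | grep winbind` that winbindd runs in winbind_t rather than system_cronjob_t. Compared with wrapping the job in `runcon -t unconfined_t`, this keeps the watchdog confined: a bug or compromise in the script can only reach what the module grants, and every denial it hits is a visible AVC you can review rather than silently allowed behaviour.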
