This worked well too, thank you

system_u:system_r:winbind_t:SystemLow root 11926     1  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11928 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11954 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11956 11926  0 09:57 ?        00:00:00 winbindd
system_u:system_r:winbind_t:SystemLow root 11957 11926  0 09:57 ?        00:00:00 winbindd

Sincerely yours,
Vadym Chepkov

--- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:

> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> Date: Saturday, July 4, 2009, 9:28 AM
> On Sat, 2009-07-04 at 06:18 -0700, Vadym Chepkov wrote:
> > That would be unfortunate. My approach is not uncommon. If you look
> > closely you will see the same technique in vast scripts. spamassassin
> > restarts itself when it updates anti-spam rules, clamav does that
> > (antivirus) and on and on. I use Fedora 11, by the way.
> >
> > For now, instead of creating a new policy I just added
> > 'runcon -t unconfined_t ' in the cron, and it seemed to do the trick.
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
>
> Looking here:
> http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/cron.if
> line 235 to line 269.
>
> That seems like an interface one might use in your situation:
>
> cron_system_entry(winbind_t, winbind_exec_t)
>
> I admit that using cron with SELinux is not very easy currently
>
> > --- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:
> >
> > > From: Dominick Grift <domg472@xxxxxxxxx>
> > > Subject: Re: Domain transition missing
> > > To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> > > Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> > > Date: Saturday, July 4, 2009, 8:57 AM
> > > On Sat, 2009-07-04 at 05:48 -0700, Vadym Chepkov wrote:
> > > > I really got used to running my scripts unconfined; how can I
> > > > accomplish it in this scenario?
> > > >
> > > > Sincerely yours,
> > > > Vadym Chepkov
> > > >
> > >
> > > If you want the system to run jobs you will need to write some policy or
> > > extend the system_cronjob_t domain I think
> > >
> > > Were those the only avc denials you got? I would expect more denials.
> > >
> > > > --- On Sat, 7/4/09, Dominick Grift <domg472@xxxxxxxxx> wrote:
> > > >
> > > > > From: Dominick Grift <domg472@xxxxxxxxx>
> > > > > Subject: Re: Domain transition missing
> > > > > To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> > > > > Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> > > > > Date: Saturday, July 4, 2009, 8:41 AM
> > > > > On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > > > > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Last night I got a nasty surprise from selinux. I am using winbind
> > > > > > > for external authentication and since it has a history of failures
> > > > > > > I have a simple watchdog implemented to check the status and
> > > > > > > restart it if necessary. That is what happened last night and as
> > > > > > > a law abiding selinux citizen I used 'service winbind restart',
> > > > > > > but it seems the proper domain transition is missing and winbind
> > > > > > > was started in system_cronjob_t domain instead of winbind_t and
> > > > > > > none of the other domains could connect to it.
> > > > > > >
> > > > > > > I think jobs running from cron should be granted the same
> > > > > > > transition rules as from unconfined_t.
> > > > > > >
> > > > > > > I will file a bugzilla report about it, but could somebody help me
> > > > > > > with modifying my local policy until/if it gets implemented,
> > > > > > > please? Thank you.
> > > > > > >
> > > > > > > Sincerely yours,
> > > > > > > Vadym Chepkov
> > > > > >
> > > > > > A domain transition would be:
> > > > > >
> > > > > > policy_module(mywinbind, 0.0.1)
> > > > > >
> > > > > > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > > > > > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > > > > >
> > > > > > Can you show us the full raw avc denial?
> > > > > >
> > > > >
> > > > > But personally I would deal with this in a different way. I would
> > > > > write policy for the script that restarts winbind and then I would
> > > > > create a domain transition for the domain in which the script runs
> > > > > to winbind_t.
> > > > >
> > > > > Mainly because I wouldn't want to extend/modify system_cronjob_t
> > > > >
> > > > > So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> > > > >
> > > > > > > --
> > > > > > > fedora-selinux-list mailing list
> > > > > > > fedora-selinux-list@xxxxxxxxxx
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list