Re: Domain transition missing

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

On 07/04/2009 08:48 AM, Vadym Chepkov wrote:
> I really get used to running my scripts unconfined, how I can accomplish it in this scenario?
>
> Sincerely yours,
>    Vadym Chepkov
>
>
> --- On Sat, 7/4/09, Dominick Grift<domg472@xxxxxxxxx>  wrote:
>
> > From: Dominick Grift<domg472@xxxxxxxxx>
> > Subject: Re: Domain transition missing
> > To: "Vadym Chepkov"<chepkov@xxxxxxxxx>
> > Cc: "Fedora SELinux"<fedora-selinux-list@xxxxxxxxxx>
> > Date: Saturday, July 4, 2009, 8:41 AM
> > On Sat, 2009-07-04 at 14:38 +0200,
> > Dominick Grift wrote:
> > > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov
> > wrote:
> > > > Hi,
> > > >
> > > > Last night I got a nasty surprise from selinux. I
> > am using winbind for external authentication and since it
> > has history of failures I have a simple watchdog implemented
> > to check the status and restart it if necessary. That
> > is  what happened last night and as a law abiding
> > selinux citizen I used 'service winbind restart', but it
> > seems the proper domain transitions is missing and winbind
> > was started in system_cronjob_t domain instead of winbind_t
> > and none of other domains could connect to it.
> > > > I think jobs running from cron should be granted
> > the same transition rules as  from unconfined_t.
> > > > I will file bugzilla report about it, but could
> > somebody help me with modifying my local policy until/if it
> > gets implemented, please? Thank you.
> > > > Sincerely yours,
> > > >     Vadym Chepkov
> > > A domain transition would be:
> > >
> > > policy_module(mywinbind, 0.0.1)
> > >
> > > require { type system_cronjob_t, winbind_exec_t,
> > winbind_t; }
> > > domain_auto_trans(system_cronjob_t, winbind_exec_t,
> > winbind_t)
> > > Can you show us the full raw avc denial?
> >
> > But personally would deal with this in a different way. I
> > would write
> > policy for the script that restarts winbind and then i
> > would create a
> > domain transition for the domain in which the script runs
> > to winbind_t.
> >
> > Mainly because i wouldnt want to extend/modify
> > system_cronjob_t
> >
> > So: system_cronjob_t ->  myscript_exec_t ->  myscript_t
> > ->  winbind_exec_t
> > ->  winbind_t
> >
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


It looks like standard SELinux policy should have allowed

system_cronjob_t to transition to initrc_t when executing an initrc 
script.  How is the windbind script labeled?

ls -lZ /etc/init.d/winbind
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 
/etc/init.d/winbind

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list