I created httpd_svn_script_t for this exact purpose, I don't think another one is required.
sendmail_domtrans(httpd_svn_script_t) is the rule then?
Thank you, I will try it.

Sincerely yours,
  Vadym Chepkov

--- On Sun, 7/19/09, Dominick Grift <domg472@xxxxxxxxx> wrote:

> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: add a transition rule
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> Date: Sunday, July 19, 2009, 7:06 AM
>
> On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
> > Hi,
> >
> > I have a script, executed by apache, which is running in
> > httpd_svn_script_t domain. This script calls svn-mailer(bin_t) which
> > in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since
> > there is no transition defined, sendmail still runs in
> > httpd_svn_script_t and I get a humongous amount of AVCs. What would be
> > the proper rule to add to the local policy to make sendmail run in
> > the proper domain, sendmail_t?
> > And for that matter if httpd_can_sendmail --> on, shouldn't it be
> > happening automatically? Thank you.
>
> Not sure about all this (sesearch and review of source policy might
> reveal the answer). I am not in my usual location so I cannot verify at
> the moment, however my personal opinion is that you might as well write
> some policy yourself to make this happen. Those httpd booleans are
> generally coarse grained.
>
> If you write a policy for your script and do a transition from
> httpd_svn_script_t to myscript_t and then allow myscript_t to transition
> to the mail domain (probably something like
> sendmail_domtrans(myscript_t)). That way you do not pollute your
> httpd_svn_script_t domain too much with access vectors that are really
> meant for your script and not svn.
>
> > Sincerely yours,
> >   Vadym Chepkov
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
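
The two options discussed in this thread, written out as a local policy module. This is an added example, not code from either poster or from the Fedora policy. The module name local_svnmail and the types myscript_t and myscript_exec_t are hypothetical, and it assumes the reference policy development macros are installed and that svn-mailer has been relabeled from bin_t to myscript_exec_t.

```te
policy_module(local_svnmail, 1.0.0)

# Type and role that already exist in the loaded policy
# (httpd_svn_script_t is the domain named in the thread).
gen_require(`
	type httpd_svn_script_t;
	role system_r;
')

# Option 1: the direct rule asked about in the reply. It lets the
# existing script domain enter sendmail_t when it executes a file
# labeled sendmail_exec_t. Uncomment to use it instead of option 2.
# sendmail_domtrans(httpd_svn_script_t)

# Option 2: the intermediate domain suggested in the quoted message.
# myscript_t and myscript_exec_t are hypothetical names.
type myscript_t;
type myscript_exec_t;
application_domain(myscript_t, myscript_exec_t)
role system_r types myscript_t;

# Executing a file labeled myscript_exec_t from the svn script domain
# starts the new process in myscript_t. While svn-mailer is still
# labeled bin_t this rule never fires and it keeps running in
# httpd_svn_script_t.
domtrans_pattern(httpd_svn_script_t, myscript_exec_t, myscript_t)

# Only the helper domain may transition to sendmail_t, so the mail
# access vectors stay out of httpd_svn_script_t.
sendmail_domtrans(myscript_t)
```

With option 2, myscript_t starts with almost no permissions, so whatever else svn-mailer needs (reading its configuration, running its interpreter) still has to be granted from the AVC denials it produces.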