On 07/19/2009 09:33 AM, Vadym Chepkov wrote:
> I created httpd_svn_script_t for this exact purpose; I don't think another one is required.
>
> sendmail_domtrans(httpd_svn_script_t) is the rule then?
> Thank you, I will try it.
>
> Sincerely yours,
> Vadym Chepkov
>
> --- On Sun, 7/19/09, Dominick Grift <domg472@xxxxxxxxx> wrote:
>
>> From: Dominick Grift <domg472@xxxxxxxxx>
>> Subject: Re: add a transition rule
>> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
>> Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
>> Date: Sunday, July 19, 2009, 7:06 AM
>>
>> On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I have a script, executed by apache, which is running in the httpd_svn_script_t domain. This script calls svn-mailer (bin_t), which in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t), and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous number of AVCs. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
>>>
>>> And for that matter, if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
>>
>> Not sure about all this (sesearch and a review of the source policy might reveal the answer). I am not in my usual location so I cannot verify at the moment; however, my personal opinion is that you might as well write some policy yourself to make this happen. Those httpd booleans are generally coarse grained.
>>
>> If you write a policy for your script and do a transition from httpd_svn_script_t to myscript_t, and then allow myscript_t to transition to the mail domain (probably something like sendmail_domtrans(myscript_t)). That way you do not pollute your httpd_svn_script_t domain too much with access vectors that are really meant for your script and not svn.
>>
>>> Sincerely yours,
>>> Vadym Chepkov
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

mta_send_mail is probably better, since it will cover all possible mailers, not just sendmail.
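What the last reply is suggesting, written out as a local policy module plus the build and verification steps. This is an added example, not code from the thread or from the Fedora policy; it assumes a Fedora-style refpolicy toolchain (/usr/share/selinux/devel/Makefile, semodule, sesearch, ausearch/audit2allow) and that httpd_svn_script_t is already defined in a loaded module. The module name httpd_svn_mail and the function names are mine. Note that mta_send_mail() sets up the transition on sendmail_exec_t into the generic mail-client domain system_mail_t rather than the sendmail_t daemon domain, which is the reason it covers every MTA that installs a sendmail_exec_t binary. The rule sits on httpd_svn_script_t because svn-mailer is bin_t and so keeps running in the calling domain; it is that domain which finally execs sendmail. If httpd_svn_script_t was created in your own .te file, the single mta_send_mail line belongs in that file and the gen_require block is unnecessary.

```shell
#!/bin/sh
# Added example (not from the thread): local SELinux policy module that lets the
# custom httpd_svn_script_t domain hand off to the system mail client domain,
# with the build/verify steps around it. Assumes a Fedora refpolicy toolchain
# and an already-loaded module defining httpd_svn_script_t.

# Write the .te source into DIR and print its path.
write_mail_transition_module() {
    dir=$1
    te="$dir/httpd_svn_mail.te"
    cat > "$te" <<'EOF'
policy_module(httpd_svn_mail, 1.0)

# The script domain is defined in another module, so require it here
# instead of declaring it a second time. (No apostrophes in these comments:
# m4 treats a lone quote as a quoting character.)
gen_require(`
    type httpd_svn_script_t;
')

# mta_send_mail() adds the type_transition on sendmail_exec_t into
# system_mail_t together with the execute/transition permissions it needs.
# svn-mailer (bin_t) stays in the calling domain, so the rule goes on
# httpd_svn_script_t, the domain that actually execs sendmail.
mta_send_mail(httpd_svn_script_t)
EOF
    printf '%s\n' "$te"
}

# Build the .pp with the refpolicy devel Makefile (plain checkmodule cannot
# expand policy_module()/mta_send_mail()) and load it. Returns 2 when the
# toolchain is missing so a caller can tell "skipped" from "failed".
build_and_load_module() {
    te=$1
    makefile=/usr/share/selinux/devel/Makefile
    [ -f "$makefile" ] || { echo "no $makefile; skipping build" >&2; return 2; }
    dir=$(dirname "$te")
    name=$(basename "$te" .te)
    ( cd "$dir" && make -f "$makefile" "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp"
}

# Confirm the transition is in the loaded policy. Expect a line like
#   type_transition httpd_svn_script_t sendmail_exec_t : process system_mail_t;
show_mail_transition() {
    sesearch -T -s httpd_svn_script_t -t sendmail_exec_t -c process
}

# After the next commit hook fires, the sendmail child should show up as
# system_mail_t instead of httpd_svn_script_t, and whatever denials remain
# describe access the script itself (not the mailer) still lacks.
show_runtime_state() {
    ps -eZ | grep '[s]endmail'
    ausearch -m avc -ts recent 2>/dev/null | audit2allow
}
```

Usage on the server, as root: write the module into a scratch directory with write_mail_transition_module, run build_and_load_module on the printed path, then show_mail_transition to confirm the rule landed before triggering a commit.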