Hi,

My policy is very simplistic

local.te

apache_content_template(svn)
domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t)

local.fc

# svn
/var/svn(/.*)?              gen_context(system_u:object_r:httpd_svn_script_ro_t,s0)
/var/svn/(.*/)?hooks(/.*)?  gen_context(system_u:object_r:httpd_svn_script_exec_t,s0)
/var/svn/(.*/)?dav(/.*)?    gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?locks(/.*)?  gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?db(/.*)?     gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)

Works well

Sincerely yours,
  Vadym Chepkov

--- On Tue, 7/28/09, Paul Howarth <paul@xxxxxxxxxxxx> wrote:

> From: Paul Howarth <paul@xxxxxxxxxxxx>
> Subject: Re: add a transition rule
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> Date: Tuesday, July 28, 2009, 9:46 AM
>
> Hi Vadym,
>
> On 19/07/09 04:35, Vadym Chepkov wrote:
> > I have a script, executed by apache, which is running in
> > httpd_svn_script_t domain. This script calls svn-mailer(bin_t)
> > which in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t)
> > and since there is no transition defined, sendmail still runs in
> > httpd_svn_script_t and I get a humongous amount of AVCs. What would
> > be the proper rule to add to the local policy to make sendmail run
> > in the proper domain, sendmail_t?
> > And for that matter if httpd_can_sendmail --> on, shouldn't it be
> > happening automatically? Thank you.
> >
> > Sincerely yours,
> >   Vadym Chepkov
>
> I'm just back off vacation and saw your email. Funnily enough I wrote
> an svnmailer policy a few weeks ago, so it would be interesting to
> compare notes:
>
> I've actually split it into two modules, svnmailer for the policy
> itself, and svnmailer-extras for additional interfaces needed in other
> policy modules. I find this arrangement is easier to manage when
> getting policy merged upstream.
>
> I made my hook scripts httpd_sys_script_exec_t and transition from
> there to httpd_svnmailer_script_t via a domtrans. The svn repository
> itself is httpd_sys_content_rw_t.
>
> Paul.
>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
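A triage sketch for the symptom in the quoted question (a flood of AVCs because sendmail keeps running in httpd_svn_script_t), added here as an example and not part of the original thread: it groups denials by source domain and command name, so a program running in the wrong domain shows up as a missing transition rather than as a long list of allow rules to add. The audit records are constructed samples, and the function names and the command-to-domain map are assumptions.

```python
import re
from collections import Counter

# Constructed sample AVC records for illustration (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1248000001.101:501): avc:  denied  { read } for  pid=4101 comm="sendmail" name="submit.cf" dev=dm-0 ino=1101 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1248000001.102:502): avc:  denied  { search } for  pid=4101 comm="sendmail" name="clientmqueue" dev=dm-0 ino=1102 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1248000001.103:503): avc:  denied  { write } for  pid=4101 comm="sendmail" name="clientmqueue" dev=dm-0 ino=1102 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1248000002.201:504): avc:  denied  { getattr } for  pid=4100 comm="post-commit" path="/var/svn/repo/conf" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:httpd_svn_script_ro_t:s0 tclass=dir
type=AVC msg=audit(1248000003.301:505): avc:  denied  { read } for  pid=4200 comm="sendmail" name="notes" dev=dm-0 ino=1301 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:httpd_svn_script_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{[^}]*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=\S+\s+tclass=\S+'
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_by_domain_and_comm(log_text):
    """Count AVC denials per (source domain, command name)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match:
            counts[(context_type(match["scontext"]), match["comm"])] += 1
    return counts


def misplaced_programs(log_text, expected_domain):
    """Denial counts for commands seen outside the domain they should run in.

    expected_domain maps a command name to its intended domain (an assumption
    supplied by the caller, e.g. sendmail -> sendmail_t as in the thread).
    """
    return {
        (domain, comm): count
        for (domain, comm), count in denials_by_domain_and_comm(log_text).items()
        if comm in expected_domain and domain != expected_domain[comm]
    }


if __name__ == "__main__":
    for key, count in misplaced_programs(SAMPLE_AUDIT_LOG, {"sendmail": "sendmail_t"}).items():
        print(key, count)
```

On a real system the input would be the text of /var/log/audit/audit.log; the `comm` field is the process name, so a helper invoked under another name needs its own entry in the map.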