On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
> I would go with a different way and create a new domain - procmail_unconfined_t - and make this domain an unconfined domain.
>
> # cat myprocmail.te
> policy_module(myprocmail, 1.0)   # module header the devel Makefile expects
>
> require {
>     type procmail_t;
> }
>
> type procmail_unconfined_exec_t;
> application_executable_file(procmail_unconfined_exec_t)
>
> optional_policy(`
>     type procmail_unconfined_t;
>     domain_type(procmail_unconfined_t)
>     domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
>     role system_r types procmail_unconfined_t;
>
>     # procmail_t execs a file labeled procmail_unconfined_exec_t and
>     # transitions into procmail_unconfined_t
>     domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
>     allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
>     allow procmail_t procmail_unconfined_exec_t:file read_file_perms;
>     allow procmail_t procmail_unconfined_exec_t:file ioctl;
>
>     init_domtrans_script(procmail_unconfined_t)
>
>     # the new domain is only unconfined when the unconfined module is loaded
>     optional_policy(`
>         unconfined_domain(procmail_unconfined_t)
>     ')
> ')
>
> # make -f /usr/share/selinux/devel/Makefile mytest.pp
> # sudo semodule -i mytest.pp
> # chcon -t procmail_unconfined_exec_t PATH_TO_YOUR_SCRIPTS
Thanks, I _think_ that's basically what I ended up doing. [copied from my previous post]:

policy_module(procmail_uncon, 1.0.18)

gen_require(`
    type unconfined_t;
    type unconfined_exec_t;
    type procmail_t;
    role system_r;
')

type my_uncon_exec_t;
files_type(my_uncon_exec_t)

# procmail_t transitions straight into unconfined_t when it execs a
# file labeled my_uncon_exec_t
allow procmail_t unconfined_t:process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
role system_r types unconfined_t;

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
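An added example, not code from either poster: a small Python checker that parses .te fragments like the two modules in this thread (constructed copies, trimmed to the rules that decide the transition; the raw-rule sample and its my_exec_t type are also constructed) and reports which domain procmail-launched scripts end up in, distinguishing a dedicated domain that is itself made unconfined from a transition straight into the shared unconfined_t. It handles both the refpolicy macros and a raw type_transition rule.

```python
import re

# Constructed samples (mine, not the thread's verbatim text), reduced to the rules
# that decide which domain procmail-launched scripts run in.
DEDICATED_TE = """
type procmail_unconfined_exec_t;
type procmail_unconfined_t;
domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
optional_policy(`
    unconfined_domain(procmail_unconfined_t)   # only unconfined if that module is loaded
')
"""
SHARED_TE = """
type my_uncon_exec_t;
allow procmail_t unconfined_t : process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
"""
RAW_TE = """
allow procmail_t my_exec_t:file { getattr open read execute };
allow procmail_t unconfined_t:process transition;
type_transition procmail_t my_exec_t:process unconfined_t;
"""

MACRO_RE = re.compile(r"\b(?:domtrans_pattern|domain_auto_trans)\s*\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")
TYPE_TRANS_RE = re.compile(r"\btype_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;")
UNCONF_RE = re.compile(r"\bunconfined_domain\s*\(\s*(\w+)\s*\)")

def strip_comments(te):
    return "\n".join(line.split("#", 1)[0] for line in te.splitlines())

def transitions(te):
    """All (source, entrypoint_type, target) process transitions, whether written
    with a refpolicy macro or as a raw type_transition rule."""
    body = strip_comments(te)
    return sorted(set(MACRO_RE.findall(body) + TYPE_TRANS_RE.findall(body)))

def audit(te):
    """Classify each transition's target: the shared unconfined_t, a dedicated
    domain that the module itself makes unconfined, or a confined domain."""
    unconf = set(UNCONF_RE.findall(strip_comments(te)))
    report = []
    for src, entry, dst in transitions(te):
        if dst == "unconfined_t":
            kind = "shared unconfined_t"
        elif dst in unconf:
            kind = "dedicated unconfined domain"
        else:
            kind = "confined"
        report.append((src, entry, dst, kind))
    return report

if __name__ == "__main__":
    for name, te in (("dedicated", DEDICATED_TE), ("shared", SHARED_TE), ("raw", RAW_TE)):
        for src, entry, dst, kind in audit(te):
            print(f"{name}: {src} --exec {entry}--> {dst} [{kind}]")
```

A dedicated domain such as procmail_unconfined_t keeps procmail-launched scripts distinguishable from interactive unconfined_t processes in audit logs and in `ps -Z` output.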