Re: I need a script invoked from procmail_t to run unconfined.

On 05/06/2013 11:40 AM, Daniel J Walsh wrote:
On 05/02/2013 05:53 PM, Robert Nichols wrote:
On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
I would go a different way and create a new domain, procmail_unconfined_t,
and make this domain an unconfined domain.

# cat myprocmail.te

policy_module(myprocmail, 1.0)

require {
    type procmail_t;
}

# Entry-point type for the script(s) that have to run unconfined.
type procmail_unconfined_exec_t;
application_executable_file(procmail_unconfined_exec_t)

optional_policy(`
    # Dedicated domain for the script: it keeps its own label instead of
    # reusing unconfined_t.
    type procmail_unconfined_t;
    domain_type(procmail_unconfined_t)
    domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
    role system_r types procmail_unconfined_t;

    # procmail_t executes a procmail_unconfined_exec_t file and transitions
    # into the new domain.
    domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)

    allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
    allow procmail_t procmail_unconfined_exec_t:file read_file_perms;
    allow procmail_t procmail_unconfined_exec_t:file ioctl;

    init_domtrans_script(procmail_unconfined_t)

    optional_policy(`
        # Make the new domain unconfined.
        unconfined_domain(procmail_unconfined_t)
    ')
')

# make -f /usr/share/selinux/devel/Makefile myprocmail.pp
# sudo semodule -i myprocmail.pp
# chcon -t procmail_unconfined_exec_t PATH_TO_YOUR_SCRIPTS

Thanks, I _think_ that's basically what I ended up doing. [copied from my
previous post]:

policy_module(procmail_uncon, 1.0.18)

gen_require(`
    type unconfined_t;
    type unconfined_exec_t;
    type procmail_t;
    role system_r;
')

# Entry-point type for the script; a file labelled with it triggers the
# transition below.
type my_uncon_exec_t;
files_type(my_uncon_exec_t)

# procmail_t executes a my_uncon_exec_t file and lands directly in unconfined_t.
allow procmail_t unconfined_t:process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
role system_r types unconfined_t;

One difference between what Miroslav showed and what you did is that your new
domain is now unconfined_t and might transition to another domain, whereas
his would not. Also, any confined domain that was allowed to communicate with
unconfined_t would be able to communicate with your domain.  They would not in
Miroslav's case.

Then I'll definitely stick with what I've got since it makes everything work
the same way it does when I invoke procmail from the command line.  procmail
transitions to procmail_t only when invoked from certain other confined
domains, and that is a large part of what was making my life difficult in
testing.  Now, my script runs the same whether procmail was running in
domain procmail_t or unconfined_t.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
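Daniel's distinction above (a dedicated domain that is then made unconfined, versus a transition straight into the shared unconfined_t) can be checked mechanically before a module is loaded. The script below is an added example and not code from this thread or from the SELinux project: it embeds both modules from the thread as constructed sample text, locates the domain transition out of procmail_t and reports whether the target is a domain declared in the module or the base policy's unconfined_t, and whether system_r is allowed to enter it. The constant and function names (MIROSLAV_TE, BOB_TE, analyze, findings) are the example's own; on a live system the loaded policy should be queried with sesearch rather than parsed as text.

```python
"""Added example: static check of a refpolicy-style .te module for where the
domain transition out of procmail_t lands (dedicated domain or shared
unconfined_t).  Text parsing only; on a live system use sesearch instead."""
import re

# Constructed sample input: the two modules from the thread, reflowed.
MIROSLAV_TE = """\
policy_module(myprocmail, 1.0)
require { type procmail_t; }
type procmail_unconfined_exec_t;
application_executable_file(procmail_unconfined_exec_t)
optional_policy(`
    type procmail_unconfined_t;
    domain_type(procmail_unconfined_t)
    domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
    role system_r types procmail_unconfined_t;
    domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
    init_domtrans_script(procmail_unconfined_t)
    optional_policy(`
        unconfined_domain(procmail_unconfined_t)
    ')
')
"""

BOB_TE = """\
policy_module(procmail_uncon, 1.0.18)
gen_require(`
    type unconfined_t;
    type unconfined_exec_t;
    type procmail_t;
    role system_r;
')
type my_uncon_exec_t;
files_type(my_uncon_exec_t)
allow procmail_t unconfined_t:process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
role system_r types unconfined_t;
"""

COMMENT_RE = re.compile(r"#.*")
# require/gen_require blocks only name types owned by other modules; they are
# not declarations, so they are stripped before looking for "type X;" lines.
REQUIRE_RE = re.compile(r"gen_require\(`.*?'\)|require\s*\{.*?\}", re.S)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
ROLE_RE = re.compile(r"\brole\s+(\w+)\s+types\s+([\w\s]+?);")
UNCONF_RE = re.compile(r"\bunconfined_domain\(\s*(\w+)\s*\)")
TRANS_RE = re.compile(
    r"\b(?:domtrans_pattern|domain_auto_trans)\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")


def analyze(te_text, source="procmail_t"):
    """Report on the first domain transition whose source is `source`, or None."""
    body = REQUIRE_RE.sub("", COMMENT_RE.sub("", te_text))
    declared = set(TYPE_RE.findall(body))
    made_unconfined = set(UNCONF_RE.findall(body))
    roles = {}
    for role, types in ROLE_RE.findall(body):
        roles.setdefault(role, set()).update(types.split())
    for src, entry, target in TRANS_RE.findall(body):
        if src != source:
            continue
        return {
            "entry_type": entry,
            "target": target,
            # Declared in this module => it has its own label.
            "dedicated_domain": target in declared,
            "unconfined": target == "unconfined_t" or target in made_unconfined,
            # procmail started by init runs as system_r, so the target must be
            # authorized for that role or the transition is denied.
            "system_r_ok": target in roles.get("system_r", set()),
        }
    return None


def findings(report):
    """Turn a report into the observations Daniel made in the thread."""
    notes = []
    if report["dedicated_domain"]:
        notes.append("target %s is declared here: rules written for "
                     "unconfined_t do not reach it" % report["target"])
        if report["unconfined"]:
            notes.append("%s is made unconfined, so it is unrestricted but "
                         "still distinguishable by label" % report["target"])
    elif report["target"] == "unconfined_t":
        notes.append("script lands in the shared unconfined_t: every rule "
                     "naming unconfined_t applies, including onward transitions")
    if not report["system_r_ok"]:
        notes.append("%s is not authorized for system_r; an init-started "
                     "procmail could not enter it" % report["target"])
    return notes


if __name__ == "__main__":
    for name, te in (("Miroslav", MIROSLAV_TE), ("Bob", BOB_TE)):
        rep = analyze(te)
        print(name, rep)
        for note in findings(rep):
            print("  -", note)
```

Run as-is, the script prints one report per module: Miroslav's transition targets the locally declared procmail_unconfined_t, Bob's targets unconfined_t itself, and both targets are authorized for system_r.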

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux