On 05/07/2013 09:42 AM, Robert Nichols wrote:
> On 05/06/2013 11:40 AM, Daniel J Walsh wrote:
>> On 05/02/2013 05:53 PM, Robert Nichols wrote:
>>> On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
>>>> I would go with a different way and create a new domain,
>>>> procmail_unconfined_t, and make this domain an unconfined domain.
>>>>
>>>> # cat myprocmail.te
>>>>
>>>> require{ type procmail_t; }
>>>>
>>>> type procmail_unconfined_exec_t;
>>>> application_executable_file(procmail_unconfined_exec_t)
>>>>
>>>> optional_policy(`
>>>>     type procmail_unconfined_t;
>>>>     domain_type(procmail_unconfined_t)
>>>>
>>>>     domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
>>>>     role system_r types procmail_unconfined_t;
>>>>
>>>>     domtrans_pattern(procmail_t, procmail_unconfined_exec_t,
>>>>                      procmail_unconfined_t)
>>>>
>>>>     allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
>>>>     allow procmail_t procmail_unconfined_exec_t:dir read_file_perms;
>>>>     allow procmail_t procmail_unconfined_exec_t:file ioctl;
>>>>
>>>>     init_domtrans_script(procmail_unconfined_t)
>>>>
>>>>     optional_policy(`
>>>>         unconfined_domain(procmail_unconfined_t)
>>>>     ')
>>>> ')
>>>>
>>>> # make -f /usr/share/selinux/devel/Makefile mytest.pp
>>>> # sudo semodule -i mytest.pp
>>>> # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
>>>
>>> Thanks, I _think_ that's basically what I ended up doing.
>>> [copied from my previous post]:
>>>
>>> policy_module(procmail_uncon, 1.0.18)
>>>
>>> gen_require(`
>>>     type unconfined_t;
>>>     type unconfined_exec_t;
>>>     type procmail_t;
>>>     role system_r;
>>> ')
>>>
>>> type my_uncon_exec_t;
>>> files_type(my_uncon_exec_t)
>>>
>>> allow procmail_t unconfined_t : process { transition sigchld };
>>> domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
>>> role system_r types unconfined_t;
>>>
>> One difference between what Miroslav showed and what you did is that your
>> new domain is now unconfined_t and might transition to another domain,
>> whereas his would not. Also, any confined domain that was allowed to
>> communicate with unconfined_t would be able to communicate with your
>> domain. They would not in Miroslav's case.
>
> Then I'll definitely stick with what I've got since it makes everything
> work the same way it does when I invoke procmail from the command line.
> procmail transitions to procmail_t only when invoked from certain other
> confined domains, and that is a large part of what was making my life
> difficult in testing. Now, my script runs the same whether procmail was
> running in domain procmail_t or unconfined_t.
>
Ok, just wanted you to know the differences.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
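The difference Dan Walsh points out above is visible in the policy text itself: Miroslav's module declares a fresh domain and transitions into it, while Robert's module transitions into the pre-existing unconfined_t that every other unconfined process already shares. As an added example, not part of the thread, the following Python script is a small static check over .te fragments that extracts each domain transition (domtrans_pattern or domain_auto_trans), works out whether the target domain is declared by the module or merely imported through a require block, and reports whether the module also calls unconfined_domain() on it. The two policy texts are re-typed from the thread; the helper names are my own.

```python
import re

# Miroslav's module, re-typed from the thread (constructed input for this check)
MIROSLAV_TE = """
require { type procmail_t; }

type procmail_unconfined_exec_t;
application_executable_file(procmail_unconfined_exec_t)

optional_policy(`
    type procmail_unconfined_t;
    domain_type(procmail_unconfined_t)
    domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
    role system_r types procmail_unconfined_t;
    domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
    init_domtrans_script(procmail_unconfined_t)
    optional_policy(`
        unconfined_domain(procmail_unconfined_t)
    ')
')
"""

# Robert's module, re-typed from the thread (constructed input for this check)
ROBERT_TE = """
policy_module(procmail_uncon, 1.0.18)

gen_require(`
    type unconfined_t;
    type unconfined_exec_t;
    type procmail_t;
    role system_r;
')

type my_uncon_exec_t;
files_type(my_uncon_exec_t)

allow procmail_t unconfined_t : process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
role system_r types unconfined_t;
"""

# Raw-policy and m4-macro forms of a require block: types named there
# are defined elsewhere in the loaded policy, not by this module.
REQUIRE_RAW = re.compile(r"require\s*\{(.*?)\}", re.S)
REQUIRE_M4 = re.compile(r"gen_require\s*\(\s*`(.*?)'\s*\)", re.S)
TYPE_NAME = re.compile(r"\btype\s+(\w+)\s*;")
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
UNCONFINED = re.compile(r"\bunconfined_domain\s*\(\s*(\w+)\s*\)")
# Both refpolicy transition macros take (source domain, entrypoint type, target domain)
TRANS_MACRO = re.compile(
    r"\b(domtrans_pattern|domain_auto_trans)\s*\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")


def analyze_module(te_text):
    """Return one record per domain transition found in a .te text."""
    imported = set()
    for block in REQUIRE_RAW.findall(te_text) + REQUIRE_M4.findall(te_text):
        imported.update(TYPE_NAME.findall(block))
    # Strip the require blocks so their 'type X;' lines are not mistaken for declarations
    body = REQUIRE_M4.sub("", REQUIRE_RAW.sub("", te_text))
    declared = set(TYPE_DECL.findall(body))
    made_unconfined = set(UNCONFINED.findall(body))
    transitions = []
    for macro, source, entrypoint, target in TRANS_MACRO.findall(body):
        transitions.append({
            "macro": macro,
            "source": source,
            "entrypoint": entrypoint,
            "target": target,
            # A target declared here is private to this module's scripts; an imported
            # one is shared with every other process already running in that domain.
            "target_is_new_domain": target in declared and target not in imported,
            "target_made_unconfined": target in made_unconfined,
        })
    return transitions


def describe(name, te_text):
    for t in analyze_module(te_text):
        scope = "new, module-private" if t["target_is_new_domain"] else "pre-existing, shared"
        print(f"{name}: {t['source']} -> {t['target']} via {t['entrypoint']} "
              f"[{t['macro']}] target domain is {scope}"
              + ("; made unconfined here" if t["target_made_unconfined"] else ""))


if __name__ == "__main__":
    describe("miroslav", MIROSLAV_TE)
    describe("robert", ROBERT_TE)
```

Run stand-alone, the script reports that Miroslav's transition lands in a module-private domain that the module itself makes unconfined, while Robert's lands in the shared unconfined_t; that is exactly the distinction in the reply above about which other confined domains can then talk to the script.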