On 6/10/19 9:48 AM, Zdenek Pytela wrote:
>
> On Fri, Jun 7, 2019 at 11:31 AM Marko Rauhamaa <marko@xxxxxxxxxx> wrote:
> >
> > I have a service I want to start from systemd. The service startup goes
> > like this:
> >
> > systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
> >
> > However, Fedora's SELinux policies prevent prog2 from starting. If I
> > change prog2's label to bin_t or usr_t, the service starts fine.
> >
> > What in Fedora's policies bans antivirus_exec_t from running?
> >
> > Should I introduce a custom policy that allows that startup combination?
> > If so, can you tell me what that rule would look like (or what document
> > would give me the instructions). I already have a simple .te policy so I
> > know the very basics.
> >
> > Or should I just label the file with bin_t and be done with it?
>
> Hi Marko,
>
> There is a type transition which makes a usr_t prog1 end up in the
> unconfined_service_t domain:
>
> # sesearch -T -s init_t -t usr_t -c process
> type_transition init_t usr_t:process unconfined_service_t;
>
> but a transition from antivirus_exec_t is defined only for a bunch of
> domains:
>
> # sesearch -T -t antivirus_exec_t -c process
> type_transition cluster_t antivirus_exec_t:process antivirus_t;
> type_transition condor_startd_t antivirus_exec_t:process antivirus_t;
> type_transition crond_t antivirus_exec_t:process antivirus_t;
> type_transition exim_t antivirus_exec_t:process antivirus_t;
> type_transition glusterd_t antivirus_exec_t:process antivirus_t;
> type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t;
> type_transition httpd_t antivirus_exec_t:process antivirus_t;
> type_transition init_t antivirus_exec_t:process antivirus_t;
> type_transition initrc_t antivirus_exec_t:process antivirus_t;
> type_transition kdumpctl_t antivirus_exec_t:process antivirus_t;
> type_transition mscan_t antivirus_exec_t:process antivirus_t;
> type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t;
> type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t;
> type_transition procmail_t antivirus_exec_t:process antivirus_t;
> type_transition system_cronjob_t antivirus_exec_t:process antivirus_t;
>
> > BTW, this is not a sysadmin question. Rather it's a product installation
> > question; the product should work out of the box on Fedora.
>
> The proper way to start a service is using a service unit; in that
> case it works out of the box. We cannot, however, suggest any solution
> without further information about your setup.
>

There are several ways to solve this.

Your scenario:

systemd[label: init_t] ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]

What you can do is label prog1 as antivirus_exec_t, like:

systemd[label: init_t] ----> prog1[label: antivirus_exec_t] ----> prog2[label: antivirus_exec_t]

Because of the domain transition:

# sesearch -T -s init_t -t antivirus_exec_t -c process
type_transition init_t antivirus_exec_t:process antivirus_t;

the first process will run as antivirus_t, and then the next one will also run as antivirus_t.

Or you can specify new domain transitions to have something like:

systemd[label: init_t] ----> prog1[label: antivirus_starter_exec_t] ----> prog2[label: antivirus_exec_t]

But could you please share your use case? It would be helpful.

Thanks,
Lukas.
> >
> > Marko
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
> --
>
> Zdenek Pytela
> SELinux product owner and Senior software engineer, Security technologies
> E-mail: zpytela@xxxxxxxxxx, IRC: zpytela
>

--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
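The third option above (a dedicated starter domain between init_t and antivirus_t) is the one that keeps prog1 confined to its own, smaller set of permissions instead of giving it everything antivirus_t is allowed, so here is what the corresponding policy module could look like. This is an added example for this thread, not code from Lukas or from the Fedora policy: the exec type antivirus_starter_exec_t is the label Lukas suggested, the domain name antivirus_starter_t and the two permission interfaces at the end are this example's assumptions, and the interfaces init_daemon_domain(), domain_auto_trans(), files_read_etc_files() and corecmd_exec_bin() are assumed to be available from the Fedora reference-policy headers in /usr/share/selinux/devel.

```selinux
policy_module(antivirus_starter, 1.0)

########################################
#
# Declarations
#

# Domain for prog1 and the entrypoint type its binary will carry.
# antivirus_starter_exec_t is the label proposed in the thread;
# antivirus_starter_t is this example's name for the domain.
type antivirus_starter_t;
type antivirus_starter_exec_t;

# Declare the starter as a daemon domain: this produces the
# type_transition (and the matching allow rules) so that init_t running
# a file labelled antivirus_starter_exec_t ends up in antivirus_starter_t,
# i.e. the first hop of
#   init_t ----> antivirus_starter_t ----> antivirus_t
init_daemon_domain(antivirus_starter_t, antivirus_starter_exec_t)

# Types owned by the existing antivirus module (assumed present).
require {
    type antivirus_t;
    type antivirus_exec_t;
}

########################################
#
# Policy
#

# Second hop: when antivirus_starter_t executes a file labelled
# antivirus_exec_t, the child runs as antivirus_t. domain_auto_trans()
# expands to the execute/transition/entrypoint allow rules plus
#   type_transition antivirus_starter_t antivirus_exec_t:process antivirus_t;
domain_auto_trans(antivirus_starter_t, antivirus_exec_t, antivirus_t)

# Minimal permissions for the starter itself (assumed here; extend them
# from what prog1 actually needs, e.g. from AVC denials in audit.log).
files_read_etc_files(antivirus_starter_t)
corecmd_exec_bin(antivirus_starter_t)
```

With the module built and installed (make -f /usr/share/selinux/devel/Makefile antivirus_starter.pp; semodule -i antivirus_starter.pp), the remaining steps are to label prog1 with antivirus_starter_exec_t via semanage fcontext and restorecon, and then to confirm both hops exist the same way the thread checks them: sesearch -T -s init_t -t antivirus_starter_exec_t -c process should report a transition to antivirus_starter_t, and sesearch -T -s antivirus_starter_t -t antivirus_exec_t -c process one to antivirus_t. If prog2 still fails to start, the denial will now be logged against antivirus_starter_t or antivirus_t rather than unconfined_service_t, which narrows the search to the missing allow rule.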