To domain transition or not?

I have a general question, followed by a couple more specific questions.
When creating domains for programs that use linux cmds like ping or
hostname, which have their own domains, I'm faced with the choice of having
those programs run in my domain or in the domain of the linux cmd. What
is the better approach?

Take "ping" for example. We have a program (MonitorSvcUtil) that uses
ping and runs in a domain I've created called monitorsvcutil_t.
Depending on whether I use the netutils_exec_ping or
netutils_domtrans_ping interface, I can have our program execute ping in
the monitorsvcutil_t domain, or do a domain transition into the ping_t.
I would think the latter approach would be better, since ping is then
running in a domain specifically designed for it and I can avoid having
to give the monitorsvcutil_t domain the privileges needed to run ping.

When I try the latter approach I'm wondering why I run into the
following denials:

type=AVC msg=audit(1213025579.772:9476): avc:  denied  { read write }
for  pid=2238 comm="ping" path="socket:[6024549]" dev=sockfs ino=6024549
scontext=root:staff_r:ping_t:s0-s4:c0.c255
tcontext=root:staff_r:monitorsvcutil_t:s0-s4:c0.c255 tclass=tcp_socket

type=AVC msg=audit(1213025579.030:9446): avc:  denied  { append } for
pid=2233 comm="ping"
path="/opt/nl/nltmp/clarkson/NLdata/.mbdev2_2008Jun09_1527_1415.txt"
dev=sda8 ino=684396 scontext=root:staff_r:ping_t:s0-s4:c0.c255
tcontext=root:object_r:nl_tmp_data_t:s0 tclass=file

The first denial surprises me because I would have thought that the ping
program would be creating its own TCP socket and thus I would not expect
the socket to be labeled with the monitorsvcutil_t type.

The second denial surprises me because the ping program does not have
anything to do with the ".mbdev2_2008Jun09_1527_1415.txt" file. This
seems to indicate that once the ping process completes and returns to
the MonitorSvcUtil process, the domain remains ping_t rather than
returning to monitorsvcutil_t.

Thanks




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
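A refpolicy-style module for the second approach discussed above, written here as an added example rather than taken from the original post or from MonitorSvcUtil's own policy. It assumes the refpolicy interfaces named in the post, that nl_tmp_data_t is declared in another module of the site's policy, and that the two denials come from descriptors MonitorSvcUtil left open across the exec of ping (an inherited descriptor keeps the label of the domain that created it, which is why ping_t shows up touching a monitorsvcutil_t socket and an nl_tmp_data_t file).

```selinux
policy_module(monitorsvcutil, 1.0.0)

########################################
#
# Declarations
#

# ping_t comes from the refpolicy netutils module; nl_tmp_data_t is
# assumed to be declared in another module of this site's policy.
gen_require(`
	type ping_t;
	type nl_tmp_data_t;
')

type monitorsvcutil_t;
type monitorsvcutil_exec_t;
application_domain(monitorsvcutil_t, monitorsvcutil_exec_t)

########################################
#
# Local policy
#

# Approach 1: keep ping inside monitorsvcutil_t. Every privilege ping
# needs (raw sockets, CAP_NET_RAW, ...) then has to be granted to this
# domain as well.
# netutils_exec_ping(monitorsvcutil_t)

# Approach 2: transition to ping_t on exec of ping_exec_t. The interface
# wraps domtrans_pattern(), so execute/transition/entrypoint are covered.
# If the calling role is not yet allowed ping_t, use
# netutils_run_ping(monitorsvcutil_t, staff_r) instead.
netutils_domtrans_ping(monitorsvcutil_t)

# Descriptors left open across exec are inherited by ping and keep the
# label of the domain that created them, so the rules below are keyed on
# monitorsvcutil_t, not ping_t. The cleanest fix is in MonitorSvcUtil:
# open the socket with SOCK_CLOEXEC (or set FD_CLOEXEC) so ping never
# sees it, after which the dontaudit line becomes unnecessary.
allow ping_t monitorsvcutil_t:fd use;

# The TCP socket is MonitorSvcUtil's own connection; ping has no use for
# it, so silence the denial rather than permit the access.
dontaudit ping_t monitorsvcutil_t:tcp_socket rw_socket_perms;

# ping's stdout/stderr redirected into the .txt file is output the
# monitor wants, so permit appending to the already-open file.
allow ping_t nl_tmp_data_t:file append_file_perms;
```

With the socket closed on exec in MonitorSvcUtil, only the fd use and file append rules remain necessary, and ping_t gains nothing beyond writing its own output.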
