I am trying to write policy to constrain a Perl program called email2feedback.pl which runs from cron on CentOS 5.7. It persists in running in scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 despite the following policy. I suspect I have incorrectly configured the transition in email2feedback.if. Any tips?

# ls -laZ /automated_tasks/email2feedback.pl
-rwxrwxr-x root treed system_u:object_r:email2feedback_exec_t:s0 /automated_tasks/email2feedback.pl

email2feedback.fc:

/automated_tasks/email2feedback.pl -- gen_context(system_u:object_r:email2feedback_exec_t,s0)

email2feedback.te:

policy_module(email2feedback, 1.0.0)

type email2feedback_t;
type email2feedback_exec_t;

require {
    type automated_tasks_db_t;
}

domain_type(email2feedback_t)
domain_entry_file(email2feedback_t, email2feedback_exec_t)

allow email2feedback_t automated_tasks_db_t:file { read getattr ioctl };

email2feedback.if:

interface(`email2feedback_domtrans',`
    gen_require(`
        type email2feedback_t, email2feedback_exec_t;
    ')
    domain_auto_trans($1,email2feedback_exec_t,email2feedback_t)
    allow $1 email2feedback_t:fd use;
    allow email2feedback_t $1:fd use;
')

# Let it switch from crond_t to email2feedback_t
ifdef(`crond.te', `
    system_crond_entry(email2feedback_exec_t, email2feedback_t)
')

--
Tracy Reed
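
One way to state the crond_t transition directly in email2feedback.te, using only the macro and types already shown in the post (an added example, not part of the original message and not tested on CentOS 5.7). The .te as posted never calls email2feedback_domtrans, so this version emits the transition rules from the .te itself. It assumes the cron job really starts in crond_t, as the reported scontext indicates, and it adds a role statement so that system_u:system_r:email2feedback_t is a valid context.

```selinux
# email2feedback.te (added example, assumptions noted in comments)
policy_module(email2feedback, 1.0.0)

type email2feedback_t;
type email2feedback_exec_t;

require {
    type automated_tasks_db_t;
    type crond_t;    # assumption: source domain, taken from the scontext in the post
}

domain_type(email2feedback_t)
domain_entry_file(email2feedback_t, email2feedback_exec_t)

# system_r must be authorized for the new type, otherwise the
# transition would produce an invalid context and be refused.
role system_r types email2feedback_t;

# Same three rules as the body of email2feedback_domtrans in the post,
# with $1 replaced by crond_t, so they end up in the compiled module.
domain_auto_trans(crond_t, email2feedback_exec_t, email2feedback_t)
allow crond_t email2feedback_t:fd use;
allow email2feedback_t crond_t:fd use;

allow email2feedback_t automated_tasks_db_t:file { read getattr ioctl };
```

After the module is rebuilt and reloaded, the denials logged for email2feedback_t in the audit log show which further permissions the script needs.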