On 4/29/20 11:47 AM, Stephen Smalley wrote:
> Sounds similar to https://lore.kernel.org/selinux/23A084A9-66A1-4E02-A766-F9214E63A628@xxxxxxxx/, which may be due to a kernel change outside SELinux as per that thread.

Yes. That's exactly it.

> It is logically correct since the new domain is executing from the interpreter.

Indeed. I was quite puzzled about how it ever worked.

> You can reduce the scope by defining and assigning a specific type to /usr/bin/python2.7 but obviously that will have a rippling impact on the rest of the policy.

That would undoubtedly be painful! For now, I've modified my systemd service file to make a copy of the Python executable with the required context, i.e.:

    [Service]
    Type=simple
    PrivateTmp=true
    ExecStartPre=/usr/bin/cp /usr/bin/python2 /tmp/python.denatc
    ExecStartPre=/usr/bin/chcon -t denatc_exec_t /tmp/python.denatc
    ExecStart=/tmp/python.denatc /usr/local/bin/denatc -d
    ExecStartPost=/usr/bin/rm /tmp/python.denatc

Thanks!

-- 
========================================================================
In Soviet Russia, Google searches you!
========================================================================
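Because the transition is now computed from the interpreter's label rather than the script's, a workaround like the unit above is only as good as the label the copied interpreter actually carries and the domain the service actually ends up in. The script below is an added verification example, not code from this thread or from the denatc project: it reads the entry point's file label and the running process's domain and reports any mismatch. It takes the entry type denatc_exec_t from the unit file; the process domain name denatc_t is an assumption, since the thread never shows it. Where SELinux labels cannot be read (SELinux disabled, non-Linux host) it reports that rather than failing.

```python
"""Check that a script-based service really landed in the intended SELinux domain.

Added example, not code from the mailing-list thread. Assumes the entry type
denatc_exec_t from the unit file and a process domain named denatc_t (the
latter is an assumption; the thread does not show the domain name).
"""
import os
from typing import List, NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range; absent on policies without MLS


def parse_context(raw: str) -> Context:
    """Split 'user:role:type[:level]' into its fields.

    /proc/<pid>/attr/current and the security.selinux xattr are NUL terminated,
    so strip that first. The level may itself contain ':' (e.g. s0-s0:c0.c1023),
    so split on at most three separators.
    """
    text = raw.strip("\0 \n")
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {raw!r}")
    level = parts[3] if len(parts) == 4 else None
    return Context(parts[0], parts[1], parts[2], level)


def file_type(path: str) -> Optional[str]:
    """Type field of a file's label, or None when no label can be read."""
    try:
        raw = os.getxattr(path, "security.selinux")  # Linux only
    except (OSError, AttributeError):
        return None
    return parse_context(raw.decode()).type


def process_domain(pid: int) -> Optional[str]:
    """Type (domain) field of a running process, or None when unavailable."""
    try:
        with open(f"/proc/{pid}/attr/current") as fh:
            raw = fh.read()
    except OSError:
        return None
    if not raw.strip("\0 \n"):
        return None
    return parse_context(raw).type


def check_transition(exec_path: str, pid: int,
                     expected_exec_type: str, expected_domain: str) -> List[str]:
    """Return findings; an empty list means both labels matched expectations."""
    findings: List[str] = []
    ftype = file_type(exec_path)
    if ftype is None:
        findings.append(f"{exec_path}: file label unavailable")
    elif ftype != expected_exec_type:
        findings.append(f"{exec_path}: type {ftype}, expected {expected_exec_type}")
    domain = process_domain(pid)
    if domain is None:
        findings.append(f"pid {pid}: process domain unavailable")
    elif domain != expected_domain:
        findings.append(f"pid {pid}: domain {domain}, expected {expected_domain}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 check_transition.py /tmp/python.denatc <pid of the service>
    path, pid = sys.argv[1], int(sys.argv[2])
    problems = check_transition(path, pid, "denatc_exec_t", "denatc_t")
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it against the service's main PID (systemctl show -p MainPID) while the copied interpreter still exists; with PrivateTmp=true the /tmp path must be read from inside the service's mount namespace, so the file check is most useful when run from an ExecStartPost= step in the same unit.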