How to write a policy for a "service wrapper"?

I have a service (stunnel) that runs in a confined domain (stunnel_t).

Due to changes in Fedora's systemwide cryptographic policy, I need to
run this service under the "legacy" cryptographic policy, using the
'runcp' wrapper[1].

So my idea is to create a new domain for the wrapper (runcp_t or similar),
give that domain the permissions required to perform its functions, and
then use a type transition rule to run the actual service in its normal
domain.

It's simple enough to write a type transition rule for a specific
service, e.g.:

  type_transition runcp_t stunnel_exec_t:process stunnel_t;

However, it would obviously be nice to allow the wrapper to be used
without the need for service-specific rules.

Any service that normally runs in a confined domain presumably already
provides a type transition rule for the init system, e.g.:

  type_transition init_t stunnel_exec_t:process stunnel_t;

Is there some way that I can make the wrapper take advantage of these
rules, possibly by transitioning back to init_t?

[1] https://gitlab.com/redhat-crypto/crypto-policies-extras/-/blob/main/runcp.c

--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================
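One way to express the wrapper-domain idea from the post above as a refpolicy-style module, with the per-service rule for stunnel spelled out. This is an added example, not code from the original post or from the crypto-policies-extras project; the module name, the wrapper path /usr/bin/runcp and the assumption that runcp needs no file access beyond the exec itself are assumptions.

```m4
policy_module(runcp, 1.0.0)

########################################
#
# Declarations
#

# Wrapper domain and the type for its executable.
# Assumed to be applied to /usr/bin/runcp via the module's .fc file.
type runcp_t;
type runcp_exec_t;

# Lets systemd (init_t) execute the wrapper and land in runcp_t,
# reusing the stock init transition rules instead of writing them by hand.
init_daemon_domain(runcp_t, runcp_exec_t)

########################################
#
# Local policy for the wrapper itself
#

# runcp only adjusts the environment and execs its argument, so this
# example assumes it needs nothing beyond the transition below.
# Any additional denials would show up in audit.log while the wrapper runs.

########################################
#
# Service-specific transition (stunnel as the worked case)
#

gen_require(`
	type stunnel_t, stunnel_exec_t;
')

# domain_auto_trans() expands, roughly, to the rules one domain transition needs:
#   allow runcp_t stunnel_exec_t:file { getattr open read execute map };
#   allow runcp_t stunnel_t:process transition;
#   allow stunnel_t stunnel_exec_t:file entrypoint;
#   type_transition runcp_t stunnel_exec_t:process stunnel_t;
# Without these, stunnel would either be denied execution or keep running
# in runcp_t with the wrapper's permissions instead of stunnel_t's.
domain_auto_trans(runcp_t, stunnel_exec_t, stunnel_t)
```

The matching runcp.fc line would be `/usr/bin/runcp -- gen_context(system_u:object_r:runcp_exec_t,s0)`, after which the module builds with `make -f /usr/share/selinux/devel/Makefile runcp.pp` and loads with `semodule -i runcp.pp`. Each additional service still needs its own `domain_auto_trans` line; this module does not answer the question of a generic hand-back to init_t.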