Ian Pilcher <arequipeno@xxxxxxxxx> writes:

> I have a service (stunnel) that runs in a confined domain (stunnel_t).
>
> Due to changes in Fedora's systemwide cryptographic policy, I need to
> run this service under the "legacy" cryptographic policy, using the
> 'runcp' wrapper[1].
>
> So my idea is to create a new domain for the wrapper (runcp_t or similar),
> give that domain the permissions required to perform its functions, and
> then use a type transition rule to run the actual service in its normal
> domain.
>
> It's simple enough to write a type transition rule for a specific
> service, e.g.:
>
> type_transition runcp_t stunnel_exec_t:process stunnel_t;
>
> However, it would obviously be nice to allow the wrapper to be used
> without the need for service-specific rules.
>
> Any service that normally runs in a confined domain presumably already
> provides a type transition rule for the init system, e.g.:
>
> type_transition init_t stunnel_exec_t:process stunnel_t;
>
> Is there some way that I can make the wrapper take advantage of these
> rules, possibly by transitioning back to init_t?

You can label the runcp command with a private executable file type and
then allow systemd to execute it without a transition, effectively running
runcp in init_t just like systemd. Then when runcp executes stunnel it
should transparently transition from init_t to stunnel_t as if runcp was
not there.

> [1]
> https://gitlab.com/redhat-crypto/crypto-policies-extras/-/blob/main/runcp.c

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@xxxxxxxxxxx
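The labelling approach described in the reply above, written out as a small CIL policy module. This is an added example, not code from the thread, from runcp or from the Fedora policy; it assumes runcp is installed at /usr/local/bin/runcp (a placeholder path) and that the base policy already carries the init_t -> stunnel_exec_t -> stunnel_t transition the question quotes.

```cil
; runcp_init.cil -- constructed example, not part of the original thread.
; Load with: semodule -i runcp_init.cil && restorecon -v /usr/local/bin/runcp

; Private executable file type for the wrapper binary. Attaching it to
; file_type and exec_type lets the generic rules that apply to executables
; (e.g. reading/listing by administrative domains) cover it as well.
(type runcp_exec_t)
(typeattributeset file_type (runcp_exec_t))
(typeattributeset exec_type (runcp_exec_t))

; Let systemd (init_t) execute runcp *without* a domain transition:
; execute_no_trans is the permission that keeps the caller in its own
; domain, so runcp keeps running as init_t.
(allow init_t runcp_exec_t (file (getattr open read ioctl map execute execute_no_trans)))

; Deliberately no (typetransition init_t runcp_exec_t process ...) here.
; Because runcp is still init_t when it execs stunnel, the policy's existing
; init_t -> stunnel_exec_t -> stunnel_t transition fires exactly as it would
; for systemd itself, and no per-service rule for the wrapper is needed.

; File context so restorecon applies the private label (path is an assumption).
(filecon "/usr/local/bin/runcp" file (system_u object_r runcp_exec_t ((s0) (s0))))
```

After loading, `sesearch -A -s init_t -t runcp_exec_t -c file -p execute_no_trans` should show the no-transition rule, and `sesearch -T -s init_t -t stunnel_exec_t` should still show the stock transition to stunnel_t that the wrapper now inherits.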