I'm working on selinux protection for a python script daemon that is
started inside of an init.d script. Inside the init.d script the python
daemon is invoked as:
python myscript.py --daemon --pid=... --log=...
I'd like to have this process run under its own domain. The worst thing
I could do is to relabel python with that domain, but that would just be
really bad and sloppy, and not really an option.
Another option that I've gotten to work is to use a wrapper shell script
to invoke the python commands. The init.d script invokes the wrapper
script, which is labeled with the desired domain.
But I was wondering of there was another way to get myscript.py to run
under a specific domain without using an application-specific wrapper.
Something like 'sedomainexec myappd_t python myscript.py --daemon ...'
Is the wrapper script my only option?