On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
I'm working on selinux protection for a python script daemon that
started inside of an init.d script. Inside the init.d script the python
daemon is invoked as:
python myscript.py --daemon --pid=... --log=...
I'd like to have this process run under its own domain. The worst thing
I could do is to relabel python with that domain, but that would just be
really bad and sloppy, and not really an option.
Another option that I've gotten to work is to use a wrapper shell script
to invoke the python commands. The init.d script invokes the wrapper
script, which is labeled with the desired domain.
But I was wondering of there was another way to get myscript.py to run
under a specific domain without using an application-specific wrapper.
Something like 'sedomainexec myappd_t python myscript.py --daemon ...'
Is the wrapper script my only option?
If myscript.py starts with #!//usr/bin/python -E, then you can just
label the file with an appropriate _exec_t type and have it
automatically transition into its own domain. SELinux supports domain
transitions on scripts (unlike setuid), although naturally you should
only do that when you trust the calling domain.
You can also use runcon -t to manually launch a program of any kind in a
National Security Agency