On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
> I have a script, executed by apache, which is running in httpd_svn_script_t domain. This
> script calls svn-mailer(bin_t) which in turn calls
> /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there is no transition defined,
> sendmail still runs in httpd_svn_script_t and I get a humongous amount of AVCs. What
> would be the proper rule to add to the local policy to make sendmail running in the proper
> And for that matter if httpd_can_sendmail --> on, shouldn't it be happening
> automatically? Thank you.

Not sure about all this (sesearch and review of source
reveal the answer). I am not in my usual location so I cannot verify at
the moment, however my personal opinion is that you might as well write
some policy yourself to make this happen. Those httpd booleans are
generally coarse grained.
If you write a policy for your script and do a transition from
httpd_svn_script_t to myscript_t and then allow myscript_t to transition
to the mail domain (probably something like
sendmail_domtrans(myscript_t)). That way you do not pollute your
httpd_svn_script_t domain too much with access vectors that are really
meant for your script and not svn.
fedora-selinux-list mailing list
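
A sketch of the local policy module the reply describes, added here as an example; it is not code from either poster or from the Fedora policy. The module name, the types myscript_t and myscript_exec_t, and the choice to relabel the program executed by httpd_svn_script_t as myscript_exec_t are assumptions, and sendmail_domtrans() is the interface the reply suggests ("probably something like"), so confirm it exists in the installed policy headers before building.

```te
policy_module(myscript, 1.0.0)

# Types that already exist on the system (named in the thread).
gen_require(`
	type httpd_svn_script_t;
')

# Hypothetical domain and entrypoint type for the script.
# application_domain() marks myscript_t as a domain and
# myscript_exec_t as a valid entrypoint file type for it.
type myscript_t;
type myscript_exec_t;
application_domain(myscript_t, myscript_exec_t)

# The script is started from a process running as system_r
# (assumption: httpd and its scripts run in system_r).
role system_r types myscript_t;

# Step 1: httpd_svn_script_t -> myscript_t whenever it executes
# a file labeled myscript_exec_t.
domtrans_pattern(httpd_svn_script_t, myscript_exec_t, myscript_t)

# Step 2: let myscript_t run helpers labeled bin_t (svn-mailer in
# the thread) without leaving the domain.
corecmd_exec_bin(myscript_t)

# Step 3: myscript_t -> the sendmail domain when it executes a
# file labeled sendmail_exec_t, as suggested in the reply.
sendmail_domtrans(myscript_t)

# Any access the script itself still needs (visible as AVC denials
# with scontext=...:myscript_t) is granted to myscript_t here, so
# httpd_svn_script_t stays limited to what svn needs.
```

After loading the module, the program must carry the myscript_exec_t label for the first transition to fire; `sesearch` can be used, as the reply notes, to confirm that both type_transition rules are present.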