On Fri, 2007-01-26 at 10:48 -0800, Michael Thomas wrote:
That explains this:
type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Couldn't I just add this to my policy file, or is it too dangerous?:
allow pokerd_t bin_t:file entrypoint;
It doesn't make much difference in this case, since it is a script and it isn't particularly privileged (any more so than the caller). But use the refpolicy interface instead: domain_entry_file(pokerd_t, bin_t)
That won't work in this case, unfortunately. The full command that I'm running is:
/usr/bin/python /usr/bin/twistd --pidfile=/var/run/poker-network/poker-server.pid --python /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py --...
It's a python script framework (twistd) that is invoking the real application specified on the command line. As before, it wouldn't make sense to label the entire framework. I'm working with the app developers to see if they can work around this and invoke the script directly, but for now I have to assume that it might not be an option.
Ok.
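The exchange above turns on two points that are easy to miss when reading raw AVC output: the denied object is the interpreter (`name="python"`, labelled `bin_t`), not the script, and a rule like `allow pokerd_t bin_t:file entrypoint;` would let every `bin_t` file serve as an entrypoint into `pokerd_t`. The script below is an added example written for this post, not code from the list, from refpolicy or from audit2allow. It parses AVC records, generates the literal allow rule a denial would translate to, and flags both problems. The first sample line is the denial quoted in the thread; the other lines, the type name `pokerd_exec_t`, and the lists of generic types and interpreter names are constructed assumptions for the demonstration.

```python
"""Triage SELinux AVC 'entrypoint' denials before turning them into allow rules.

Added example for this thread; not code from the list or from refpolicy.
Sample 1 is the denial quoted in the thread; the rest are constructed, and
the type name pokerd_exec_t is hypothetical.
"""
import re

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Broad file types shared by many unrelated programs (assumed list). Granting a
# domain 'entrypoint' on one of these lets *every* file of that type enter it.
GENERIC_TYPES = {"bin_t", "usr_t", "lib_t", "etc_t", "var_t", "tmp_t", "user_home_t"}

# When the denied file is an interpreter, the kernel checked the interpreter
# binary, so relabelling the script alone does not change the result.
INTERPRETERS = {"python", "python2.5", "perl", "sh", "bash", "ruby"}

SAMPLES = [
    # from the thread
    'type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for pid=3542 '
    'comm="runcon" name="python" dev=dm-0 ino=3312390 '
    'scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    # constructed: the same denial against a dedicated, program-specific type
    'type=AVC msg=audit(1169836500.000:218): avc: denied { entrypoint } for pid=3550 '
    'comm="runcon" name="pokerserver" dev=dm-0 ino=3312400 '
    'scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:pokerd_exec_t:s0 tclass=file',
    # constructed: a non-AVC audit record that must be skipped
    'type=SYSCALL msg=audit(1169836492.684:217): arch=40000003 syscall=11 success=no exit=-13',
]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "fields": fields,
        # security contexts are user:role:type[:level]; the type is field 2
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def proposed_rule(rec):
    """The literal allow rule this denial would become if granted verbatim."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["sdomain"], rec["ttype"], rec["tclass"], perm_str)


def assess(rec):
    """Findings that argue against granting an entrypoint denial as-is."""
    findings = []
    if "entrypoint" not in rec["perms"]:
        return findings
    if rec["ttype"] in GENERIC_TYPES:
        findings.append(
            "broad-entrypoint: entrypoint on %s lets any %s file enter %s; give the "
            "program its own exec type and use domain_entry_file() on that type"
            % (rec["ttype"], rec["ttype"], rec["sdomain"]))
    name = rec["fields"].get("name", "")
    if name in INTERPRETERS:
        findings.append(
            "interpreter-entry: the denied file is the interpreter %r, not the "
            "script, so labelling the script does not change this check" % name)
    return findings


def triage(lines):
    """(rule, findings) for every AVC record in lines; other records are skipped."""
    report = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            report.append((proposed_rule(rec), assess(rec)))
    return report


if __name__ == "__main__":
    for rule, findings in triage(SAMPLES):
        print(rule)
        for f in findings:
            print("  -", f)
```

Run against the thread's denial, the script prints `allow pokerd_t bin_t:file entrypoint;` with both findings attached; the constructed `pokerd_exec_t` denial produces a rule and no findings, which is the shape a reviewer wants to see before a `domain_entry_file()` call goes into the policy.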