On Fri, 2007-01-26 at 10:48 -0800, Michael Thomas wrote:
That explains this:
type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for
pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390
scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0
tclass=file
Couldn't I just add this to my policy file, or is it too dangerous?:
allow pokerd_t bin_t:file entrypoint;
It doesn't make much difference in this case, since it is a script and
it isn't particularly privileged (any more so than the caller). But use
the refpolicy interface instead:
domain_entry_file(pokerd_t, bin_t)
That won't work in this case, unfortunately. The full command that I'm running is:
/usr/bin/python /usr/bin/twistd
--pidfile=/var/run/poker-network/poker-server.pid --python
/usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py --...
It's a python script framework (twistd) that is invoking the real
application specified on the command line. As before, it wouldn't make
sense to label the entire framework. I'm working with the app
developers to see if they can work around this and invoke the script
directly, but for now I have to assume that it might not be an option.
Ok.
--
Stephen Smalley
National Security Agency
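As an added illustration of the policy question raised in the thread (not code from the thread or from refpolicy): a small parser that turns an AVC denial record like the one above into the raw `allow` rule and, for the entrypoint-on-file case, the `domain_entry_file()` interface Stephen named. The sample record is the one quoted in the thread, re-wrapped onto one line; the helper names are my own.

```python
import re

# Sample input: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for '
    'pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 '
    'scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file'
)

# Matches the permission set, source/target contexts and object class of an AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(record):
    """Parse one AVC denial (possibly wrapped across lines) into its policy-relevant fields."""
    m = AVC_RE.search(" ".join(record.split()))  # collapse line wrapping as seen in mail
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def allow_rule(d):
    """The raw TE rule that would silence the denial (what the first poster proposed)."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], perms)


def refpolicy_hint(d):
    """Refpolicy interface for an entrypoint denial on a file, as suggested in the reply.

    Note: entrypoint on a generic type such as bin_t makes every file of that type a
    valid entry into the domain, not just the one script; the thread judges that
    acceptable here only because the script is no more privileged than its caller.
    """
    if d["tclass"] == "file" and "entrypoint" in d["perms"]:
        return "domain_entry_file(%s, %s)" % (d["stype"], d["ttype"])
    return None


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print(allow_rule(denial))       # allow pokerd_t bin_t:file entrypoint;
    print(refpolicy_hint(denial))   # domain_entry_file(pokerd_t, bin_t)
```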