I created httpd_svn_script_t for this exact purpose, I don't
think another one is required.
sendmail_domtrans(httpd_svn_script_t) is the rule then?
Thank you, I will try it.
--- On Sun, 7/19/09, Dominick Grift <domg472(a)gmail.com> wrote:
> From: Dominick Grift <domg472(a)gmail.com>
> Subject: Re: add a transition rule
> To: "Vadym Chepkov" <chepkov(a)yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Sunday, July 19, 2009, 7:06 AM
> On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
>> I have a script, executed by apache, which is running in the httpd_svn_script_t domain. This script calls svn-mailer (bin_t), which in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t), and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous amount of AVCs. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
>> And for that matter, if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
> Not sure about all this (sesearch and review of source policy might reveal the answer). I am not in my usual location so I cannot verify at the moment, however my personal opinion is that you might as well write some policy yourself to make this happen. Those httpd booleans are generally coarse grained.
> If you write a policy for your script and do a transition httpd_svn_script_t to myscript_t and then allow myscript_t to transition to the mail domain (probably something like sendmail_domtrans(myscript_t)). That way you do not pollute the httpd_svn_script_t domain too much with access vectors that are really meant for your script and not svn.
>> Sincerely yours,
>> Vadym Chepkov
>> fedora-selinux-list mailing list
probably better, since it will cover all possible mailers, not just sendmail
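One way to implement the myscript_t approach Dominick sketches (a separate domain for the hook script, entered from httpd_svn_script_t, which is then allowed to transition into the mail domain), as an added example written for this page and not taken from the thread or from the Fedora policy sources. The module name, version and script path are assumptions, and the corecmd_exec_bin rule is included because the thread says svn-mailer is labelled bin_t.

```selinux
# myscript.te -- added example module; "myscript" and the version are assumed names.
# Build and load: make -f /usr/share/selinux/devel/Makefile myscript.pp
#                 semodule -i myscript.pp && restorecon -v /path/to/hook-script
policy_module(myscript, 1.0.0)

########################################
#
# Declarations
#

# Private domain for the hook script and the entrypoint type for its executable.
type myscript_t;
type myscript_exec_t;
domain_type(myscript_t)
domain_entry_file(myscript_t, myscript_exec_t)
# httpd content scripts run in system_r, so the new domain must be reachable from it.
role system_r types myscript_t;

# httpd_svn_script_t is defined by the apache module, so it has to be required here.
require {
	type httpd_svn_script_t;
}

########################################
#
# Local policy
#

# httpd_svn_script_t may execute myscript_exec_t files and automatically
# transitions into myscript_t when it does (also grants fd/fifo/sigchld
# inheritance so the parent can read the child's output).
domtrans_pattern(httpd_svn_script_t, myscript_exec_t, myscript_t)

# The script runs svn-mailer, which is labelled bin_t: execute it in place,
# without a transition.
corecmd_exec_bin(myscript_t)

# svn-mailer then runs sendmail_exec_t: transition into sendmail_t instead of
# staying in myscript_t. mta_send_mail(myscript_t) would instead cover whichever
# MTA is installed rather than sendmail specifically.
sendmail_domtrans(myscript_t)

# Any remaining accesses the script itself needs (repository files, temp files,
# logging) belong here, derived from the AVC denials left once the transitions work.
```

The matching myscript.fc entry labels the hook script itself, e.g. `/path/to/hook-script -- gen_context(system_u:object_r:myscript_exec_t,s0)` with the real path substituted; after loading the module, `ps -eZ | grep sendmail` during a commit should show sendmail_t rather than httpd_svn_script_t.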