I created httpd_svn_script_t for this exact purpose, I don't think another one is required.
sendmail_domtrans(httpd_svn_script_t) is the rule then?
Thank you, I will try it.
Sincerely yours,
Vadym Chepkov
--- On Sun, 7/19/09, Dominick Grift <domg472(a)gmail.com> wrote:
From: Dominick Grift <domg472(a)gmail.com>
Subject: Re: add a transition rule
To: "Vadym Chepkov" <chepkov(a)yahoo.com>
Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
Date: Sunday, July 19, 2009, 7:06 AM
On Sat, 2009-07-18 at 20:35 -0700, Vadym Chepkov wrote:
> Hi,
>
> I have a script, executed by apache, which is running in httpd_svn_script_t domain. This script calls svn-mailer (bin_t) which in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t) and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous amount of avc's. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
> And for that matter, if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
Not sure about all this (sesearch and review of source policy might reveal the answer). I am not in my usual location so I cannot verify at the moment, however my personal opinion is that you might as well write some policy yourself to make this happen. Those httpd booleans are generally coarse grained.
If you write a policy for your script, do a transition from httpd_svn_script_t to myscript_t and then allow myscript_t to transition to the mail domain (probably something like sendmail_domtrans(myscript_t)). That way you do not pollute your httpd_svn_script_t domain too much with access vectors that are really meant for your script and not svn.
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
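As an added example (not code from either poster), this is what the separate module Dominick sketches could look like, written with the standard reference-policy interfaces shipped in Fedora's selinux-policy-devel. The module name svnmailer, the types svnmailer_t and svnmailer_exec_t, and the path /usr/bin/svn-mailer are assumptions; the thread only says that svn-mailer is labeled bin_t and that the caller runs in httpd_svn_script_t.

```selinux
# svnmailer.te  (added example; module and type names are assumptions)
policy_module(svnmailer, 1.0)

gen_require(`
    # the Apache SVN script domain already in use on the system
    type httpd_svn_script_t;
')

# A private domain for svn-mailer with its own entrypoint type, so the
# sendmail access vectors do not end up in httpd_svn_script_t itself.
type svnmailer_t;
type svnmailer_exec_t;
application_domain(svnmailer_t, svnmailer_exec_t)
# httpd runs in system_r, so the new domain must be reachable from that role
role system_r types svnmailer_t;

# httpd_svn_script_t executing a file labeled svnmailer_exec_t enters svnmailer_t
domtrans_pattern(httpd_svn_script_t, svnmailer_exec_t, svnmailer_t)

# svnmailer_t executing sendmail_exec_t enters sendmail_t
# (this is the sendmail_domtrans(myscript_t) call from the thread)
sendmail_domtrans(svnmailer_t)

# svnmailer.fc  (assumed path; check where svn-mailer is really installed)
/usr/bin/svn-mailer    --    gen_context(system_u:object_r:svnmailer_exec_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile svnmailer.pp`, `semodule -i svnmailer.pp`, then `restorecon -v /usr/bin/svn-mailer` so the binary actually carries svnmailer_exec_t; without the relabel it stays bin_t and no transition happens. The module only covers the two transitions; whatever else svn-mailer needs (reading the repository, inheriting httpd's descriptors) will show up as AVC denials against svnmailer_t in `ausearch -m avc -ts recent`, and `audit2allow -R` will suggest the matching interface calls to add to the .te file.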