On Fri, 2007-01-26 at 12:54 -0500, Stephen Smalley wrote:
On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
> I'm working on selinux protection for a python script daemon that is
> started inside of an init.d script. Inside the init.d script the python
> daemon is invoked as:
> python myscript.py --daemon --pid=... --log=...
> I'd like to have this process run under its own domain. The worst thing
> I could do is to relabel python with that domain, but that would just be
> really bad and sloppy, and not really an option.
> Another option that I've gotten to work is to use a wrapper shell script
> to invoke the python commands. The init.d script invokes the wrapper
> script, which is labeled with the desired domain.
> But I was wondering of there was another way to get myscript.py to run
> under a specific domain without using an application-specific wrapper.
> Something like 'sedomainexec myappd_t python myscript.py --daemon ...'
> Is the wrapper script my only option?
If myscript.py starts with #!//usr/bin/python -E, then you can just
label the file with an appropriate _exec_t type and have it
automatically transition into its own domain. SELinux supports domain
transitions on scripts (unlike setuid), although naturally you should
only do that when you trust the calling domain.
Of course, this only happens upon direct execution of the script, not
when you just pass it as an argument to python.
You can also use runcon -t to manually launch a program of any kind in a
National Security Agency