On Fri, Jun 7, 2019 at 11:31 AM Marko Rauhamaa <marko(a)pacujo.net <mailto:marko@pacujo.net>> wrote: I have a service I want to start from systemd. The service startup goes like this:    systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t] However, Fedora's SELinux policies prevent prog2 from starting. If I change prog2's label to bin_t or usr_t, the service starts fine. What in Fedora's policies bans antivirus_exec_t from running? Should I introduce a custom policy that allows that startup combination? If so, can you tell me what that rule would look like (or what document would give me the instructions). I already have a simple .te policy so I know the very basics. Or should I just label the file with bin_t and be done with it? Hi Marko, There is a type transition which makes a usr_t prog1 end up in unconfined_service_t domain: # sesearch -T -s init_t -t usr_t -c process type_transition init_t usr_t:process unconfined_service_t; but a transition from antivirus_exec_t is defined only for a bunch of domains: # sesearch -T -t antivirus_exec_t -c process type_transition cluster_t antivirus_exec_t:process antivirus_t; type_transition condor_startd_t antivirus_exec_t:process antivirus_t; type_transition crond_t antivirus_exec_t:process antivirus_t; type_transition exim_t antivirus_exec_t:process antivirus_t; type_transition glusterd_t antivirus_exec_t:process antivirus_t; type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t; type_transition httpd_t antivirus_exec_t:process antivirus_t; type_transition init_t antivirus_exec_t:process antivirus_t; type_transition initrc_t antivirus_exec_t:process antivirus_t; type_transition kdumpctl_t antivirus_exec_t:process antivirus_t; type_transition mscan_t antivirus_exec_t:process antivirus_t; type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t; type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t; type_transition procmail_t antivirus_exec_t:process antivirus_t; type_transition system_cronjob_t antivirus_exec_t:process antivirus_t; BTW, this is not a sysadmin question. Rather it's a product installation question; the product should work out of the box on Fedora. The proper way how to start a service is using a service unit, in that case it works out of the box. We cannot however suggest any solution without further information about your setup.

Marko _______________________________________________ selinux mailing list -- selinux(a)lists.fedoraproject.org <mailto:selinux@lists.fedoraproject.org> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org <mailto:selinux-leave@lists.fedoraproject.org> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject... -- Zdenek Pytela SELinux product owner and Senior software engineer, Security technologies E-mail: zpytela(a)redhat.com <mailto:zpytela@redhat.com>, IRC: zpytela _______________________________________________ selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...