On Fri, Jun 7, 2019 at 11:31 AM Marko Rauhamaa <marko(a)pacujo.net> wrote:
> I have a service I want to start from systemd. The service startup goes
> like this:
>
> systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
>
> However, Fedora's SELinux policies prevent prog2 from starting. If I
> change prog2's label to bin_t or usr_t, the service starts fine.
>
> What in Fedora's policies bans antivirus_exec_t from running?
>
> Should I introduce a custom policy that allows that startup combination?
> If so, can you tell me what that rule would look like (or what document
> would give me the instructions). I already have a simple .te policy so I
> know the very basics.
>
> Or should I just label the file with bin_t and be done with it?
Hi Marko,
There is a type transition which makes a usr_t prog1 end up in
unconfined_service_t domain:
# sesearch -T -s init_t -t usr_t -c process
type_transition init_t usr_t:process unconfined_service_t;
but a transition from antivirus_exec_t is defined only for a bunch of
domains:
# sesearch -T -t antivirus_exec_t -c process
type_transition cluster_t antivirus_exec_t:process antivirus_t;
type_transition condor_startd_t antivirus_exec_t:process antivirus_t;
type_transition crond_t antivirus_exec_t:process antivirus_t;
type_transition exim_t antivirus_exec_t:process antivirus_t;
type_transition glusterd_t antivirus_exec_t:process antivirus_t;
type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t;
type_transition httpd_t antivirus_exec_t:process antivirus_t;
type_transition init_t antivirus_exec_t:process antivirus_t;
type_transition initrc_t antivirus_exec_t:process antivirus_t;
type_transition kdumpctl_t antivirus_exec_t:process antivirus_t;
type_transition mscan_t antivirus_exec_t:process antivirus_t;
type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t;
type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t;
type_transition procmail_t antivirus_exec_t:process antivirus_t;
type_transition system_cronjob_t antivirus_exec_t:process antivirus_t;
> BTW, this is not a sysadmin question. Rather it's a product installation
> question; the product should work out of the box on Fedora.
The proper way to start a service is using a service unit; in that case
it works out of the box. We cannot, however, suggest any solution without
further information about your setup.
> Marko
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Zdenek Pytela
SELinux product owner and Senior software engineer, Security technologies
E-mail: zpytela(a)redhat.com, IRC: zpytela
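As an added illustration (not part of this thread, and not a tool either participant uses), the script below parses the two sesearch listings quoted in the reply and walks the startup chain from the question, reporting at which exec step the printed type_transition rules run out. With those rules, init_t executing usr_t lands in unconfined_service_t, and no rule maps unconfined_service_t executing antivirus_exec_t to antivirus_t, whereas init_t executing antivirus_exec_t directly does have one. The rule text is a constructed copy of the listing above; whether the execution is then permitted or denied depends on allow rules the thread does not show, so the on-system result should be confirmed against the audit log before changing labels or writing policy.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the two sesearch listings quoted in the reply above.
# Only the rule lines are kept; the "# sesearch ..." command lines are omitted.
SESEARCH_OUTPUT = """\
type_transition init_t usr_t:process unconfined_service_t;
type_transition cluster_t antivirus_exec_t:process antivirus_t;
type_transition condor_startd_t antivirus_exec_t:process antivirus_t;
type_transition crond_t antivirus_exec_t:process antivirus_t;
type_transition exim_t antivirus_exec_t:process antivirus_t;
type_transition glusterd_t antivirus_exec_t:process antivirus_t;
type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t;
type_transition httpd_t antivirus_exec_t:process antivirus_t;
type_transition init_t antivirus_exec_t:process antivirus_t;
type_transition initrc_t antivirus_exec_t:process antivirus_t;
type_transition kdumpctl_t antivirus_exec_t:process antivirus_t;
type_transition mscan_t antivirus_exec_t:process antivirus_t;
type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t;
type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t;
type_transition procmail_t antivirus_exec_t:process antivirus_t;
type_transition system_cronjob_t antivirus_exec_t:process antivirus_t;
"""

# One "process" type_transition rule as printed by sesearch -T.
TRANSITION_RE = re.compile(
    r"^type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):process\s+(?P<dst>\S+);$"
)


def parse_type_transitions(text: str) -> Dict[Tuple[str, str], str]:
    """Map (source domain, executable type) -> resulting domain for every
    process type_transition rule found in the sesearch output."""
    rules: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = TRANSITION_RE.match(line.strip())
        if m:
            rules[(m.group("src"), m.group("tgt"))] = m.group("dst")
    return rules


def walk_exec_chain(
    rules: Dict[Tuple[str, str], str], start_domain: str, exec_types: List[str]
) -> List[Tuple[str, str, Optional[str]]]:
    """Execute each file type in order, starting in start_domain.
    When a rule exists the process moves to the rule's target domain; when
    none exists the process keeps its current domain and the step records
    None, which is where the printed rules stop explaining the chain."""
    steps: List[Tuple[str, str, Optional[str]]] = []
    domain = start_domain
    for exec_type in exec_types:
        new_domain = rules.get((domain, exec_type))
        steps.append((domain, exec_type, new_domain))
        if new_domain is not None:
            domain = new_domain
    return steps


def missing_links(
    steps: List[Tuple[str, str, Optional[str]]]
) -> List[Tuple[str, str]]:
    """Return the (domain, exec_type) pairs that have no transition rule."""
    return [(src, exec_type) for src, exec_type, dst in steps if dst is None]


def main() -> None:
    rules = parse_type_transitions(SESEARCH_OUTPUT)
    # The chain from the question: systemd (init_t) -> prog1 (usr_t) -> prog2 (antivirus_exec_t)
    chain = walk_exec_chain(rules, "init_t", ["usr_t", "antivirus_exec_t"])
    for src, exec_type, dst in chain:
        print(f"{src} exec {exec_type} -> {dst or '(no type_transition rule)'}")
    for src, exec_type in missing_links(chain):
        print(f"chain breaks: no rule for {src} executing {exec_type}")
    # For comparison, init_t executing antivirus_exec_t directly does have a rule.
    print("direct:", walk_exec_chain(rules, "init_t", ["antivirus_exec_t"]))


if __name__ == "__main__":
    main()
```

On a live system the same walk can be fed real data by replacing the constructed string with the output of the two sesearch commands quoted in the reply; the parser only relies on the one-rule-per-line format those commands print.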