Hi,
My policy is very simplistic
local.te

apache_content_template(svn)
domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t)

local.fc

# svn
/var/svn(/.*)?                  gen_context(system_u:object_r:httpd_svn_script_ro_t,s0)
/var/svn/(.*/)?hooks(/.*)?      gen_context(system_u:object_r:httpd_svn_script_exec_t,s0)
/var/svn/(.*/)?dav(/.*)?        gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?locks(/.*)?      gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?db(/.*)?         gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)

Works well
Sincerely yours,
Vadym Chepkov
--- On Tue, 7/28/09, Paul Howarth <paul(a)city-fan.org> wrote:
From: Paul Howarth <paul(a)city-fan.org>
Subject: Re: add a transition rule
To: "Vadym Chepkov" <chepkov(a)yahoo.com>
Cc: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
Date: Tuesday, July 28, 2009, 9:46 AM
Hi Vadym,
On 19/07/09 04:35, Vadym Chepkov wrote:
> I have a script, executed by apache, which is running in httpd_svn_script_t domain. This script calls svn-mailer(bin_t) which in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get humongous amount of avc's. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
> And for that matter if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
>
> Sincerely yours,
> Vadym Chepkov
I'm just back off vacation and saw your email. Funnily
enough I wrote an svnmailer policy a few weeks ago, so it
would be interesting to compare notes:
I've actually split it into two modules, svnmailer for the
policy itself, and svnmailer-extras for additional
interfaces needed in other policy modules. I find this
arrangement is easier to manage when getting policy merged
upstream.
I made my hook scripts httpd_sys_script_exec_t and
transition from there to httpd_svnmailer_script_t via a
domtrans. The svn repository itself is
httpd_sys_content_rw_t.
Paul.
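
The symptom in the quoted question (sendmail running in httpd_svn_script_t rather than sendmail_t) can be checked from the audit log before and after loading a transition rule. The Python below is an added example, not code from either poster; the log lines are constructed, and EXPECTED_DOMAIN and triage() are hypothetical names introduced here.

```python
import re
from collections import Counter

# Program name -> domain it should run in. The sendmail/sendmail_t pair is
# from the thread; keeping it in a lookup table is this example's assumption.
EXPECTED_DOMAIN = {"sendmail": "sendmail_t"}

# Constructed audit.log lines for illustration, not captured output.
SAMPLE_LOG = """\
type=AVC msg=audit(1248000001.101:501): avc:  denied  { read } for  pid=4101 comm="sendmail" name="submit.cf" dev=dm-0 ino=1101 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1248000001.102:502): avc:  denied  { write } for  pid=4101 comm="sendmail" name="clientmqueue" dev=dm-0 ino=1102 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1248000090.201:610): avc:  denied  { getattr } for  pid=4210 comm="sendmail" path="/var/svn/repo/db/current" dev=dm-0 ino=1201 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:httpd_svn_script_rw_t:s0 tclass=file
type=AVC msg=audit(1248000095.301:620): avc:  denied  { write } for  pid=4300 comm="svn-mailer" name="mailer.conf" dev=dm-0 ino=1301 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:httpd_svn_script_ro_t:s0 tclass=file
type=SYSCALL msg=audit(1248000095.301:620): arch=c000003e syscall=2 success=no comm="sendmail"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def triage(log_text, expected=EXPECTED_DOMAIN):
    """Split AVC denials into those raised by a program running outside its
    expected domain (a missing transition) and all other denials."""
    misplaced, other = Counter(), Counter()
    for m in AVC_RE.finditer(log_text):
        comm, domain = m["comm"], context_type(m["scon"])
        want = expected.get(comm)
        if want is not None and domain != want:
            misplaced[(comm, domain, want)] += 1
        else:
            other[(domain, context_type(m["tcon"]), m["tclass"], m["perms"])] += 1
    return misplaced, other


if __name__ == "__main__":
    misplaced, other = triage(SAMPLE_LOG)
    for (comm, domain, want), n in misplaced.items():
        print(f"{n} denials: {comm} runs in {domain}, expected {want}")
    print(f"{sum(other.values())} other denials need a separate review")
```

Denials counted as misplaced point at a missing domain transition and should not be answered with allow rules for the calling domain; the remaining ones are reviewed on their own.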