On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> Hi,
>
> Last night I got a nasty surprise from selinux. I am using winbind for external
authentication and since it has history of failures I have a simple watchdog implemented
to check the status and restart it if necessary. That is what happened last night and as
a law abiding selinux citizen I used 'service winbind restart', but it seems the
proper domain transitions is missing and winbind was started in system_cronjob_t domain
instead of winbind_t and none of other domains could connect to it.
>
> I think jobs running from cron should be granted the same transition rules as from
unconfined_t.
>
> I will file bugzilla report about it, but could somebody help me with modifying my
local policy until/if it gets implemented, please? Thank you.
>
> Sincerely yours,
> Vadym Chepkov
A domain transition would be:
policy_module(mywinbind, 0.0.1)
require { type system_cronjob_t, winbind_exec_t, winbind_t; }
domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
Can you show us the full raw avc denial?
But personally would deal with this in a different way. I would write
policy for the script that restarts winbind and then i would create a
domain transition for the domain in which the script runs to winbind_t.
Mainly because i wouldnt want to extend/modify system_cronjob_t
So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t
-> winbind_t
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-selinux-list