Help with domain transitions

David Hampton hampton at employees.org
Thu Jan 27 02:25:50 UTC 2005


I'm having trouble getting exim to consistently transition domains so I
can work on a new policy.  I'm probably overlooking something simple
here, but I can't figure out what.

I started with the targeted policy on an up-to-date FC3 system.  In my
new exim.te file, I have a daemon_domain(exim, ...) declaration, which
yields (among other things) the following in the policy.conf file when I
run make:

type exim_exec_t, file_type, sysadmfile, exec_type;
allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow sysadm_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow initrc_t exim_exec_t:file { read { getattr execute } };
allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
allow exim_t exim_exec_t:file entrypoint;
type_transition initrc_t exim_exec_t:process exim_t;

The executable is correctly labeled:

-rwsr-xr-x root root system_u:object_r:exim_exec_t /usr/sbin/exim

I have run 'make reload', and /var/log/messages shows that the new
policy file was loaded.  However, when I run exim it still always ends
up in the unconfined_t domain.  It doesn't matter if I use 'service exim
restart', 'run_init service exim restart', or start exim by hand.

If I do a 'make fixfiles' then everything starts working as expected,
and all three ways of starting exim cause the transition to occur into
the exim_t domain.

Perhaps this is because I forcefully (rpm -U --force) reinstalled the
selinux-policy-targeted RPM the other night after I finished testing
things?  Something's definitely fubar on my system.

David
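Added example, not part of the post above: a small checker for the pieces a domain transition needs (source domain may execute the entrypoint file, target domain has entrypoint on it, source may transition to target, plus the type_transition that makes it automatic). Run over the rules quoted in the post (constructed sample, with the two wrapped lines rejoined), it reports the process transition permission as absent from the excerpt; the post shows only part of what daemon_domain() generates, and the full policy.conf must also carry `allow initrc_t exim_t:process transition;` for the transition to be permitted.

```python
import re

# Constructed sample: the policy.conf rules quoted in the post, with the two
# wrapped "allow" lines rejoined so that each rule sits on one line.
POLICY_EXCERPT = """
type exim_exec_t, file_type, sysadmfile, exec_type;
allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
allow sysadm_t exim_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
allow initrc_t exim_exec_t:file { read { getattr execute } };
allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
allow exim_t exim_exec_t:file entrypoint;
type_transition initrc_t exim_exec_t:process exim_t;
"""

RULE_RE = re.compile(r"^(allow|type_transition)\s+(\S+)\s+(\S+):(\S+)\s+(.+?)\s*;$")

def parse_rules(text):
    """Collect allow rules as (source, target, class) -> set of permissions and
    type_transition rules as (source, target, class) -> default type.
    Nested brace sets left over from m4 macro expansion are flattened."""
    allows, transitions = {}, {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # type declarations and anything else are not needed here
        kind, src, tgt, cls, rest = m.groups()
        if kind == "allow":
            allows.setdefault((src, tgt, cls), set()).update(re.findall(r"\w+", rest))
        else:
            transitions[(src, tgt, cls)] = rest
    return allows, transitions

def check_transition(text, src, exe, dst):
    """Report which pieces of a src -> dst domain transition via exe are present.
    The first three are required for any transition at all; type_transition makes
    it happen automatically instead of only when the caller requests it."""
    allows, transitions = parse_rules(text)
    return {
        "execute": "execute" in allows.get((src, exe, "file"), set()),
        "entrypoint": "entrypoint" in allows.get((dst, exe, "file"), set()),
        "process_transition": "transition" in allows.get((src, dst, "process"), set()),
        "type_transition": transitions.get((src, exe, "process")) == dst,
    }

def missing(text, src, exe, dst):
    """Names of the pieces that the given rules do not provide."""
    return [k for k, ok in check_transition(text, src, exe, dst).items() if not ok]

if __name__ == "__main__":
    print(missing(POLICY_EXCERPT, "initrc_t", "exim_exec_t", "exim_t"))
```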
