Help with domain transitions
David Hampton
hampton at employees.org
Thu Jan 27 02:25:50 UTC 2005
I'm having trouble getting exim to consistently transition domains so I
can work on a new policy. I'm probably overlooking something simple
here, but I can't figure out what.

I started with the targeted policy on an up to date FC3 system. In my
new exim.te file, I have a daemon_domain(exim, ...) declaration, which
yields (among other things) the following in the policy.conf file when I
run make:

    type exim_exec_t, file_type, sysadmfile, exec_type;
    allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
    allow sysadm_t exim_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
    allow initrc_t exim_exec_t:file { read { getattr execute } };
    allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
    allow exim_t exim_exec_t:file entrypoint;
    type_transition initrc_t exim_exec_t:process exim_t;

The executable is correctly labeled:

    -rwsr-xr-x root root system_u:object_r:exim_exec_t /usr/sbin/exim

I have run 'make reload', and /var/log/messages shows that the new
policy file was loaded. However, when I run exim it still always ends
up in the unconfined_t domain. It doesn't matter if I use 'service exim
restart', 'run_init service exim restart', or start exim by hand.

If I do a 'make fixfiles' then everything starts working as expected,
and all three ways of starting exim cause the transition to occur into
the exim_t domain.

Perhaps this is because I forcefully (rpm -U --force) reinstalled the
selinux-policy-targeted RPM the other night after I finished testing
things? Something's definitely fubar on my system.

David
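
An added example, not part of the original message: a small checker that parses policy.conf-style rules and reports which pieces of an SELinux domain transition are present (the type_transition rule, execute on the entrypoint file, entrypoint for the new domain, and process transition). The sample input is constructed from the lines quoted above only, so a False result means the rule is absent from that excerpt, not from the full policy; the function names are hypothetical.

```python
import re

# Constructed sample: only the policy.conf lines quoted in the message.
POLICY = """
type exim_exec_t, file_type, sysadmfile, exec_type;
allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
allow sysadm_t exim_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
allow initrc_t exim_exec_t:file { read { getattr execute } };
allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
allow exim_t exim_exec_t:file entrypoint;
type_transition initrc_t exim_exec_t:process exim_t;
"""

RULE = re.compile(r"(allow|type_transition)\s+(\w+)\s+(\w+):(\w+)\s+([^;]+);")

def parse(policy):
    """Return (allow tuples (src, tgt, class, perm), transitions (src, exec_type, new))."""
    allows, transitions = set(), set()
    for kind, src, tgt, cls, rest in RULE.findall(policy):
        if kind == "allow":
            # Nested braces only group permissions, so flatten them.
            for perm in rest.replace("{", " ").replace("}", " ").split():
                allows.add((src, tgt, cls, perm))
        elif cls == "process":
            transitions.add((src, tgt, rest.strip()))
    return allows, transitions

def check_transition(policy, src, exec_type, new):
    """Report each requirement for src to enter `new` by executing exec_type."""
    allows, transitions = parse(policy)
    return {
        "type_transition": (src, exec_type, new) in transitions,
        "execute": (src, exec_type, "file", "execute") in allows,
        "entrypoint": (new, exec_type, "file", "entrypoint") in allows,
        "process_transition": (src, new, "process", "transition") in allows,
    }

if __name__ == "__main__":
    for src in ("initrc_t", "sysadm_t"):
        print(src, check_transition(POLICY, src, "exim_exec_t", "exim_t"))
```

Running it against a complete policy.conf instead of the excerpt shows whether the remaining rules generated by the macro are actually in the built policy.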