add a transition rule
Paul Howarth
paul at city-fan.org
Tue Jul 28 13:46:47 UTC 2009
Hi Vadym,
On 19/07/09 04:35, Vadym Chepkov wrote:
> I have a script, executed by apache, which is running in httpd_svn_script_t domain. This script calls svn-mailer(bin_t) which in turn calls /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous amount of avc's. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
> And for that matter if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
>
> Sincerely yours,
> Vadym Chepkov

I'm just back off vacation and saw your email. Funnily enough I wrote an
svnmailer policy a few weeks ago, so it would be interesting to compare
notes:

I've actually split it into two modules, svnmailer for the policy
itself, and svnmailer-extras for additional interfaces needed in other
policy modules. I find this arrangement is easier to manage when getting
policy merged upstream.

I made my hook scripts httpd_sys_script_exec_t and transition from there
to httpd_svnmailer_script_t via a domtrans. The svn repository itself is
httpd_sys_content_rw_t.

Paul.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer.fc
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090728/9e8fd3e0/attachment.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer.if
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090728/9e8fd3e0/attachment-0001.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer.te
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090728/9e8fd3e0/attachment-0002.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer-extras.fc
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090728/9e8fd3e0/attachment-0003.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer-extras.if
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090728/9e8fd3e0/attachment-0004.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: svnmailer-extras.te
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20090728/9e8fd3e0/attachment-0005.pl
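
Added example (not part of the original message, and not the scrubbed svnmailer policy attached to it): a minimal local policy module for the transition asked about in the quoted question, using the type names given there. The module name local_svnmail is an assumption, and the three types are assumed to exist in the loaded policy.

```selinux
# local_svnmail.te -- added example; the module name is hypothetical.
policy_module(local_svnmail, 1.0.0)

# Types taken from the quoted question; they must already be defined
# by the policy modules loaded on the system.
gen_require(`
	type httpd_svn_script_t;
	type sendmail_exec_t;
	type sendmail_t;
')

# Automatic domain transition. svn-mailer is labelled bin_t and has no
# transition of its own, so it is still running in httpd_svn_script_t
# when it executes the sendmail binary. This reference policy pattern:
#   - lets httpd_svn_script_t execute files labelled sendmail_exec_t
#   - allows the process transition httpd_svn_script_t -> sendmail_t
#   - adds the type_transition rule that makes sendmail_t the default
#     domain for that exec, so the caller needs no setexeccon() call
#   - lets sendmail_t use the file descriptors and pipes it inherits
#     from the caller and send SIGCHLD back to it
domtrans_pattern(httpd_svn_script_t, sendmail_exec_t, sendmail_t)

# Build and load with the policy development Makefile:
#   make -f /usr/share/selinux/devel/Makefile local_svnmail.pp
#   semodule -i local_svnmail.pp
#
# Confirm the transition rule is present in the loaded policy:
#   sesearch -T -s httpd_svn_script_t -t sendmail_exec_t
```

Denials logged after the module is loaded should name sendmail_t rather than httpd_svn_script_t as the source context for the mailer's own accesses; any that remain are separate permissions and are not covered by this module.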