I need a script invoked from procmail_t to run unconfined.

Robert Nichols rnicholsNOSPAM at comcast.net
Thu May 2 21:53:22 UTC 2013


On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
> I would go a different way and create a new domain, procmail_unconfined_t,
> and make that domain an unconfined domain.
>
> # cat myprocmail.te
>
> require{
>   type procmail_t;
> }
>
> type procmail_unconfined_exec_t;
> application_executable_file(procmail_unconfined_exec_t)
>
> optional_policy(`
>      type procmail_unconfined_t;
>      domain_type(procmail_unconfined_t)
>
>      domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
>      role system_r types procmail_unconfined_t;
>
>      domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
>
>      allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
>      allow procmail_t procmail_unconfined_exec_t:file read_file_perms;
>      allow procmail_t procmail_unconfined_exec_t:file ioctl;
>
>      init_domtrans_script(procmail_unconfined_t)
>
>      optional_policy(`
>          unconfined_domain(procmail_unconfined_t)
>      ')
> ')
>
> # make -f /usr/share/selinux/devel/Makefile myprocmail.pp
> # semodule -i myprocmail.pp
> # chcon -t procmail_unconfined_exec_t PATH_TO_YOUR_SCRIPTS

Thanks, I _think_ that's basically what I ended up doing.
[copied from my previous post]:

     policy_module(procmail_uncon, 1.0.18)

     gen_require(`
         type unconfined_t;
         type unconfined_exec_t;
         type procmail_t;
         role system_r;
     ')

     type my_uncon_exec_t;
     files_type(my_uncon_exec_t)

     allow procmail_t unconfined_t : process { transition sigchld };
     domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
     role system_r types unconfined_t;

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
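As an added check that is not part of this thread: once a module like Miroslav's is loaded with `semodule -i`, a script like this confirms that the loaded policy really contains the `procmail_t -> procmail_unconfined_t` transition and the `entrypoint` permission, and that the script's label will survive a relabel. It assumes the type names from Miroslav's module, setools' `sesearch`, and `matchpathcon`; the `sesearch` output lines used to exercise the parsers are constructed samples.

```shell
#!/bin/sh
# Added verification helper, not code from the thread. Assumes the type names
# from the procmail_unconfined module, `sesearch` (setools) and `matchpathcon`.

# Does `sesearch -T` output (on stdin) contain the domain transition
# SRC -> NEWDOM on execution of a file of type EXEC_T? Tolerates the spacing
# difference between setools 3 ("exec_t : process") and setools 4 ("exec_t:process").
has_domtrans() { # $1=SRC $2=EXEC_T $3=NEWDOM
    grep -Eq "^[[:space:]]*type_transition[[:space:]]+$1[[:space:]]+$2[[:space:]]*:[[:space:]]*process[[:space:]]+$3[[:space:]]*;"
}

# Does `sesearch -A` output (on stdin) grant NEWDOM the entrypoint permission on
# EXEC_T? Without it the kernel refuses the transition even if the
# type_transition rule exists.
has_entrypoint() { # $1=NEWDOM $2=EXEC_T
    grep -Eq "^[[:space:]]*allow[[:space:]]+$1[[:space:]]+$2[[:space:]]*:[[:space:]]*file[[:space:]]+.*entrypoint"
}

# Live check against the loaded policy for one script path (needs SELinux tools).
check_script() { # $1=path to the script procmail will run
    src=procmail_t; exec_t=procmail_unconfined_exec_t; dom=procmail_unconfined_t
    sesearch -T -s "$src" -t "$exec_t" -c process | has_domtrans "$src" "$exec_t" "$dom" \
        || { echo "missing type_transition $src -> $dom on $exec_t"; return 1; }
    sesearch -A -s "$dom" -t "$exec_t" -c file -p entrypoint | has_entrypoint "$dom" "$exec_t" \
        || { echo "missing entrypoint for $dom on $exec_t"; return 1; }
    # chcon is lost on relabel: the label must also come from the file-context DB.
    matchpathcon -n "$1" | grep -Eq ":$exec_t(:|$)" \
        || { echo "$1 has no persistent $exec_t context (semanage fcontext + restorecon)"; return 1; }
    echo "ok: $1 will run as $dom"
}

# Only touch the live policy when a path is given, e.g.: ./check.sh /usr/local/bin/filter
if [ $# -gt 0 ]; then
    check_script "$1"
fi
```

To make the label persistent instead of relying on `chcon`, record it with `semanage fcontext -a -t procmail_unconfined_exec_t '/path/to/script'` and apply it with `restorecon -v /path/to/script`.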


