I need a script invoked from procmail_t to run unconfined.

Daniel J Walsh dwalsh at redhat.com
Mon May 6 16:40:14 UTC 2013



On 05/02/2013 05:53 PM, Robert Nichols wrote:
> On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
>> I would go a different way and create a new domain,
>> procmail_unconfined_t, and make that domain an unconfined domain.
>> 
>> # cat myprocmail.te
>> # policy_module() header added so the devel Makefile can build the module
>> policy_module(myprocmail, 1.0)
>> 
>> require {
>>     type procmail_t;
>> }
>> 
>> # Entrypoint type for the script(s) that should run unconfined
>> type procmail_unconfined_exec_t;
>> application_executable_file(procmail_unconfined_exec_t)
>> 
>> optional_policy(`
>>     # Dedicated domain for the script, distinct from unconfined_t
>>     type procmail_unconfined_t;
>>     domain_type(procmail_unconfined_t)
>>     domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
>>     role system_r types procmail_unconfined_t;
>> 
>>     # procmail_t executing a procmail_unconfined_exec_t file enters the new domain
>>     domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
>> 
>>     allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
>>     allow procmail_t procmail_unconfined_exec_t:dir read_file_perms;
>>     allow procmail_t procmail_unconfined_exec_t:file ioctl;
>> 
>>     init_domtrans_script(procmail_unconfined_t)
>> 
>>     optional_policy(`
>>         # Grant the new domain unconfined access
>>         unconfined_domain(procmail_unconfined_t)
>>     ')
>> ')
>> 
>> # make -f /usr/share/selinux/devel/Makefile myprocmail.pp
>> # sudo semodule -i myprocmail.pp
>> # chcon -t procmail_unconfined_exec_t PATH_TO_YOUR_SCRIPTS
> 
> Thanks, I _think_ that's basically what I ended up doing. [copied from my
> previous post]:
> 
> policy_module(procmail_uncon, 1.0.18)
> 
> gen_require(`
>     type unconfined_t;
>     type unconfined_exec_t;
>     type procmail_t;
>     role system_r;
> ')
> 
> # Entrypoint type for the script; no new domain is defined
> type my_uncon_exec_t;
> files_type(my_uncon_exec_t)
> 
> # Executing a my_uncon_exec_t file from procmail_t transitions straight to unconfined_t
> allow procmail_t unconfined_t:process { transition sigchld };
> domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
> role system_r types unconfined_t;
> 
One difference between what Miroslav showed and what you did is that your new
domain is now unconfined_t and might transition to another domain, whereas
his would not. Also, any confined domain that was allowed to communicate with
unconfined_t would be able to communicate with your domain.  They would not in
Miroslav's case.