I need a script invoked from procmail_t to run unconfined.
Daniel J Walsh
dwalsh at redhat.com
Mon May 6 16:40:14 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/02/2013 05:53 PM, Robert Nichols wrote:
> On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
>> I would go with a different way and create a new domain -
>> procmail_unconfined_t and make this domain as unconfined domain.
>>
>> # cat myprocmail.te
>>
>> require{ type procmail_t; }
>>
>> type procmail_unconfined_exec_t;
>> application_executable_file(procmail_unconfined_exec_t)
>>
>> optional_policy(` type procmail_unconfined_t;
>> domain_type(procmail_unconfined_t)
>>
>> domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t) role
>> system_r types procmail_unconfined_t;
>>
>> domtrans_pattern(procmail_t, procmail_unconfined_exec_t,
>> procmail_unconfined_t)
>>
>> allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms; allow
>> procmail_t procmail_unconfined_exec_t:dir read_file_perms; allow
>> procmail_t procmail_unconfined_exec_t:file ioctl;
>>
>> init_domtrans_script(procmail_unconfined_t)
>>
>> optional_policy(` unconfined_domain(procmail_unconfined_t) ') ')
>>
>> # make -f /usr/share/selinux/devel/Makefile mytest.pp # sudo semodule -i
>> mytest.pp # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
>
> Thanks, I _think_ that's basically what I ended up doing. [copied from my
> previous post]:
>
> policy_module(procmail_uncon, 1.0.18)
>
> gen_require(` type unconfined_t; type unconfined_exec_t; type procmail_t;
> role system_r; ')
>
> type my_uncon_exec_t; files_type(my_uncon_exec_t)
>
> allow procmail_t unconfined_t : process { transition sigchld };
> domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t) role system_r
> types unconfined_t;
>
One difference between what Miroslav showed and you did, was that your new
domain is now unconfined_t and might transition to another domain. Whereas
his would not, also any confined domain that was allowed to communicate with
unconfined_t would be able t communicate with your domain. They would not in
Mirsoslav's case.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGH3O4ACgkQrlYvE4MpobPDYgCg0pG3QjowSA7IBtO7bPWbtPE/
0DYAnixwgQGHczETRP1V5R6h7Kwpihbi
=8fXY
-----END PGP SIGNATURE-----
More information about the selinux
mailing list