how to transition a daemon to its own domain

jiun bookworm thebookworm101 at gmail.com
Fri Jan 17 07:39:52 UTC 2014


I have been attempting to get my app to transition to a different domain
unsuccessfully.
What is wrong with the following:

###############################TE file #############
########################################
#
# Declarations
#

require {
        type initrc_t;
}

type myapp_t;
type myapp_unit_file_t;
init_daemon_domain(myapp_t, myapp_unit_file_t);
allow initrc_t myapp_unit_file_t : file { read getattr execute open } ;
allow initrc_t myapp_unit_file_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;

type myapp_exec_t;
files_type(myapp_exec_t);

allow initrc_t myapp_exec_t : file { read getattr execute open } ;
allow initrc_t myapp_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;


allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)
#####################################################
########################END OF TE

#######################~INTERFACE#######
## <summary>policy for myapp</summary>

########################################
## <summary>
##      Execute TEMPLATE in the myapp domain.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`myapp_domtrans',`
        gen_require(`
                type myapp_t, myapp_exec_t;
        ')

        corecmd_search_bin($1)
        domtrans_pattern($1, myapp_exec_t, myapp_t)
##############################################
########################END OF INTERFACE#######################

and the other :

/appcl/myapp/apiservice.py               --      gen_context(system_u:object_r:myapp_exec_t,s0)
/usr/lib/systemd/system/myapp.service    --      gen_context(system_u:object_r:myapp_unit_file_t,s0)


Unfortunately it remains in init_t rather than transitioning to myapp_t,
which is my intention, but I'm wrong somewhere. Any help will be
appreciated.
Here is some debug info:

# sesearch --allow -t myapp_t | grep transition
   allow initrc_t myapp_t : process { transition siginh } ;
   allow myapp_domain daemon : process transition ;

And there are no AVC denials in the logs. What do I do to correct this?

----------------another question -------only for the patient---------------
For those who like reading a lot, here is where I'm going with this:
My aim is to have the service interact over the network at a certain
unprivileged port, and I can interact with it over some REST interface,
and it can call some other programs with untrusted data and give back
results.
So far I was able to isolate different processes that are launched by the
app from each other by using MCS and using runcon to set the level.
Unfortunately everything is still running as
system_u:system_r:init_t:s0:cX,cY. How can I have the child process run
with lower SELinux privileges? Like maybe:
system_u:system_r:sandbox_t:s0:cX,cY,
or another equivalent of sandbox? If I try
system_u:system_r:sandbox_t:s0:cX,cY I get an
invalid context error.

Jiun
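
Added example, not part of the original post: a small Python check that reads `sesearch --allow` style lines and lists which of the three allow rules a domain transition needs are absent for a given source domain. The sample input is constructed from the rules written out in the post; whatever the policy macros expand to is not included, and the function names are this example's own.

```python
import re

# Matches: allow SRC TGT : CLASS { perm ... } ;   or with a single bare perm
RULE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_allow(text):
    """Return {(source, target, class): set(perms)} from sesearch-style text."""
    rules = {}
    for m in RULE.finditer(text):
        src, tgt, cls, multi, single = m.groups()
        rules.setdefault((src, tgt, cls), set()).update((multi or single).split())
    return rules

def missing_for_transition(rules, source, exec_type, target):
    """List the allow rules a source -> target transition via exec_type lacks.

    Attributes (e.g. myapp_domain, daemon) are not expanded, and the
    type_transition rule an automatic transition also needs is not checked.
    """
    needed = [
        (source, exec_type, "file", "execute"),      # source may run the file
        (source, target, "process", "transition"),   # source may change domain
        (target, exec_type, "file", "entrypoint"),   # file may enter the target
    ]
    return [f"allow {s} {t}:{c} {p};" for s, t, c, p in needed
            if p not in rules.get((s, t, c), set())]

# Constructed sample: the hand-written rules and sesearch lines from the post.
SAMPLE = """
allow initrc_t myapp_exec_t : file { read getattr execute open } ;
allow initrc_t myapp_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;
allow myapp_domain daemon : process transition ;
"""

if __name__ == "__main__":
    rules = parse_allow(SAMPLE)
    # init_t is the domain the post reports the process staying in.
    for source in ("init_t", "initrc_t"):
        print(source, "->", missing_for_transition(
            rules, source, "myapp_exec_t", "myapp_t") or "nothing missing")
```

Run it against the full `sesearch --allow` output of the loaded policy, with the source set to the domain the parent process actually runs in, to see which rule is absent.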