List: fedora-selinux-list
Subject: Re: I need a script invoked from procmail_t to run unconfined.
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2013-05-07 14:10:03
Message-ID: 51890B3B.70107 () redhat ! com
On 05/07/2013 09:42 AM, Robert Nichols wrote:
> On 05/06/2013 11:40 AM, Daniel J Walsh wrote:
>> On 05/02/2013 05:53 PM, Robert Nichols wrote:
>>> On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
>>>> I would go with a different way and create a new domain -
>>>> procmail_unconfined_t and make this domain as unconfined domain.
>>>>
>>>> # cat myprocmail.te
>>>>
>>>> require {
>>>>     type procmail_t;
>>>> }
>>>>
>>>> type procmail_unconfined_exec_t;
>>>> application_executable_file(procmail_unconfined_exec_t)
>>>>
>>>> optional_policy(`
>>>>     type procmail_unconfined_t;
>>>>     domain_type(procmail_unconfined_t)
>>>>     domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t)
>>>>     role system_r types procmail_unconfined_t;
>>>>
>>>>     domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
>>>>
>>>>     allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms;
>>>>     allow procmail_t procmail_unconfined_exec_t:dir read_file_perms;
>>>>     allow procmail_t procmail_unconfined_exec_t:file ioctl;
>>>>
>>>>     init_domtrans_script(procmail_unconfined_t)
>>>>
>>>>     optional_policy(`
>>>>         unconfined_domain(procmail_unconfined_t)
>>>>     ')
>>>> ')
>>>>
>>>> # make -f /usr/share/selinux/devel/Makefile mytest.pp
>>>> # sudo semodule -i mytest.pp
>>>> # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
>>>
>>> Thanks, I _think_ that's basically what I ended up doing. [copied from
>>> my previous post]:
>>>
>>> policy_module(procmail_uncon, 1.0.18)
>>>
>>> gen_require(`
>>>     type unconfined_t;
>>>     type unconfined_exec_t;
>>>     type procmail_t;
>>>     role system_r;
>>> ')
>>>
>>> type my_uncon_exec_t;
>>> files_type(my_uncon_exec_t)
>>>
>>> allow procmail_t unconfined_t : process { transition sigchld };
>>> domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
>>> role system_r types unconfined_t;
>>>
>> One difference between what Miroslav showed and what you did is that your
>> new domain is now unconfined_t and might transition to another domain,
>> whereas his would not. Also, any confined domain that was allowed to
>> communicate with unconfined_t would be able to communicate with your
>> domain. They would not in Miroslav's case.
>
> Then I'll definitely stick with what I've got since it makes everything
> work the same way it does when I invoke procmail from the command line.
> procmail transitions to procmail_t only when invoked from certain other
> confined domains, and that is a large part of what was making my life
> difficult in testing. Now, my script runs the same whether procmail was
> running in domain procmail_t or unconfined_t.
>
Ok, just wanted you to know the differences.
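As an added example (not code from this thread or from the Fedora policy), a small shell script that puts the two differences described above into numbers for a given domain: how many domains it may transition onward to, and how many domains hold process signal permissions on it. It assumes the setools `sesearch` command is installed for live queries and ships a constructed sesearch-style sample so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from this thread: puts Dan's two differences into
# numbers for a domain (onward process transitions it may make; domains holding
# process signal permissions on it, a proxy for "communicate"). Assumes the
# setools 'sesearch' command for live queries; parse functions read stdin.

# Normalise sesearch allow rules (setools 3 or 4 spacing, optional conditional
# suffix) into "source target class perms..." lines.
normalise_rules() {
    sed -n 's/^allow[[:space:]]*//p' \
    | sed 's/[[:space:]]*:[[:space:]]*/ /; s/[[:space:]]*;.*$//'
}

# Domains that $1 may transition to (process:transition, not dyntransition).
transition_targets() {
    normalise_rules | awk -v src="$1" '$1 == src && $3 == "process" {
        for (i = 4; i <= NF; i++) if ($i == "transition") print $2 }' | sort -u
}

# Domains allowed any process:sig* permission (signal, sigkill, sigchld, ...) on $1.
signalling_sources() {
    normalise_rules | awk -v dst="$1" '$2 == dst && $3 == "process" {
        for (i = 4; i <= NF; i++) if ($i ~ /^sig/) print $1 }' | sort -u
}

# Live comparison of one domain against the loaded policy.
audit_domain() {
    outc=$(sesearch -A -s "$1" -c process -p transition | transition_targets "$1" | wc -l)
    inc=$(sesearch -A -t "$1" -c process | signalling_sources "$1" | wc -l)
    printf '%s: may transition to %s domain(s); %s domain(s) may signal it\n' "$1" "$outc" "$inc"
}

# Constructed sesearch-style output for offline use (not from a real policy).
SAMPLE='allow procmail_t procmail_unconfined_t:process transition;
allow procmail_t unconfined_t : process { transition sigchld } ;
allow unconfined_t unconfined_t:process { transition sigchld };
allow unconfined_t user_t:process transition; [ some_bool ]:True
allow logrotate_t unconfined_t:process { signal sigkill };
allow procmail_unconfined_t procmail_unconfined_t:process sigchld;'

if [ "$#" -gt 0 ]; then
    for d in "$@"; do audit_domain "$d"; done
else
    for d in unconfined_t procmail_unconfined_t; do
        printf '%s (sample): transitions to: %s; signalled by: %s\n' "$d" \
            "$(printf '%s\n' "$SAMPLE" | transition_targets "$d" | tr '\n' ' ')" \
            "$(printf '%s\n' "$SAMPLE" | signalling_sources "$d" | tr '\n' ' ')"
    done
fi
```

Run it with one or more domain names (for example the two script domains compared in this thread) to query the loaded policy; with no arguments it reports on the built-in sample.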
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux