I'm having trouble getting exim to consistently transition domains so I
can work on a new policy. I'm probably overlooking something simple
here, but I can't figure out what.
I started with the targeted policy on an up to date FC3 system. In my
new exim.te file, I have a daemon_domain(exim, ...) declaration, which
yields (among other things) the following in the policy.conf file when I
run make:
type exim_exec_t, file_type, sysadmfile, exec_type;
allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow sysadm_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow initrc_t exim_exec_t:file { read { getattr execute } };
allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
allow exim_t exim_exec_t:file entrypoint;
type_transition initrc_t exim_exec_t:process exim_t;
The executable is correctly labeled:
-rwsr-xr-x root root system_u:object_r:exim_exec_t /usr/sbin/exim
I have run 'make reload', and /var/log/messages shows that the new
policy file was loaded. However, when I run exim it still always ends
up in the unconfined_t domain. It doesn't matter if I use 'service exim
restart', 'run_init service exim restart', or start exim by hand.
If I do a 'make fixfiles' then everything starts working as expected,
and all three ways of starting exim cause the transition to occur into
the exim_t domain.
Perhaps this is because I forcefully (rpm -U --force) reinstalled the
selinux-policy-targeted RPM the other night after I finished testing
things? Something's definitely fubar on my system.
David
signature.asc
Description: This is a digitally signed message part
|
