Dear people,

I try to allow a daemonized python script to execute
the following commands out of the script.

setfilecon
restorecon
killall

That works fine if I call the commands in a python
script run from the shell as sysadm_r.
But the daemon runs as a linux user belonging to the
daemon group as well as in its own se-context.

ps aux output:
------------------------------------------------------------------------
root [...] \_ supervise pyserv
pyserv [...] | \_ /usr/bin/python2.4 /path/to/pyserv.py
------------------------------------------------------------------------
ps auxZ output:
------------------------------------------------------------------------
system_u:system_r:svc_start_t [...] \_ supervise pyserv
system_u:system_r:pyserv_t [...] | \_ /usr/bin/python2.4 /path/to/pyserv.py
------------------------------------------------------------------------

Commands like cp/rm/rmdir are working fine when called
from the daemon (using Python's os-lib/-functions).
But how to get access to the special commands above?
How would you do it? What would be the most secure
way?
Can I make a domain transition to the restorecon
domain? If so, how without having a role for the
pyserv? Which domain is responsible for the killall
command?
What I'm also curious about is that I get no avc log
entries when calling restorecon out of the daemon.

Any help is very appreciated. I would be happy too for
any explanation.
Thanks a lot!
Best Regards,
Jan

--
gentoo-hardened@g.o mailing list