Gentoo Archives: gentoo-hardened

From: Jan V <jvulhunder@×××××.de>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] commands calls question
Date: Sat, 11 Feb 2006 00:17:52
Message-Id: 20060211001605.35523.qmail@web26012.mail.ukl.yahoo.com
Dear people,

I am trying to allow a daemonized python script to execute
the following commands out of the script.

setfilecon
restorecon
killall

That works fine if I call the commands in a python
script run from the shell as sysadm_r.
But the daemon runs as a linux user belonging to the
daemon group and as well as in its own se-context.

ps aux output:
------------------------------------------------------------------------
root [...] \_ supervise pyserv
pyserv [...] | \_ /usr/bin/python2.4 /path/to/pyserv.py
------------------------------------------------------------------------
ps auxZ output:
------------------------------------------------------------------------
system_u:system_r:svc_start_t [...] \_ supervise pyserv
system_u:system_r:pyserv_t [...] | \_ /usr/bin/python2.4 /path/to/pyserv.py
------------------------------------------------------------------------

Commands like cp/rm/rmdir are working fine when called
from the daemon (using Python's os-lib/-functions).
But how to get access to the special commands above?
How would you do it? What would be the most secure
way?
Can I make a domain transition to the restorecon
domain? If so, how (without having a role for the
pyserv)? Which domain is responsible for the killall
command?
What I'm also curious about is that I get no avc log
entries when calling restorecon out of the daemon.

Any help very appreciated. I would also be happy for
any explanation.
Thanks a lot!
Best Regards,
Jan