Clarkson, Mike R (US SSA) wrote:
I have my policy set up to do a domain transition from the datalabeler_t
domain to the import_t domain when the datalabeler_t domain executes the
SimulatedImport (type import_exec_t) executable. This works fine until I
execute the SimulatedImport executable using a runcon command: "runcon
-l s1 SimulatedImport"
The intent is to start the import_t domain at the s1 level, but the
runcon command prevents the default domain transition from occurring. I
found I had to use the following to force the domain transition while
also setting the level of the process: "runcon -t import_t -l s1
SimulatedImport"
Can anyone tell me why I have to explicitly set the type to get the
domain transition to occur? The policy is set up to do the domain
transition by default when the ImportExecutable is executed in the
datalabeler_t domain, and this works fine when I don't use the runcon
command, but then the import_t domain is not running at the level that I
want.
Thanks,
Mike
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
runcon is doing a setexeccon which will override the transition.
So the code does a getprevcon to get the context of the process running
runcon. It then changes the component of the security context you
selected and does a setexeccon.
So if I am running sysadm_u:sysadm_r:sysadm_t:s0 and I run
runcon -l s1 SimulatedImport
it will attempt a setexeccon("sysadm_u:sysadm_r:sysadm_t:s1") and then
exec the app.
No transition will happen.
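The following is an added model of the mechanism the reply describes, not code from runcon or libselinux: runcon copies the caller's context, swaps only the requested component, and calls setexeccon, and the kernel then uses that explicit exec context instead of the policy's type_transition rule. The contexts and the single transition rule are constructed for the example; validity and permission checks the kernel performs on the exec context are omitted.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    """A four-field SELinux context: user:role:type:range."""
    user: str
    role: str
    type: str
    range: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        user, role, type_, range_ = s.split(":", 3)
        return cls(user, role, type_, range_)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.range}"


def runcon_exec_context(prev: str, user: Optional[str] = None, role: Optional[str] = None,
                        type_: Optional[str] = None, level: Optional[str] = None) -> str:
    """Model of runcon's -u/-r/-t/-l handling: start from the value
    getprevcon() returns and replace only the components that were given.
    The result is what runcon passes to setexeccon() before exec."""
    c = Context.parse(prev)
    return str(Context(user or c.user, role or c.role, type_ or c.type, level or c.range))


# Constructed stand-in for the policy's type_transition rules:
# (current domain, entrypoint file type) -> new domain.
TYPE_TRANSITIONS = {("datalabeler_t", "import_exec_t"): "import_t"}


def kernel_exec_context(current: str, exec_file_type: str, exec_con: Optional[str]) -> str:
    """Model of the label chosen at exec: an explicit exec context set via
    setexeccon() is used as-is, so no type_transition is consulted; without
    one, the policy rule decides the new type and the range is carried over."""
    if exec_con is not None:
        return exec_con
    c = Context.parse(current)
    new_type = TYPE_TRANSITIONS.get((c.type, exec_file_type), c.type)
    return str(Context(c.user, c.role, new_type, c.range))


if __name__ == "__main__":
    prev = "staff_u:staff_r:datalabeler_t:s0"  # constructed caller context
    print(kernel_exec_context(prev, "import_exec_t", None))
    print(kernel_exec_context(prev, "import_exec_t", runcon_exec_context(prev, level="s1")))
    print(kernel_exec_context(prev, "import_exec_t",
                              runcon_exec_context(prev, type_="import_t", level="s1")))
```

The second call reproduces the behaviour in the question: with only -l given, the exec context keeps datalabeler_t, so the process ends up at s1 but never enters import_t.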