Re: runcon cmd preventing default domain transition

Clarkson, Mike R (US SSA) wrote:
I have my policy set up to do a domain transition from the datalabeler_t
domain to the import_t domain when the datalabeler_t domain executes the
SimulatedImport (type import_exec_t) executable. This works fine until I
execute the SimulatedImport executable using a runcon command: "runcon
-l s1 SimulatedImport"

The intent is to start the import_t domain at the s1 level, but the
runcon command prevents the default domain transition from occurring. I
found I had to use the following to force the domain transition while
also setting the level of the process: "runcon -t import_t -l s1
SimulatedImport"

Can anyone tell me why I have to explicitly set the type to get the
domain transition to occur? The policy is set up to do the domain
transition by default when the ImportExecutable is executed in the
datalabeler_t domain, and this works fine when I don't use the runcon
command, but then the import_t domain is not running at the level that I
want.

Thanks,
  Mike


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

runcon is doing a setexeccon which will override the transition.

So the code does a getprevcon to get the context of the process running runcon. It then changes the component of the security context you selected and does a setexeccon.

So if I am running sysadm_u:sysadm_r:sysadm_t:s0 and I run
runcon -l s1 SimulatedImport

It will attempt a setexeccon("sysadm_u:sysadm_r:sysadm_t:s1") and then exec the app. No transition will happen.
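The context rewrite described in that reply, as an added example (not runcon's source and not code from the page): a hypothetical helper, build_exec_context(), that takes the caller's previous context and replaces only the fields given as runcon flags, producing the string runcon would then hand to setexeccon() before exec. With only -l, the type field stays the caller's, which is why the explicit exec context wins over the policy's default domain transition.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: rebuild user:role:type:range from `prev` (what
 * getprevcon() returned), overriding only the non-NULL arguments, the way
 * runcon's -u/-r/-t/-l flags do.  The MLS range is the 4th field and may
 * itself contain ':' (e.g. s0:c0.c3), so we split into at most four pieces.
 * Returns 0 on success, -1 on a malformed context or too-small buffer. */
int build_exec_context(const char *prev, const char *user, const char *role,
                       const char *type, const char *range,
                       char *out, size_t outlen)
{
    char buf[256];
    char *field[4];
    int n = 0;

    if (strlen(prev) >= sizeof buf)
        return -1;
    strcpy(buf, prev);

    char *p = buf;
    while (n < 4) {                      /* split on ':' at most 3 times */
        field[n++] = p;
        char *sep = (n < 4) ? strchr(p, ':') : NULL;
        if (!sep)
            break;
        *sep = '\0';
        p = sep + 1;
    }
    if (n < 3)
        return -1;                       /* not a valid SELinux context */

    const char *u = user  ? user  : field[0];
    const char *r = role  ? role  : field[1];
    const char *t = type  ? type  : field[2];   /* caller's type unless -t */
    const char *l = range ? range : (n == 4 ? field[3] : NULL);

    int w = l ? snprintf(out, outlen, "%s:%s:%s:%s", u, r, t, l)
              : snprintf(out, outlen, "%s:%s:%s", u, r, t);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    char out[256];
    const char *prev = "sysadm_u:sysadm_r:sysadm_t:s0";   /* constructed */
    build_exec_context(prev, NULL, NULL, NULL, "s1", out, sizeof out);
    printf("runcon -l s1            -> setexeccon(\"%s\")\n", out);
    build_exec_context(prev, NULL, NULL, "import_t", "s1", out, sizeof out);
    printf("runcon -t import_t -l s1 -> setexeccon(\"%s\")\n", out);
    return 0;
}
```

The first line shows the type unchanged (no transition to import_t), the second shows the context that does land the process in import_t at s1.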

