Clarkson, Mike R (US SSA) wrote:
I have my policy set up to do a domain transition from the datalabeler_t domain to the import_t domain when the datalabeler_t domain executes the SimulatedImport (type import_exec_t) executable. This works fine until I execute the SimulatedImport executable using a runcon command:

"runcon -l s1 SimulatedImport"

The intent is to start the import_t domain at the s1 level, but the runcon command prevents the default domain transition from occurring. I found I had to use the following to force the domain transition while also setting the level of the process:

"runcon -t import_t -l s1 SimulatedImport"

Can anyone tell me why I have to explicitly set the type to get the domain transition to occur? The policy is set up to do the domain transition by default when the ImportExecutable is executed in the datalabeler_t domain, and this works fine when I don't use the runcon command, but then the import_t domain is not running at the level that I want.

Thanks,
Mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You might get what you want to happen by executing

runcon -l s1 sh -- -c SimulatedImport