On Fri, 2008-01-04 at 14:26 -0800, Clarkson, Mike R (US SSA) wrote:
> Is there someplace I can go to find a description of the libselinux API?

Not sure, I just read the code :) The Fedora libselinux-devel package provides man pages for most (maybe all?) of the interfaces.

>
> Is there a way to change the context of an existing process, without
> having to execute a new process?

Yes, the permission is dyntransition in the process class. It is STRONGLY, let me say that again, VERY STRONGLY, suggested that you don't make use of this facility. Basically you lose all separation between those 2 domains. You don't have any assurance that the process before the transition didn't get hacked/corrupted/bugged and is now transitioning to a new domain but able to do the wrong things (or sometimes even worse, not transition to the new domain at all).

I'm not sure what the rationale was to put it in originally, but please just find a way to do it on an execve boundary.

-Eric
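To find where a policy permits the dynamic transitions discussed in the reply above, this added example (not part of the original message and not libselinux code) scans `allow` rules for `dyntransition` on the `process` class. It assumes the rules are already expanded to plain type names (no macros or attributes); the sample rules and type names are constructed.

```python
import re

# Constructed sample rules for illustration; not taken from any real policy.
SAMPLE_POLICY = """\
# constructed example rules
allow init_t sshd_t:process transition;
allow broker_t worker_t:process dyntransition;
allow { app_a_t app_b_t } sandbox_t:process { transition dyntransition };
allow daemon_t self:process { fork dyntransition };
allow httpd_t httpd_log_t:file { append dyntransition_like };
"""

# A field is either one identifier or a brace-enclosed set of identifiers.
_FIELD = r"(\{[^}]*\}|[\w.]+)"
_RULE = re.compile(rf"^\s*allow\s+{_FIELD}\s+{_FIELD}\s*:\s*{_FIELD}\s+{_FIELD}\s*;")


def _items(token):
    """Split 'name' or '{ a b c }' into a list of names."""
    return token.strip("{} ").split()


def find_dyntransitions(policy_text):
    """Return (source_domain, target_domain) pairs that are granted
    process:dyntransition, i.e. pairs with no execve boundary between them."""
    hits = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        match = _RULE.match(line)
        if not match:
            continue
        sources, targets, classes, perms = (_items(g) for g in match.groups())
        # Exact-name match only: 'transition' (the execve path) is not flagged.
        if "process" not in classes or "dyntransition" not in perms:
            continue
        for src in sources:
            for tgt in targets:
                # 'self' means the target is the source domain itself.
                hits.append((src, src if tgt == "self" else tgt))
    return hits


if __name__ == "__main__":
    for src, tgt in find_dyntransitions(SAMPLE_POLICY):
        print(f"{src} -> {tgt}: dyntransition allowed, review for an execve-based design")
```

On a system with setools installed, `sesearch -A -c process -p dyntransition` answers the same question against the compiled policy.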