On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
> On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
> > Unconfined processes tend to stay unconfined. That is what users expect;
> > telling them that they are executing an unconfined process that suddenly
> > becomes confined seems wrong to them. That being said, you can end up
> > with mislabeled files because of this.
> >
> > So
> >
> > unconfined_t -> squid_exec_t -> unconfined_t
> >
> > But unconfined processes starting init scripts have a transition
> >
> > unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >
> > So any time you are using a confined process you should use the init
> > script to start them, otherwise you could get mislabeled files.
>
> I also just wrote a blog on this.
>
> http://danwalsh.livejournal.com/29041.html

Hmm...when did this change? It used to be the case that a domain
transition was also defined directly from unconfined_t to the daemon
domain when running the daemon binary, precisely because users and
scriptlets sometimes do that.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
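The two exec chains quoted above, and the mislabeled-file consequence, modelled as an added example (not code from the thread or from the SELinux policy). It assumes a small constructed rule set written in the style of `sesearch -T` output; the rule for `squid_log_t` is illustrative, not taken from a real policy.

```python
"""Model how SELinux type_transition rules decide the domain of an exec'd
process and the label of a file it creates, for the squid case in the thread."""
import re

# Constructed rule subset in sesearch -T style (illustrative, not a real policy).
RULES = """
type_transition unconfined_t initrc_exec_t : process initrc_t;
type_transition initrc_t squid_exec_t : process squid_t;
type_transition squid_t var_log_t : file squid_log_t;
"""

RULE_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+);")


def parse_rules(text):
    """Return {(source_type, target_type, class): result_type} from rule lines."""
    return {(s, t, c): r for s, t, c, r in RULE_RE.findall(text)}


def exec_chain(rules, start_domain, exec_types):
    """Follow process transitions through a sequence of executed file types.
    With no matching rule the new process simply inherits the caller's domain,
    which is why unconfined_t running squid_exec_t directly stays unconfined_t."""
    domain, chain = start_domain, [start_domain]
    for exec_type in exec_types:
        domain = rules.get((domain, exec_type, "process"), domain)
        chain.append(domain)
    return chain


def new_file_type(rules, domain, parent_dir_type):
    """Default label of a file created by `domain` in a directory labelled
    `parent_dir_type`: the file transition if one exists, else the parent's type."""
    return rules.get((domain, parent_dir_type, "file"), parent_dir_type)


def compare_start_methods(rules):
    """Direct exec versus start via init script, plus the resulting log label."""
    direct = exec_chain(rules, "unconfined_t", ["squid_exec_t"])
    via_init = exec_chain(rules, "unconfined_t", ["initrc_exec_t", "squid_exec_t"])
    return {
        "direct": (direct, new_file_type(rules, direct[-1], "var_log_t")),
        "via_init": (via_init, new_file_type(rules, via_init[-1], "var_log_t")),
    }


if __name__ == "__main__":
    for how, (chain, log_type) in compare_start_methods(parse_rules(RULES)).items():
        print(f"{how:8s}: {' -> '.join(chain)}; new log file labelled {log_type}")
```

The "direct" path ends in unconfined_t and leaves the new log file with the directory's type rather than squid_log_t, which is the mislabeling the thread warns about.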