From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Nabeel Moidu

Hi,

I've got an executable file script.sh labeled xyz_exec_t. I've also defined a domain xyz_t and added daemon_domain(xyz_t, xyz_exec_t) in the .te file. When compiled and inserted, the file context labels seem to be enforced correctly.

Normally the executable script.sh is invoked by the init scripts. As per the domain transition rule, I expect it to show up with xyz_t as its domain in ps -efZ. But the transition does not work as expected: the process runs in an unconfined domain. When I add runcon on the line where the init script invokes the executable, with the domain set to xyz_t, the process runs in the proper context. Once I remove the runcon and invoke the init script, the domain transition I defined in the custom module does not work. Any suggestions?

NB: The system is in permissive mode, and this particular domain xyz_t has also been defined as a permissive domain.

Nabeel


It might help us to see the exact rules that have been defined. Hopefully this will show something up (thanks Dominick!):

    sesearch --allow -t xyz_t | grep transition

If your executable is normally run by init scripts, it will be coming from initrc_t, not unconfined_t, which may make a difference.

Moray.

“To err is human; to purr, feline.”
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
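Added illustration, not part of either message above: a minimal Reference Policy module that spells out the rules a transition from the init-script domain needs, so that the sesearch output can be checked piece by piece. Only the type names xyz_t and xyz_exec_t are taken from the thread; init_t, initrc_t, system_r, domain_type(), files_type(), corecmd_exec_shell() and the permissive statement are standard Reference Policy names, and the module as a whole is an assumed example, not the poster's actual policy.

```selinux
policy_module(xyz, 1.0.0)

########################################
#
# Declarations
#

# Domain for the daemon and the label of the file it is entered through.
type xyz_t;
domain_type(xyz_t)

type xyz_exec_t;
files_type(xyz_exec_t)

# Permissive only affects enforcement: a missing type_transition rule
# is still missing, and the process stays in the caller's domain.
permissive xyz_t;

gen_require(`
	type init_t;
	type initrc_t;
	role system_r;
')

# Init scripts run as system_r:initrc_t. If xyz_t is not allowed for
# system_r the transition fails with an invalid context, not a denial.
role system_r types xyz_t;

########################################
#
# Local policy
#

# script.sh is a shell script, so the new domain must be allowed to run
# the interpreter named on its #! line.
corecmd_exec_shell(xyz_t)

# The four pieces behind "domain transition from initrc_t", written out.
# init_daemon_domain(xyz_t, xyz_exec_t) expands to the same rules (among
# others) for initrc_t; these are what sesearch should report.

# 1. The init-script domain may execute the entrypoint file.
#    (Policies with the file "map" permission need map here as well.)
allow initrc_t xyz_exec_t:file { getattr open read execute };
# 2. The init-script domain may switch its process to xyz_t ...
allow initrc_t xyz_t:process transition;
# 3. ... but only by entering through a file labeled xyz_exec_t.
allow xyz_t xyz_exec_t:file entrypoint;
# 4. Make the switch the default, so no runcon is needed: initrc_t
#    executing a xyz_exec_t file yields a process in xyz_t.
type_transition initrc_t xyz_exec_t:process xyz_t;

# When init itself runs the file (a systemd unit rather than an init
# script), the same rules are needed with init_t as the source domain.
allow init_t xyz_exec_t:file { getattr open read execute };
allow init_t xyz_t:process transition;
type_transition init_t xyz_exec_t:process xyz_t;
```

The check that matches the reply above is to query from the domain the init scripts actually run in rather than from unconfined_t: with setools, `sesearch -T -s initrc_t -t xyz_exec_t -c process` should list the type_transition rule and `sesearch -A -s initrc_t -t xyz_t -c process -p transition` the allow rule (flag spellings assumed from setools; older releases accept the long forms --type and --allow). If runcon works but the init script does not, the rules for unconfined_t exist and one of the four above for initrc_t (or the role statement) is the usual thing that is missing.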