-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/24/2012 12:16 PM, Moray Henderson wrote:
> *From:* selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx
> [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] *On Behalf Of* Nabeel Moidu
> *Subject:* Domain transition not working
>
> Hi
>
> I've got an executable file script.sh labeled xyz_exec_t. I've also
> defined a domain xyz_t and added daemon_domain(xyz_t, xyz_exec_t) in
> the .te file.
>
> When compiled and inserted, the file context labels seem to be
> enforced correctly. Normally the executable script.sh is invoked by
> the init scripts. As per the domain transition rule, I expect it to
> show up with xyz_t as its domain in ps -efZ. But the transition does
> not work as expected. The process runs as an unconfined domain.
>
> But when I add runcon in the line where the init script invokes the
> executable with the domain as xyz_t, the process runs in the proper
> context.
>
> Once I remove the runcon and invoke the init script, the domain
> transition I applied in the custom module does not work out.
>
> Any suggestions?
>
> NB: The system is in permissive mode and this particular domain xyz_t
> has also been defined as a permissive domain.
>
> Nabeel
>
>
> It might help us to see the exact rules that have been defined.
> Hopefully this will show something up (thanks Dominick!):
>
> sesearch --allow -t xyz_t | grep transition
>
> If your executable is normally run by init scripts, it will be coming
> from initrc_t, not unconfined_t, which may make a difference.
>
>
> Moray.
>
> “To err is human; to purr, feline.”
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Also make sure the script is on a file system that is not set nosuid.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk8gNvMACgkQrlYvE4MpobNdQgCg3LwHrco+A4NvgDfKfOwQ2fJ8
M9wAl3phiUBRHilCtuwU/2Nx+0KVWuw=
=fhMI
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
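An added example, not code posted in the thread: a small POSIX sh script that checks the two points the replies raise, namely whether the script sits on a nosuid mount (SELinux silently keeps the caller's domain on exec from a nosuid mount, which matches the symptom described) and which policy rules to query for the initrc_t to xyz_t transition. The mount table below is constructed for offline use; the type names xyz_exec_t, xyz_t and initrc_t come from the thread; the sesearch invocations assume the setools sesearch CLI and are printed rather than run.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the two things the replies
# point at: is the script on a nosuid mount, and does the policy actually
# carry a transition from the invoking domain into xyz_t?

# Constructed sample of /proc/mounts for offline use; the real file has the
# same six-field layout: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /opt ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_options_for PATH [MOUNTS_TEXT]
# Prints the mount options of the longest mount point that contains PATH.
# Reads /proc/mounts when no mount table text is supplied.
mount_options_for() {
    if [ -n "$2" ]; then mounts=$2; else mounts=$(cat /proc/mounts); fi
    printf '%s\n' "$mounts" | awk -v path="$1" '
        {
            mnt = $2; opts = $4
            # a mount point contains the path if it is "/" or a directory prefix
            if (mnt == "/" || path == mnt || index(path, mnt "/") == 1) {
                if (length(mnt) > best_len) { best_len = length(mnt); best_opts = opts }
            }
        }
        END { print best_opts }'
}

# is_nosuid PATH [MOUNTS_TEXT]: succeeds when the containing mount is nosuid.
# On a nosuid mount the kernel keeps the old SID across exec, so the process
# stays in the caller's domain (initrc_t here) instead of entering xyz_t.
is_nosuid() {
    opts=$(mount_options_for "$1" "$2")
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# transition_queries ENTRYPOINT_TYPE TARGET_DOMAIN SOURCE_DOMAIN
# Prints the sesearch commands that show whether a transition exists from
# SOURCE_DOMAIN through ENTRYPOINT_TYPE into TARGET_DOMAIN: the type_transition
# rule itself, execute on the entrypoint for the source, and entrypoint for
# the target. Printed, not executed, so this works without setools installed.
transition_queries() {
    printf 'sesearch -T -s %s -t %s -c process\n' "$3" "$1"
    printf 'sesearch -A -s %s -t %s -c file -p execute\n' "$3" "$1"
    printf 'sesearch -A -s %s -t %s -c file -p entrypoint\n' "$2" "$1"
}

# Usage: sh check_transition.sh /path/to/script.sh
if [ -n "$1" ]; then
    if is_nosuid "$1"; then
        echo "$1 is on a nosuid mount: the domain transition will not happen"
    else
        echo "$1 is not on a nosuid mount"
    fi
    ls -Z "$1"
    echo "Policy queries to run (init scripts start from initrc_t, not unconfined_t):"
    transition_queries xyz_exec_t xyz_t initrc_t
fi
```

Run it against the real path the init script executes; if all three sesearch queries return a rule and the mount is not nosuid, the remaining suspects are the file's actual label (compare ls -Z with the expected xyz_exec_t) and the caller's domain.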