On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote: > Dominick, > thanks but you may have misunderstood my question, its not the daemon > that is confined to one category > its the child processes that it spawns, previously when in init_t > the app could spawn processes and assign > > them categories, now it can not, when running under myapp_t, what > makes init_t or other types able to > support mcs and myapp_t can not? There are two options: 1. you run the parent with the full mcs range 2. you override mcs constraints for the parent using the applicable mcs type attributes the latter is why init is allowed to do it but i recommend the former for your parent process -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
