On 04/03/2015 09:22 AM, Miroslav Grepl wrote:
> On 04/01/2015 05:51 PM, W. Michael Petullo wrote:
>> Is it possible to cause a process to transition to a new domain but only
>> if it reads a file with a certain label? I am interested in imposing
>> this by modifying the SELinux policy only, that is, not requiring any
>> action on the part of the process itself. You could think of this as a
>> rough analog to HiStar and others' "tainting".
>>
> SELinux process transition happens on execve() calling. Not sure what
> your point is here?
>
Miroslav is correct, there is no way to do what you want with SELinux. Transitions happen on exec, or a process can attempt to change its own label, if allowed by policy. Those are the only ways for a process to get a label.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
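The two labeling paths named in the reply, written out as policy rules. This is an added example, not part of the original thread; the module name and the types `app_t`, `helper_t`, `helper_exec_t` and `tagged_file_t` are hypothetical.

```selinux
module example_transition 1.0;

require {
    class process { transition dyntransition setcurrent };
    class file { read getattr open execute entrypoint };
}

# Hypothetical types, declared here only for illustration.
type app_t;           # domain of the calling process
type helper_t;        # domain the process should end up in
type helper_exec_t;   # label on the helper's executable file
type tagged_file_t;   # label on the data file from the question

# Path 1: transition at execve().
# When app_t executes a file labeled helper_exec_t, the new process
# image runs in helper_t. All three allow rules are needed for the
# type_transition default to take effect.
type_transition app_t helper_exec_t:process helper_t;
allow app_t helper_exec_t:file { read getattr open execute };
allow helper_t helper_exec_t:file entrypoint;
allow app_t helper_t:process transition;

# Path 2: the process changes its own label.
# The process itself must request the change (for example with
# libselinux setcon()); policy only decides whether it is allowed.
allow app_t self:process setcurrent;
allow app_t helper_t:process dyntransition;

# Reading a labeled file: this rule is an access decision only.
# Nothing in it can change the label of the reading process.
allow app_t tagged_file_t:file { read getattr open };
```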