2015-05-18 21:33 GMT+02:00 Stephen Smalley <sds@xxxxxxxxxxxxx>:
You don't need a C program; you just need to make sure the scripts are
executable and directly invoke them rather than calling them via bash.
Then they are passed to execve() and the kernel will set up the domain
transition before invoking bash.
I nevertheless wrote a simple one, and indeed it worked and transitioned to the correct context.
In the case of the scripts, however, invoking them directly did not help.
I have tried calling them via bash, via a properly labeled copy of bash, tried running them normally, as shell scripts, with bash (on the shebang), and with a properly labeled copy of bash (the shebang pointed to it); in none of the cases did the second script (with the label of syslogd_exec_t) end up as syslogd_t. The script was executable, of course, in all of the cases.
As for the customer's system/scenario, we're still waiting for their answer. I will get back to you when they reply to our questions, or if we manage to track down the problem on our own.