Re: transition policy/logic for shell-, perl- and python-scripts

Stefan Schulze Frielinghaus wrote:
> Hello everyone,
> 
> I would like to know the policy/logic for transition of e.g. a
> Perl-Script. If I write a daemon in Perl, label the file as
> daemon_exec_t and execute it using the initrc_t, then the daemon runs
> under the daemon_t domain. This SELinux behavior is very convenient.
> 
> I would like to know when and how does a transition for such a script
> occur?
> 
> For example, create a /tmp/test.pl and run it. The file is labeled as 
> 
> unconfined_u:object_r:user_tmp_t:s0
> 
> but runs as
> 
> unconfined_u:unconfined_r:unconfined_t:s0
> 
> Therefore, no type transition occurred. Can someone give me a hint?
> 
> cheers,
> Stefan
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
The default policy for unconfined_t is that it can execute any file type
without a transition.  So an unconfined_t executing a user_tmp_t would
stay unconfined_t.  Similarly initrc_t can execute most bin_t files
without a transition, so initrc_t executing files in a bin directory
with the default labeling will stay bin_t.  Now if you define a file
context for a daemon, daemon_exec_t, and you define a domain type for
this daemon, daemon_t, you can call an interface

init_daemon_domain(daemon_t, daemon_exec_t)

Which will cause initrc_t to transition to daemon_t when it executes
files labeled daemon_exec_t.  This transition happens when the
executable starts.
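As an added illustration (not from the original thread), here is a minimal refpolicy-style module that applies the reply's advice to a Perl daemon. The module name mydaemon, the types mydaemon_t/mydaemon_exec_t and the path /usr/local/sbin/mydaemon.pl are made up for the example; the interfaces init_daemon_domain and corecmd_exec_bin are real refpolicy interfaces.

```selinux
# --- mydaemon.te (constructed example, hypothetical module name) ---
policy_module(mydaemon, 1.0.0)

# Domain the daemon will run in, and the entry-point type of its script.
type mydaemon_t;
type mydaemon_exec_t;

# Mark mydaemon_exec_t as an entry point of mydaemon_t and add the
# type_transition so initrc_t (and init_t) switch to mydaemon_t when
# they execute a file labeled mydaemon_exec_t.  The transition is keyed
# on the label of the script file itself, which is why a script left
# in /tmp as user_tmp_t never transitions.
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# The script's shebang makes the kernel run the perl interpreter, which
# lives in a bin directory (bin_t).  The new domain must be allowed to
# execute it, or the daemon dies right after the transition.
corecmd_exec_bin(mydaemon_t)

# Real daemons will also need rules for their pid file, log file,
# network ports and so on; those are omitted here.

# --- mydaemon.fc (constructed example) ---
# File context so restorecon/relabeling puts the entry-point label
# on the script.  Only this path gets mydaemon_exec_t.
/usr/local/sbin/mydaemon\.pl  --  gen_context(system_u:object_r:mydaemon_exec_t,s0)
```

With the two files in one directory, `make -f /usr/share/selinux/devel/Makefile mydaemon.pp`, `semodule -i mydaemon.pp` and `restorecon -v /usr/local/sbin/mydaemon.pl` install the module and label the script; `sesearch -T -s initrc_t -t mydaemon_exec_t -c process` then shows the resulting type_transition rule.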



