On Sat, 2008-12-27 at 20:04 +0100, Stefan Schulze Frielinghaus wrote:
> On Sat, 2008-12-27 at 12:01 +0100, domg472 g472 wrote:
> > A (executable) file is an "entrypoint" for domain transition.
> >
> > source domain -> executable files type -> target domain
> >
> > but domain transition is not default behaviour. Remember SELinux is
> > least privilege
> >
> > 1. deny access ( default )
> > 2. run the executable file in the source domain ( can_exec(source
> > domain, executable files type) )
> > 3. Transition from a source domain to a target domain through an
> > executable files type ( domain_auto_trans(source domain, executable
> > files type, target domain) )
> >
> > the unconfined domain is designed to NOT transition. unconfined_t is
> > not targeted, in other words it is (for the most part) exempted from
> > SELinux.
>
> How do you check if an entrypoint exists? Via security_check_context()?
> I couldn't find any other function which could do the job. Or in general
> how would you do it programmatically? What set of functions do you
> recommend?

security_compute_create(). See the rpm_execcon() source code in
libselinux/src/rpm.c for an example, or the compute_create sample utility
in libselinux/utils/compute_create.c.

--
Stephen Smalley
National Security Agency
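As an added example (not code from this thread, nor libselinux's own rpm.c or compute_create.c), this C program performs the check the reply recommends: it asks security_compute_create() which domain a process in a given source context would enter when executing a file with a given file context, and reports "no transition" when the computed context equals the source. libselinux is loaded with dlopen here only so the program builds without its headers and fails cleanly on hosts without SELinux; in practice the source context comes from getcon() and the file context from getfilecon().

```c
/* Added example, not code from the thread or libselinux: compute the domain a
 * process in `scon` would enter after executing a file labelled `tcon`, via
 * security_compute_create(). libselinux is dlopen()ed so this builds anywhere. */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned short security_class_t;            /* same as libselinux's */
typedef int (*compute_create_fn)(const char *, const char *, security_class_t, char **);
typedef security_class_t (*class_fn)(const char *);

/* Returns 1 if executing tcon from scon enters a new domain (tcon is an entrypoint
 * for an automatic transition out of scon), 0 if the process stays in scon, -1 if
 * libselinux/SELinux is unavailable or the query failed. On 0/1, caller free()s *newcon. */
int compute_transition(const char *scon, const char *tcon, char **newcon)
{
    *newcon = NULL;
    void *lib = dlopen("libselinux.so.1", RTLD_NOW);
    if (!lib) return -1;                             /* no libselinux on this host */
    class_fn to_class = (class_fn)dlsym(lib, "string_to_security_class");
    compute_create_fn compute = (compute_create_fn)dlsym(lib, "security_compute_create");
    /* Domain transitions are decided on the "process" class; its numeric id comes
     * from the loaded policy, so look it up rather than hard-coding it. */
    security_class_t process = (to_class && compute) ? to_class("process") : 0;
    /* security_compute_create() fails with ENOENT when selinuxfs is not mounted. */
    if (process == 0 || compute(scon, tcon, process, newcon) < 0) {
        dlclose(lib);
        return -1;
    }
    int transitions = strcmp(*newcon, scon) != 0;   /* same context => no transition */
    dlclose(lib);                                    /* *newcon is heap memory, still valid */
    return transitions;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <source-context> <file-context>\n", argv[0]); return 2; }
    char *newcon = NULL;
    int r = compute_transition(argv[1], argv[2], &newcon);
    if (r < 0) { fprintf(stderr, "SELinux unavailable or query failed\n"); return 1; }
    printf("%s exec %s -> %s\n", argv[1], argv[2], r ? newcon : "no transition (stays in source domain)");
    free(newcon);
    return 0;
}
```

Run it with the current process context and the label of a binary, e.g. `./a.out "$(cat /proc/self/attr/current)" "$(ls -Z /usr/sbin/sshd | cut -d' ' -f1)"` on an SELinux-enabled host; on an unconfined source context the result is "no transition", matching the point made in the quoted message.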