On 07/31/2009 08:09 AM, Sebastian Pfaff wrote:

> hello,
>
> when I start sleep(1) as user_t, f11 with mls policy does this:
>
> [root@localhost ~]# sesearch --allow -s user_t -t bin_t
> Found 3 semantic av rules:
>    allow user_t bin_t : file { ioctl read getattr lock execute
> entrypoint open } ;
> ...
>
> and this:
>
> [root@localhost ~]# sesearch --allow -s user_t -c process
> Found 24 semantic av rules:
> ...
>    allow user_t user_t : process { fork transition sigchld sigkill
> sigstop signull signal ptrace getsched setsched getsession getpgid
> setpgid getcap setcap share getattr setfscreate noatsecure siginh
> rlimitinh dyntransition setkeycreate setsockcreate } ;
>
> ...
>
> it seems that user_t transitions to itself. Why not use
> execute_no_trans? Like it is handled in f10 targeted. Has this "style"
> any deeper sense?
>
> --
> Sebastian Pfaff
>
>
> PS: No execute_no_trans, look here:
>
> [root@localhost ~]# sesearch --allow -s user_t -t bin_t -p execute_no_trans
>
> [root@localhost ~]# echo $?
> 0
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
> with the words "unsubscribe selinux" without quotes as the message.

I forget exactly why, but some tool is doing a setcon/setexecon to the current context.
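A check in the spirit of the poster's PS, added here as an example and not part of the thread: it decides whether an allow rule grants a permission by parsing the rules sesearch prints, because, as the PS shows, sesearch exits 0 even when it prints no rule at all. The functions `has_av_perm` and `check_exec` and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: decide whether a domain holds a
# given permission on a file type from the rules sesearch prints.
# The PS above shows `sesearch ... -p execute_no_trans` printing nothing
# and still exiting 0, so a check must inspect the output, not $?.

# has_av_perm SRC TGT CLASS PERM   (sesearch output on stdin)
# Exit 0 if an "allow SRC TGT : CLASS { ... PERM ... }" rule is present.
has_av_perm() {
    src=$1 tgt=$2 cls=$3 perm=$4
    # Rules may wrap across lines (the quoted output above is wrapped), so
    # join everything and split on the ';' that terminates each rule.
    tr '\n' ' ' | tr ';' '\n' | grep -E \
        "allow[[:space:]]+$src[[:space:]]+$tgt[[:space:]]*:[[:space:]]*$cls[[:space:]]*[{]([^}]*[[:space:]])?$perm[[:space:]}]" \
        >/dev/null
}

# check_exec SRC TGT PERM: run the real query with setools' sesearch.
# Exit 0 only if a matching rule is printed; empty output means "no rule".
check_exec() {
    sesearch --allow -s "$1" -t "$2" -c file -p "$3" | has_av_perm "$1" "$2" file "$3"
}

# Constructed sample in the shape of the thread's sesearch output,
# including the wrapped file rule.
SAMPLE_USER_T_BIN_T='Found 3 semantic av rules:
   allow user_t bin_t : file { ioctl read getattr lock execute
entrypoint open } ;
   allow user_t bin_t : dir { getattr search open } ;
   allow user_t bin_t : lnk_file { read getattr } ;
'

# Stand-alone demo: classify the constructed sample the way the poster did.
for perm in execute execute_no_trans; do
    if printf '%s' "$SAMPLE_USER_T_BIN_T" | has_av_perm user_t bin_t file "$perm"; then
        echo "user_t -> bin_t:file $perm: allowed"
    else
        echo "user_t -> bin_t:file $perm: no rule"
    fi
done
```

On a live system, `check_exec user_t bin_t execute_no_trans` gives a trustworthy yes/no where `sesearch ...; echo $?` does not.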