On Wed, 2013-08-21 at 09:05 -0500, Dan Pou wrote:
> > Some things (but I am not sure):
> >
> > The target role needs to be associated to the identity (probably already
> > done)
> > The target role needs to be associated to the target domain (probably
> > already done)
> > The source role needs to be allowed to manually change to the target
> > role (probably already done)
> >
> > The source domain needs various permissions to change identity, role,
> > and set mls range (policy constraints: mlsprocsetsl
> > can_change_process_identity can_change_process_role )
> > The target security level must be within range of the selinux identity
> > associated level, range)
> >
> > You probably need to specify the entrypoint to the target domain
> > You probably need to allow the actual transition permission from source
> > domain to target domain (allow my_daemon_t user_t:process transition)
>
> Wouldn't these settings be associated with AVC denials? I am running
> Permissive and have no denials showing up.
>

I am not sure but here is what I think:

The function uses the policy to see if there's a valid path to the target
context by querying the policy used for calculation.

So if the policy does not define a path the function will fail/abort, thus
it won't try it because it already determined that it wouldn't work anyways.

So you won't see any AVC denials because it didn't even try it.

> > As far as I know, the function calculates if what you specified is valid
> > first
> >
> > I do not think you need an automatic role transition rule (it changes
> > manually instead I believe)
>
> I thought you still needed to specify a transition with setexeccon. Is
> this not true?

I am not sure, but again, I believe that no automatic role transition is
needed.
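
The checklist quoted in the message above, written out as a reference-policy style module. This is an added illustration, not policy posted by anyone in the thread. my_daemon_t and user_t come from the thread; system_r, user_r, shell_exec_t and the module name are assumptions.

```selinux
# Added illustration, not from the thread.
# Assumed: the daemon runs in system_r, the target role is user_r, and the
# program executed after setexeccon() is labelled shell_exec_t.
policy_module(my_daemon_setexec, 1.0.0)

gen_require(`
	type my_daemon_t;
	type user_t;
	type shell_exec_t;
	role system_r;
	role user_r;
')

# Target role must be associated with the target domain, otherwise the
# requested context is invalid and is rejected without an AVC record.
role user_r types user_t;

# Source role must be allowed to change to the target role.
# This is a role allow rule, not an automatic role_transition.
allow system_r user_r;

# Constraint exemptions named in the thread, granted through the
# reference policy interfaces that assign each attribute.
domain_subj_id_change_exemption(my_daemon_t)   # can_change_process_identity
domain_role_change_exemption(my_daemon_t)      # can_change_process_role
mls_process_set_level(my_daemon_t)             # mlsprocsetsl

# Entrypoint into the target domain for the executed file type.
allow user_t shell_exec_t:file entrypoint;

# The transition permission itself, as written in the thread.
allow my_daemon_t user_t:process transition;

# Not expressible here: the identity-to-role association and the MLS range
# of the SELinux user. Inspect them with: semanage user -l
```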