On 04/01/2014 09:59 AM, Kim Lawson-Jenkins wrote:
> Hi,
>
> I’m pretty sure my questions are basic SELinux 101 but I’m having a
> problem confining an application when a user runs the application
> directly. On our system I have removed the unconfined domain and
> unconfined user. When the system initializes the confined applications
> run in the correct confined domains. However, if I use ssh to access
> the server, stop an application, and then start the application again,
> the application will run with the label sshd_t. I haven’t tried
> starting a confined application from a local console but I’ll probably
> encounter a similar problem. How should I modify the policy to allow a
> confined user to execute an application but also have the application
> run in the application’s confined domain?

If it is running in sshd_t, that suggests a bug in your policy that prevented sshd from transitioning into a user domain. When you removed the unconfined domain and user, did you also update your semanage login and semanage user mappings so that no user is still being mapped to unconfined_u / unconfined_r?
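The mapping check suggested in the reply, as an added example that is not part of the thread: the two functions below scan the output of `semanage login -l` and `semanage user -l` for login names still mapped to unconfined_u (including `__default__`) and SELinux users whose role set still contains unconfined_r. The sample listings are constructed to match the usual column layout of those commands; when run on a host that has `semanage`, the live output is used instead.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` on a host where the default
# login mapping was never changed after the unconfined user was removed.
SAMPLE_LOGIN_LIST='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 staff_u              s0-s0:c0.c1023       *
kim                  staff_u              s0-s0:c0.c1023       *'

# Constructed sample of `semanage user -l`; unconfined_u still carries unconfined_r.
SAMPLE_USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Print every login name (column 1) whose SELinux user (column 2) is unconfined_u.
# Header and blank lines are skipped by content, not by line number, so the
# check does not depend on how many header lines a given version prints.
unconfined_logins() {
    printf '%s\n' "$1" |
        awk '$1 != "" && $1 != "Login" && $2 == "unconfined_u" { print $1 }'
}

# Print every SELinux user (column 1) whose role list (columns 5 onward)
# contains unconfined_r.
users_with_unconfined_role() {
    printf '%s\n' "$1" |
        awk '$1 != "" && $1 != "SELinux" && $1 != "Labeling" {
                 for (i = 5; i <= NF; i++)
                     if ($i == "unconfined_r") { print $1; break }
             }'
}

# Stand-alone run: prefer live data when semanage is installed, else the samples.
if command -v semanage >/dev/null 2>&1; then
    login_list=$(semanage login -l 2>/dev/null)
    user_list=$(semanage user -l 2>/dev/null)
else
    login_list=$SAMPLE_LOGIN_LIST
    user_list=$SAMPLE_USER_LIST
fi
echo "Logins still mapped to unconfined_u:"
unconfined_logins "$login_list"
echo "SELinux users still granted unconfined_r:"
users_with_unconfined_role "$user_list"
```

Any login name reported here (especially `__default__`) is a user that sshd will still try to place in an unconfined context, which on a policy with that domain removed leaves the session stuck in sshd_t.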