Listing restrictions on roles.

There seem to exist additional non-transition restrictions on roles which define when a process will be able to execute as a certain role.

For example, a process which runs from a login shell cannot have the system_r role. How do I list such rules?

Looking at role transition rules, a transition to system_r should be allowed --

sesearch --role_allow | grep system_r\;
...
allow unconfined_r system_r;
...

And the sudo process runs as unconfined_r --

ps auxZ | grep sudo
system_u:unconfined_r:unconfined_t:s0 root 669 0.0 0.4 206860 3356 pts/1 S+ 10:28 0:00 sudo -r unconfined_r nano

But sudo -r system_r nano fails.
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.



