exec'ing new process with different type and MLS level

I've got a process that runs at SystemHigh whose type has lots of MAC
privileges, call it x_t, that execs (calling fork, setexeccon and then
execv) other processes in a less privileged type, call it y_t, and at
'lower' levels. Between the fork and exec I also close all of the file
descriptors 0 to maxfd. The issue is that there are MLS constraint AVCs
generated for the y_t 'use' access of the fd for ld.so because it is
labeled x_t:SystemHigh. Since I did the setexeccon to y_t I'd have
thought that ld.so would have been opened as y_t. What am I missing
here?

Ted