Got it, thanks.

Ted

On Tue, May 19, 2015 at 11:20 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 05/19/2015 11:48 AM, Ted Toth wrote:
>> I've got a process that runs at SystemHigh whose type has lots of MAC
>> privileges, call it x_t, that execs (calling fork, setexeccon and then
>> execv) other processes in a less privileged type, call it y_t, and at
>> 'lower' levels. Between the fork and exec I also close all of the file
>> descriptors 0 to maxfd. The issue is that there are MLS constraint AVCs
>> generated for the y_t 'use' access of the fd for ld.so because it is
>> labeled x_t:SystemHigh. Since I did the setexeccon to y_t I'd have
>> thought that ld.so would have been opened as y_t. What am I missing
>> here?
>
> Kernel opens ld.so before the credential change, e.g. see:
> http://marc.info/?l=linux-security-module&m=130339623211102&w=2
>
> There were patches floated to change that behavior but it was
> controversial and would affect user-visible behavior so it would at
> least need some kind of compatibility switch.
>
> I think you either have to allow it or have your privileged process
> first invoke a statically linked "gate" executable that then invokes the
> real program so that ld.so is re-opened in the right context.
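The launch sequence described in the thread (fork, close descriptors, setexeccon, execv), written out as an added C example that is not from the original posts. It writes /proc/thread-self/attr/exec directly, which is what libselinux's setexeccon(3) does underneath, so it builds without libselinux; the function names, the fd range kept open and any context string passed in are this example's own choices, and the comment on launch_in_context records the ld.so caveat from Stephen's reply.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>

/* Sanity check: non-empty, one line, at least user:role:type (MLS level optional). */
int valid_context(const char *ctx)
{
    int colons = 0;
    if (ctx == NULL || *ctx == '\0' || strchr(ctx, '\n') != NULL) return 0;
    for (const char *p = ctx; *p != '\0'; p++) colons += (*p == ':');
    return colons >= 2;
}

/* What libselinux's setexeccon(3) does underneath: write the context the next
 * execve() should transition to into the thread's attr/exec node. 0, or -1/errno. */
int set_exec_context(const char *ctx)
{
    if (!valid_context(ctx)) { errno = EINVAL; return -1; }
    int fd = open("/proc/thread-self/attr/exec", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, ctx, strlen(ctx));
    int saved = errno;
    close(fd);
    if (n != (ssize_t)strlen(ctx)) { errno = saved; return -1; }
    return 0;
}

/* Close every descriptor from 'from' up to the soft RLIMIT_NOFILE. */
void close_fds_from(int from)
{
    struct rlimit rl;
    int maxfd = (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
                    ? (int)rl.rlim_cur : 1024;
    for (int fd = from; fd < maxfd; fd++)
        close(fd);
}

/* fork -> close fds -> setexeccon -> execv. Caveat from the reply: execve()
 * opens ld.so before the credential change, so that fd keeps the parent's x_t
 * label and the y_t child needs 'use' on it (or go via a static gate binary). */
pid_t launch_in_context(const char *ctx, char *const argv[])
{
    pid_t pid = fork();
    if (pid != 0) return pid;      /* parent, or -1 if fork() failed */
    close_fds_from(3);             /* keep stdio; the thread closed 0..maxfd */
    if (set_exec_context(ctx) == 0) execv(argv[0], argv);
    _exit(127);                    /* setexeccon or exec failed */
}
```

On a non-SELinux host set_exec_context fails with the kernel's errno (the attr node is absent or rejects the write), so the child exits 127 instead of running unconfined.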