On 06/22/2015 02:08 PM, Dominick Grift wrote:
> On Mon, Jun 22, 2015 at 06:07:20PM +0200, Miroslav Grepl wrote:
>
>> In Fedora, we have unconfined_service_t domain for unconfined services
>> started by init. So there is init_t @bin_t -> unconfined_service_t and
>> we get op=security_bounded_transition for init_t against
>> unconfined_service_t. But of course it is not going to work with
>>
>> typebounds init_t unconfined_service_t;
>>
>> because there is
>>
>> # <audit-1401> op=security_compute_av reason=bounds
>> scontext=system_u:system_r:unconfined_service_t:s0
>> tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint
>>
>> So this logic breaks our concept with unconfined_service_t.
>>
>
> What is running in the unconfined_service_t domain in that event?

Nothing at the point of that message. The message indicates a bounds
failure, which will then cause the kernel to fall back to the old context
if it was an automatic transition, or fail the exec with -EPERM if it was
explicitly requested via setexeccon().

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
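A small model of the two checks the thread names, added here as an example; it is not code from the thread, the kernel or libsepol. The allow rules are constructed stand-ins for init_t and unconfined_service_t, not the Fedora policy; the audit line is the one Miroslav quoted. It shows why the bare init_t -> unconfined_service_t transition fails security_bounded_transition() when no typebounds exists, and why adding "typebounds init_t unconfined_service_t;" moves the failure to security_compute_av() with reason=bounds: the child's access vector is masked with the parent's, and the file:entrypoint permission on bin_t that init_t lacks is stripped from unconfined_service_t. The fallback rule in exec_outcome() is the one stated in the reply; the order in which the two checks are applied is this model's assumption.

```python
import re

# Constructed allow rules, domain -> {(target_type, class): permissions}.
# Illustrative stand-ins for the thread's scenario, not the Fedora policy.
POLICY = {
    "init_t": {
        ("bin_t", "file"): {"read", "getattr", "execute"},
        ("init_exec_t", "file"): {"read", "execute", "entrypoint"},
    },
    "unconfined_service_t": {
        ("bin_t", "file"): {"read", "getattr", "execute", "entrypoint"},
    },
}

# "typebounds init_t unconfined_service_t;" expressed as child -> parent.
TYPEBOUNDS = {"unconfined_service_t": "init_t"}

# The audit line quoted in the thread.
AUDIT_LINE = ("# <audit-1401> op=security_compute_av reason=bounds "
              "scontext=system_u:system_r:unconfined_service_t:s0 "
              "tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint")


def bounds_chain(typebounds, t):
    """Every type that bounds t, nearest parent first."""
    chain = []
    while t in typebounds:
        t = typebounds[t]
        chain.append(t)
    return chain


def bounded_transition_ok(typebounds, old_type, new_type):
    """Model of security_bounded_transition(): the new domain must be the
    old one or be bounded by it somewhere up the typebounds chain."""
    return new_type == old_type or old_type in bounds_chain(typebounds, new_type)


def compute_av(policy, typebounds, stype, ttype, tclass):
    """Model of the reason=bounds handling in security_compute_av(): a bounded
    domain keeps only the permissions its parent also has.
    Returns (effective_perms, dropped_perms)."""
    perms = set(policy.get(stype, {}).get((ttype, tclass), set()))
    dropped = set()
    parent = typebounds.get(stype)
    if parent is not None:
        parent_perms, _ = compute_av(policy, typebounds, parent, ttype, tclass)
        dropped = perms - parent_perms
        perms -= dropped
    return perms, dropped


def exec_outcome(policy, typebounds, old_type, exec_type, new_type, explicit):
    """Where an exec ends up once both checks run.  The fallback rule is the
    one in the reply: a bounds failure falls back to the old context for an
    automatic transition and returns -EPERM for one requested via
    setexeccon().  A transition that survives still needs file:entrypoint
    on the executable after bounds masking (check order is an assumption)."""
    if not bounded_transition_ok(typebounds, old_type, new_type):
        if explicit:
            return ("EPERM", None)
        return ("fallback", old_type)
    perms, _ = compute_av(policy, typebounds, new_type, exec_type, "file")
    if "entrypoint" not in perms:
        return ("EACCES", None)  # avc denied file { entrypoint }
    return ("transition", new_type)


AUDIT_FIELD = re.compile(r"(\w+)=(\S+)")


def explain_bounds_denial(policy, typebounds, line):
    """Parse an 'op=security_compute_av reason=bounds' line and report which
    permissions were dropped because the bounding parent lacks them."""
    f = dict(AUDIT_FIELD.findall(line))
    stype = f["scontext"].split(":")[2]
    ttype = f["tcontext"].split(":")[2]
    _, dropped = compute_av(policy, typebounds, stype, ttype, f["tclass"])
    return {"child": stype, "parent": typebounds.get(stype), "target": ttype,
            "class": f["tclass"], "dropped": dropped}


if __name__ == "__main__":
    # Without typebounds: the transition itself is refused.
    print(exec_outcome(POLICY, {}, "init_t", "bin_t", "unconfined_service_t", False))
    print(exec_outcome(POLICY, {}, "init_t", "bin_t", "unconfined_service_t", True))
    # With typebounds: entrypoint is masked away instead.
    print(exec_outcome(POLICY, TYPEBOUNDS, "init_t", "bin_t", "unconfined_service_t", False))
    print(explain_bounds_denial(POLICY, TYPEBOUNDS, AUDIT_LINE))
```

The point the model makes concrete: typebounds is a containment relation, so it cannot be used to let a child domain (here one meant to be unconfined) do anything its parent cannot; the bounds mask applied in compute_av() is what produced the quoted reason=bounds line.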