On 06/22/2015 08:17 PM, Stephen Smalley wrote:
> On 06/22/2015 02:08 PM, Dominick Grift wrote:
>> On Mon, Jun 22, 2015 at 06:07:20PM +0200, Miroslav Grepl wrote:
>>
>>> In Fedora, we have unconfined_service_t domain for unconfined services
>>> started by init. So there is init_t @bin_t -> unconfined_service_t and
>>> we get op=security_bounded_transition for init_t against
>>> unconfined_service_t. But of course it is not going to work with
>>>
>>> typebounds init_t unconfined_service_t;
>>>
>>> because there is
>>>
>>> # <audit-1401> op=security_compute_av reason=bounds
>>> scontext=system_u:system_r:unconfined_service_t:s0
>>> tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint
>>>
>>> So this logic breaks our concept with unconfined_service_t.
>>>
>>
>> What is running in the unconfined_service_t domain in that event?
>
> Nothing at the point of that message. The message indicates a bounds
> failure, which will then cause the kernel to fall back to the old
> context if it was an automatic transition, or fail the exec with -EPERM
> if it was explicitly requested via setexeccon().
>

Please, forget about it. It works as expected. Sorry for the noise.

> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
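An added Python model of the two kernel checks the thread touches, written for this page and not taken from the thread or from the SELinux kernel source: without the typebounds line the exec fails the bounded-transition check, and with it the bounds masking strips entrypoint from unconfined_service_t (logging a line shaped like the audit message above), so the exec still fails. The allow rules are a constructed stand-in, not Fedora's real policy.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

Rules = Dict[Tuple[str, str, str], FrozenSet[str]]

# Constructed stand-in policy (assumption, not Fedora's rules): init_t may
# read/execute bin_t files but has no entrypoint on them; the service domain
# needs entrypoint on bin_t to be entered through a bin_t program.
ALLOW: Rules = {
    ("init_t", "bin_t", "file"): frozenset({"read", "execute"}),
    ("unconfined_service_t", "bin_t", "file"):
        frozenset({"read", "execute", "entrypoint"}),
}
# "typebounds init_t unconfined_service_t;" stored as child -> parent
BOUNDS: Dict[str, str] = {"unconfined_service_t": "init_t"}


def bounded_transition(old: str, new: str, bounds: Dict[str, str]) -> bool:
    """Model of security_bounded_transition(): new must be old itself or be
    (transitively) bounded by old, otherwise the transition is rejected."""
    t: Optional[str] = new
    while t is not None:
        if t == old:
            return True
        t = bounds.get(t)
    return False


def compute_av(src: str, tgt: str, cls: str, allow: Rules,
               bounds: Dict[str, str], audit: List[str]) -> FrozenSet[str]:
    """Permissions of src on tgt:cls after the bounds check: a bounded type may
    never hold a permission its parent lacks; the excess is masked off and an
    audit line in the form seen in the thread is recorded."""
    perms = set(allow.get((src, tgt, cls), frozenset()))
    parent = bounds.get(src)
    if parent is not None:
        masked = perms - compute_av(parent, tgt, cls, allow, bounds, audit)
        if masked:
            audit.append("op=security_compute_av reason=bounds "
                         f"scontext=system_u:system_r:{src}:s0 "
                         f"tcontext=system_u:object_r:{tgt}:s0 "
                         f"tclass={cls} perms={' '.join(sorted(masked))}")
            perms -= masked
    return frozenset(perms)


def exec_transition(old: str, new: str, entry: str, allow: Rules,
                    bounds: Dict[str, str], audit: List[str]) -> bool:
    """Domain transition on exec: old needs execute on the file, new needs
    entrypoint on it, and the old -> new transition must be bounded."""
    if "execute" not in compute_av(old, entry, "file", allow, bounds, audit):
        return False
    if "entrypoint" not in compute_av(new, entry, "file", allow, bounds, audit):
        return False
    if not bounded_transition(old, new, bounds):
        audit.append(f"op=security_bounded_transition old={old} new={new}")
        return False
    return True
```

Run `exec_transition("init_t", "unconfined_service_t", "bin_t", ALLOW, BOUNDS, log)` and then again with `{}` in place of `BOUNDS` to see the two failure paths and the audit lines each one produces.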