On 11/05/2016 07:55 PM, mm wrote: > Hi all, > > I have an executable started by /bin/foo which runs confined within the > context foo_t. > The process loads (actually does LD_PRELOAD) bar.so which needs to > access resources outside foo_t (actually unconfined_t). > > I can allow access to such resources from foo_t, but I would like to > allow such access only for code running within bar.so, instead of the > whole process. > > I have been looking in the docs, but I could not find if it is possible > to specify a source context for shared libraries, instead of whole > processes. > My idea would be to define a context bar_t for code running within > bar.so, and allow the required access (to unconfined_t) from bar_t, > without extending access for foo_t. > > Makes sense? Is it possible? > Makes sense, but is not possible AFAIK (not transparently anyway) > Thanks in advance, > M. Manfredini > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to > Selinux-request@xxxxxxxxxxxxx. -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
