On 11/05/2016 08:04 PM, Dominick Grift wrote:
> On 11/05/2016 07:55 PM, mm wrote:
>> Hi all,
>>
>> I have an executable started by /bin/foo which runs confined within the
>> context foo_t.
>> The process loads (actually does LD_PRELOAD) bar.so which needs to
>> access resources outside foo_t (actually unconfined_t).
>>
>> I can allow access to such resources from foo_t, but I would like to
>> allow such access only for code running within bar.so, instead of the
>> whole process.
>>
>> I have been looking in the docs, but I could not find if it is possible
>> to specify a source context for shared libraries, instead of whole
>> processes.
>> My idea would be to define a context bar_t for code running within
>> bar.so, and allow the required access (to unconfined_t) from bar_t,
>> without extending access for foo_t.
>>
>> Makes sense? Is it possible?
>>
>
> Makes sense, but is not possible AFAIK (not transparently anyway)

I mean it makes sense that you would want that.

>> Thanks in advance,
>> M. Manfredini
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to
>> Selinux-request@xxxxxxxxxxxxx.
>
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift