On 11/05/2016 02:55 PM, mm wrote:
> Hi all,
>
> I have an executable started by /bin/foo which runs confined within the
> context foo_t.
> The process loads (actually does LD_PRELOAD) bar.so which needs to
> access resources outside foo_t (actually unconfined_t).
>
> I can allow access to such resources from foo_t, but I would like to
> allow such access only for code running within bar.so, instead of the
> whole process.
>
> I have been looking in the docs, but I could not find if it is possible
> to specify a source context for shared libraries, instead of whole
> processes.
> My idea would be to define a context bar_t for code running within
> bar.so, and allow the required access (to unconfined_t) from bar_t,
> without extending access for foo_t.
>
> Makes sense? Is it possible?

I understand what you are saying, but it wouldn't be secure and it is not possible.

Instead, run bar.so in a separate program/process and have them communicate over an IPC mechanism.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
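The reply's point is that SELinux confines processes, not the libraries mapped into them: every allow rule is checked against the calling process's domain, so code in bar.so runs with exactly the permissions of foo_t. The following reference-policy-style fragment is an added example, not part of the thread or of any shipped policy, showing how the recommended design is expressed: the bar.so functionality moves into a helper binary with its own domain, foo_t reaches it only by executing it (domain transition) and talking to it over a Unix socket, and the extra access is granted to the helper domain alone. foo_t and unconfined_t come from the question; bar_t, bar_exec_t, bar_var_run_t and the helper path /usr/libexec/bar-helper are assumed names, and the fifo_file rule stands in for whatever resource the helper actually needs.

```te
# Added example (not from the thread): split the privileged part of
# bar.so into a separate process with its own SELinux domain.
# Assumed names: bar_t, bar_exec_t, bar_var_run_t, /usr/libexec/bar-helper.

policy_module(bar, 1.0)

require {
    type foo_t;            # from the question: the confined main program
    type unconfined_t;     # from the question: owner of the needed resources
}

# The helper (the code that used to live in bar.so) gets its own domain,
# entered only through its labelled executable.
type bar_t;
type bar_exec_t;
domain_type(bar_t)
domain_entry_file(bar_t, bar_exec_t)

# Label for the helper's listening Unix socket file.
type bar_var_run_t;
files_pid_file(bar_var_run_t)

# foo_t may execute the helper; doing so automatically transitions the
# new process into bar_t. This per-process boundary is the only kind
# SELinux can enforce; there is no per-library equivalent.
domain_auto_trans(foo_t, bar_exec_t, bar_t)

# Only bar_t receives the access the question wanted for bar.so alone.
# Placeholder rule: replace the class and permissions with what the
# helper really needs from unconfined_t-owned resources.
allow bar_t unconfined_t:fifo_file { read write };

# IPC across the boundary: the helper creates its socket, foo_t may
# connect to it. Nothing else in unconfined_t becomes reachable from foo_t.
allow bar_t bar_var_run_t:sock_file { create write unlink };
allow foo_t bar_var_run_t:sock_file write;
allow foo_t bar_t:unix_stream_socket connectto;
```

The matching file-context entry (`/usr/libexec/bar-helper -- gen_context(system_u:object_r:bar_exec_t,s0)`, an assumed path) is what makes the transition fire; after loading the module, `ps -Z` should show the helper in bar_t while /bin/foo stays in foo_t, and any denial in the audit log names whichever of the two domains actually requested the access, which is precisely the attribution a per-library context could not have provided.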