On Thu, Apr 30, 2020 at 2:18 AM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
>
> On 4/29/20 6:29 PM, Ian Pilcher wrote:
> > On 4/29/20 3:04 PM, Stephen Smalley wrote:
> >> On Wed, Apr 29, 2020 at 3:25 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
> >>> Slight update for posterity. It looks like it's possible to use a
> >>> symbolic link, so ...
> >>
> >> I don't see how that could work. Symbolic link should be resolved and its
> >> context only ever used to determine whether you could follow/read it. Not
> >> for the execute check.
> >>
> >
> > I can't speak to how it works, but it does work on CentOS 7.8. I
> > suppose it's entirely possible that it would fail on a more up-to-date
> > distribution.
> >
>
> I was incorrect. It doesn't work.
>
> The service does start, but it's running as unconfined_service_t (which
> makes even less sense to me). So back to making an actual copy of the
> interpreter.

That makes sense to me. The targeted policy in CentOS defaults to
transitioning to unconfined_service_t for services that lack a specific
domain/policy. The context of the symbolic link is irrelevant for the
execve because the link is read and resolved to the regular executable
file to which it refers before we even look at its context for transition
purposes, just as with setuid/setgid bits or file capabilities.
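The point made in the reply above (the domain transition on execve is decided by the label of the resolved regular file, never by the label of a symlink that points at it) can be checked from a shell. The script below is an added illustration and is not code from the thread or from the SELinux project; it assumes GNU coreutils `stat` and `readlink`, and on a host without SELinux `stat -c %C` simply reports `?` for every file, so only the path resolution is meaningful there. The function and file names (`exec_target`, `label_of`, `explain`, `interp`, `interp-link`) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: show which file's SELinux
# label the kernel consults on execve. The symlink is resolved first, so the
# label that matters for a type transition is the target's, not the link's.
# Assumes GNU coreutils; on a non-SELinux host stat -c %C prints "?".

# exec_target PATH -> print the fully resolved path that execve will actually run
exec_target() {
    readlink -f -- "$1"
}

# label_of PATH -> print the SELinux context of PATH itself, without following links
label_of() {
    stat -c %C -- "$1" 2>/dev/null || echo '?'
}

# explain PATH -> compare the link's own label with the label of its resolved target
explain() {
    link="$1"
    target=$(exec_target "$link")
    printf 'execve(%s)\n' "$link"
    printf '  link label   : %s (not consulted for the domain transition)\n' "$(label_of "$link")"
    printf '  resolved to  : %s\n' "$target"
    printf '  target label : %s (this is what the transition rule sees)\n' "$(label_of "$target")"
}

# Demo on a constructed temporary layout: a tiny "interpreter" and a symlink to it.
# On an SELinux host the two labels will typically differ (e.g. the link carries
# whatever the directory default gives it, the target keeps its own file type),
# which is exactly why labelling the link has no effect on the service's domain.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$dir/interp"
    chmod 755 "$dir/interp"
    ln -s "$dir/interp" "$dir/interp-link"
    explain "$dir/interp-link"
    rm -rf "$dir"
}

# Run the demo only when executed directly, not when sourced for testing.
case "$0" in
    *exec_label_demo.sh) demo ;;
esac
```

To inspect a real unit, call `explain` on the path from its `ExecStart=` line; if the resolved target is a shared interpreter with a generic label, the copy-and-relabel approach from the thread is what gives the service a file type that a transition rule can key on.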