Domain transition not working

Nabeel Moidu nabeelmoidu at gmail.com
Wed Feb 1 09:02:49 UTC 2012


Moray, Dan, Miroslav

Thanks for your inputs. It's working now.

I did an sesearch and grep'd for the type_transition lines. Then checked
the init scripts' labels once more.

What happened was the startup script files in init.d were symlinks and the
file types on those were defaulting to etc_t. I removed them and copied the
init scripts. Repeated restorecon and this time they were labeled
correctly and the transition also worked fine.

Nabeel

On Wed, Jan 25, 2012 at 10:38 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 01/24/2012 12:16 PM, Moray Henderson wrote:
> > *From:*selinux-bounces at lists.fedoraproject.org
> > [mailto:selinux-bounces at lists.fedoraproject.org] *On Behalf Of
> > *Nabeel Moidu *Subject:* Domain transition not working
> >
> > Hi
> >
> > I've got an executable file script.sh labeled xyz_exec_t. I've
> > also defined a domain xyz_t and added daemon_domain(xyz_t,
> > xyz_exec_t) in the .te file.
> >
> > When compiled and inserted, the file context labels seem to be
> > enforced correctly. Normally the executable script.sh is invoked by
> > the init scripts. As per the domain transition rule, I expect it to
> > show up with xyz_t as its domain in ps -efZ. But the transition does
> > not work as expected. The process runs as an unconfined domain.
> >
> > But when I add runcon in the line where the init script invokes
> > the executable with the domain as xyz_t, the process runs in the
> > proper context.
> >
> > Once I remove the runcon and invoke the init script, the domain
> > transition I applied in the custom module does not work out.
> >
> > Any suggestions?
> >
> > NB: The system is in permissive mode and this particular domain
> > xyz_t has also been defined as a permissive domain.
> >
> > Nabeel
> >
> > It might help us to see the exact rules that have been defined.
> > Hopefully this will show something up (thanks Dominick!):
> >
> > sesearch --allow -t xyz_t | grep transition
> >
> > If your executable is normally run by init scripts, it will be
> > coming from initrc_t, not unconfined_t, which may make a
> > difference.
> >
> > Moray.
> >
> > “To err is human; to purr, feline.”
> >
> > -- selinux mailing list selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> Also make sure the script is on a file system that is not set nosuid.
>
>



-- 
Thanks and Regards
Nabeel Moidu
Doha, Qatar
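As an added example (not from the thread or any of its participants), here is a POSIX shell pre-flight check for the three failure points the thread identifies: a symlinked init script whose real target is not labeled with the exec type, a missing type_transition rule in the loaded policy, and a nosuid mount. It assumes the thread's placeholder names xyz_t / xyz_exec_t plus the setools sesearch, GNU stat and findmnt commands; the helper function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for a domain transition such as initrc_t -> xyz_t via
# xyz_exec_t, i.e. the rule  type_transition initrc_t xyz_exec_t : process xyz_t;
# xyz_t / xyz_exec_t are the thread's placeholder names; helpers are my own.

# Third colon-separated field of a context like system_u:object_r:xyz_exec_t:s0.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Succeed if a mount option string (e.g. "rw,nosuid,relatime") contains nosuid;
# the kernel will not switch domains on exec from such a mount.
mount_is_nosuid() { case ",$1," in *,nosuid,*) return 0 ;; *) return 1 ;; esac; }

# Succeed if sesearch -T output ($1) holds the expected process transition
# from source domain $2 on entrypoint type $3 to target domain $4.
# Accepts both "exec_t : process" (setools 3) and "exec_t:process" (setools 4).
has_process_transition() {
    printf '%s\n' "$1" | grep -qE "^type_transition $2 $3 ?: ?process $4;"
}

# Live check. Usage: check_transition /etc/init.d/xyz initrc_t xyz_exec_t xyz_t
check_transition() {
    script=$1; src=$2; exec_t=$3; target=$4; rc=0
    real=$(readlink -f "$script")        # labels live on the target, not the link
    if [ "$real" != "$script" ]; then echo "note: $script is a symlink to $real"; fi
    ctx=$(stat -c %C "$real")            # GNU stat prints the SELinux context
    if [ "$(context_type "$ctx")" != "$exec_t" ]; then
        echo "FAIL: $real is labeled $ctx, expected type $exec_t (try restorecon -v)"; rc=1
    fi
    if mount_is_nosuid "$(findmnt -n -o OPTIONS --target "$real")"; then
        echo "FAIL: $real sits on a nosuid mount; the transition is suppressed"; rc=1
    fi
    rules=$(sesearch -T -s "$src" -t "$exec_t" -c process 2>/dev/null)
    if ! has_process_transition "$rules" "$src" "$exec_t" "$target"; then
        echo "FAIL: no type_transition $src $exec_t : process $target in loaded policy"; rc=1
    fi
    if [ $rc -eq 0 ]; then echo "OK: $src -> $target via $real looks correctly set up"; fi
    return $rc
}

if [ $# -eq 4 ]; then check_transition "$@"; fi
```

The helpers take plain strings, so the label, mount-option and rule checks can be exercised on captured output without SELinux installed; the live path only runs when four arguments are given.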