Moray, Dan, Miroslav<div><br></div><div>Thanks for your inputs. It's working now.</div><div><br></div><div>I did a sesearch and grep'd for the type_transition lines, then checked the init script labels once more.</div>
<div><br></div><div>What happened was that the startup script files in init.d were symlinks, and the file types on those were defaulting to etc_t. I removed them and copied the init scripts. Repeated restorecon, and this time they were labeled correctly and the transition also worked fine.</div>
<div><br></div><div>Nabeel<br><br><div class="gmail_quote">On Wed, Jan 25, 2012 at 10:38 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 01/24/2012 12:16 PM, Moray Henderson wrote:<br>
> *From:*<a href="mailto:selinux-bounces@lists.fedoraproject.org">selinux-bounces@lists.fedoraproject.org</a><br>
> [mailto:<a href="mailto:selinux-bounces@lists.fedoraproject.org">selinux-bounces@lists.fedoraproject.org</a>] *On Behalf Of<br>
> *Nabeel Moidu *Subject:* Domain transition not working<br>
<div><div></div><div class="h5">><br>
> Hi<br>
><br>
> I've got an executable file script.sh labeled xyz_exec_t. I've<br>
> also defined a domain xyz_t and added daemon_domain(xyz_t,<br>
> xyz_exec_t) in the .te file.<br>
><br>
> When compiled and inserted, the file context labels seem to be<br>
> enforced correctly. Normally the executable script.sh is invoked by<br>
> the init scripts. As per the domain transition rule, I expect it to<br>
> show up with xyz_t as its domain in ps -efZ. But the transition does<br>
> not work as expected. The process runs as an unconfined domain.<br>
><br>
> But when I add runcon in the line where the init script invokes<br>
> the executable with the domain as xyz_t, the process runs in the<br>
> proper context.<br>
><br>
> Once I remove the runcon and invoke the init script, the domain<br>
> transition I applied in the custom module does not work out.<br>
><br>
> Any suggestions?<br>
><br>
> NB: The system is in permissive mode and this particular domain<br>
> xyz_t has also been defined as a permissive domain.<br>
><br>
> Nabeel<br>
><br>
</div></div><div class="im">> It might help us to see the exact rules that have been defined.<br>
> Hopefully this will show something up (thanks Dominick!):<br>
><br>
> sesearch --allow -t xyz_t | grep transition<br>
><br>
> If your executable is normally run by init scripts, it will be<br>
> coming from initrc_t, not unconfined_t, which may make a<br>
> difference.<br>
><br>
> Moray.<br>
><br>
> “To err is human; to purr, feline.”<br>
><br>
</div><div class="im">> -- selinux mailing list <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
<br>
<br>
</div>Also make sure the script is on a file system that is not set nosuid.<br>
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Thanks and Regards<br>Nabeel Moidu<br>Doha, Qatar</div><br>
</div>
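<div>The three causes raised in this thread (no type_transition rule from initrc_t, the init.d entry being a symlink whose target carries the wrong label, and a nosuid mount) can be checked before restarting a service. The script below is an added example, not code from any participant in the thread; the policy line, file context and mount option strings are constructed stand-ins for the output of <code>sesearch -T -s initrc_t -t xyz_exec_t</code>, <code>stat -c %C "$(readlink -f /etc/init.d/xyz)"</code> and <code>findmnt -no OPTIONS -T &lt;path&gt;</code>, so it runs offline.</div>

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an
# init-script domain transition into xyz_t. All inputs are strings,
# so the real command output can be substituted on a live host.

# Does the policy carry type_transition $2 $3 : process $4 ?
# ($1 is constructed text standing in for `sesearch -T` output.)
has_transition() {
    printf '%s\n' "$1" | grep -q "^ *type_transition $2 $3 : process $4;"
}

# Type field of a security context such as system_u:object_r:etc_t:s0.
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Is nosuid among the mount options? (nosuid suppresses transitions on exec.)
mount_nosuid() {
    case ",$1," in *,nosuid,*) return 0 ;; esac
    return 1
}

# Print the first failing precondition, or "ok" when all three hold.
# $1 = policy rules, $2 = context of the *resolved* executable, $3 = mount options
diagnose() {
    if ! has_transition "$1" initrc_t xyz_exec_t xyz_t; then
        echo "no type_transition initrc_t xyz_exec_t : process xyz_t in policy"
    elif [ "$(context_type "$2")" != xyz_exec_t ]; then
        echo "executable labeled $(context_type "$2"), expected xyz_exec_t (check the symlink target, not the link)"
    elif mount_nosuid "$3"; then
        echo "filesystem mounted nosuid: transition suppressed"
    else
        echo ok
    fi
}

# Constructed sample data reproducing the symptom from the thread.
RULES='type_transition initrc_t xyz_exec_t : process xyz_t;'
BAD_CTX='system_u:object_r:etc_t:s0'       # symlinked init.d entry labeled etc_t
GOOD_CTX='system_u:object_r:xyz_exec_t:s0'

diagnose "$RULES" "$BAD_CTX"  "rw,relatime"
diagnose "$RULES" "$GOOD_CTX" "rw,nosuid,relatime"
diagnose "$RULES" "$GOOD_CTX" "rw,relatime"
```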