-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2012 12:16 PM, Moray Henderson wrote:
From: selinux-bounces@lists.fedoraproject.org
[mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Nabeel Moidu
Subject: Domain transition not working
Hi
I've got an executable file script.sh labeled xyz_exec_t. I've
also defined a domain xyz_t and added daemon_domain(xyz_t,
xyz_exec_t) in the .te file.
When compiled and inserted, the file context labels seem to be
enforced correctly. Normally the executable script.sh is invoked by
the init scripts. As per the domain transition rule, I expect it to
show up as xyz_t in ps -efZ. But the transition does
not work as expected. The process runs as an unconfined domain.
But when I add runcon in the line where the init script invokes
the executable with the domain as xyz_t, the process runs in the
proper context.
Once I remove the runcon and invoke the init script, the domain
transition I applied in the custom module does not work out.
Any suggestions?
NB: The system is in permissive mode and this particular domain
xyz_t has also been defined as a permissive domain.
Nabeel
It might help us to see the exact rules that have been defined.
Hopefully this will show something up (thanks Dominick!):
sesearch --allow -t xyz_t | grep transition
If your executable is normally run by init scripts, it will be
coming from initrc_t, not unconfined_t, which may make a
difference.
Moray.
“To err is human; to purr, feline.”
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Also make sure the script is on a file system that is not set nosuid.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEUEARECAAYFAk8gNvMACgkQrlYvE4MpobNdQgCg3LwHrco+A4NvgDfKfOwQ2fJ8
M9wAl3phiUBRHilCtuwU/2Nx+0KVWuw=
=fhMI
-----END PGP SIGNATURE-----
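As an added example (not code from this thread, nor from the SELinux or setools projects), the POSIX shell script below checks the two things the replies point at: whether the policy carries every rule an automatic transition from the caller's domain needs, and whether the script lives on a nosuid file system. The sesearch-style rule lines and the /proc/mounts-style lines are constructed samples (exact sesearch flag names differ between setools releases); the type names xyz_t and xyz_exec_t are the ones from the original question, and `init_daemon_domain()` is the reference-policy interface that supplies the initrc_t rules.

```shell
#!/bin/sh
# Added example, not from the list thread. Given sesearch-style output and
# /proc/mounts-style lines, report why a domain transition may not happen.

# Constructed sample in the layout setools' sesearch prints. As a user might
# find it: unconfined_t has a full transition, initrc_t only has execute.
POLICY_BROKEN='allow unconfined_t xyz_exec_t : file { read getattr open execute } ;
allow unconfined_t xyz_t : process transition ;
allow xyz_t xyz_exec_t : file entrypoint ;
type_transition unconfined_t xyz_exec_t : process xyz_t;
allow initrc_t xyz_exec_t : file { read getattr open execute } ;'

# Same policy after the initrc_t rules (what init_daemon_domain() in the
# reference policy provides) have been added.
POLICY_FIXED="$POLICY_BROKEN
allow initrc_t xyz_t : process transition ;
type_transition initrc_t xyz_exec_t : process xyz_t;"

# check_transition POLICY SRC EXEC DOM
# Prints "ok" when SRC can auto-transition into DOM by executing a file
# labelled EXEC; otherwise prints "missing:" plus the absent rules and
# returns 1. The four rules are: SRC may execute EXEC, SRC may transition to
# DOM, EXEC is an entrypoint of DOM, and a type_transition ties them together.
check_transition() {
    pol=$1; src=$2; exe=$3; dom=$4; missing=""
    has() { printf '%s\n' "$pol" | grep -Eq "$1"; }
    has "^allow $src $exe ?: ?file (\{[^}]* )?execute( |\}|;)" || missing="$missing execute"
    has "^allow $src $dom ?: ?process (\{[^}]* )?transition( |\}|;)" || missing="$missing transition"
    has "^allow $dom $exe ?: ?file (\{[^}]* )?entrypoint( |\}|;)" || missing="$missing entrypoint"
    has "^type_transition $src $exe ?: ?process $dom ?;" || missing="$missing type_transition"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; return 1; fi
}

# Constructed /proc/mounts-style sample: /home and /tmp are mounted nosuid.
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# fs_is_nosuid MOUNTS PATH: prints "nosuid" or "suid-ok" for the
# longest-prefix mount point holding PATH. The kernel does not perform a
# domain transition when executing from a nosuid mount, which is why the
# reply says to check for it.
fs_is_nosuid() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) > length(best)) { best = $2; opts = $4 }
        }
        END {
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") { print "nosuid"; exit }
            print "suid-ok"
        }'
}

# Stand-alone run; "|| :" keeps the script going past the failing check.
check_transition "$POLICY_BROKEN" unconfined_t xyz_exec_t xyz_t        # ok
check_transition "$POLICY_BROKEN" initrc_t xyz_exec_t xyz_t || :       # missing: transition type_transition
check_transition "$POLICY_FIXED" initrc_t xyz_exec_t xyz_t             # ok
fs_is_nosuid "$MOUNTS" /home/nabeel/script.sh                           # nosuid
fs_is_nosuid "$MOUNTS" /usr/local/bin/script.sh                         # suid-ok
```

On a live system the rule text comes from `sesearch` restricted with `-s initrc_t` (the domain the init scripts actually run in, as the reply notes) rather than only `-t xyz_t`, and the mount table from `/proc/mounts`; the sample above reproduces the situation in the question, where the transition works from unconfined_t (hence with runcon) but not from initrc_t.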