I'm struggling with this.
I have MLS enabled along with a freshly relabelled, rebooted system.
I have mapped my Linux user to SELinux user staff_u and do a domain transition
via sudo.
So, here is the dumb question: how do I start httpd?
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL
[root@pluto ~]# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
[root@pluto ~]# semanage login -l
Login Name    SELinux User    MLS/MCS Range
__default__   user_u          SystemLow
robert        staff_u         SystemLow-SystemHigh
root          root            SystemLow-SystemHigh
system_u      system_u        SystemLow-SystemHigh
[root@pluto ~]# semanage user -l
SELinux User   Labeling Prefix   MLS/MCS Level   MLS/MCS Range           SELinux Roles
staff_u        user              SystemLow       SystemLow-SystemHigh    auditadm_r staff_r secadm_r sysadm_r system_r
[root@pluto ~]# service httpd start
env: /etc/init.d/httpd: Permission denied
[root@pluto ~]# secon -f /usr/sbin/httpd
user: system_u
role: object_r
type: httpd_exec_t
sensitivity: SystemLow
clearance: SystemLow
mls-range: SystemLow
Do I have to transition to some domain (newrole?) or can I be in a domain (allowed of
course) that will execute the process and then do the transition?
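Added example, not part of the post above: a small POSIX shell triage script that takes two SELinux context strings (a process context as printed by `id -Z`, a file context as printed by `secon`) and decides whether the MLS part of the policy would allow the process to execute the file, so the "Permission denied" can be attributed to MLS or to type enforcement before reaching for newrole or run_init. The rule implemented is the refpolicy default for file read/execute, the process's current (low) level must dominate the file's level; the mlsfilereadtoclr exception (clearance, i.e. the high level, used instead) is noted but not modelled. The SystemLow = s0 and SystemHigh = s15:c0.c1023 mapping is the stock MLS setrans.conf and is treated here as an assumption; the sample contexts at the bottom are constructed from the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the post): MLS dominance check on context strings.
# Assumption: SystemLow/SystemHigh aliases map to s0 and s15:c0.c1023.
set -u

# expand_cats "c0,c3.c5" -> one category number per line ("0 3 4 5").
expand_cats() {
  ec_spec=$1
  [ -z "$ec_spec" ] && return 0
  printf '%s\n' "$ec_spec" | tr ',' '\n' | while IFS= read -r ec_part; do
    case $ec_part in
      *.*) ec_lo=${ec_part%%.*}; ec_hi=${ec_part##*.}
           seq "${ec_lo#c}" "${ec_hi#c}" ;;
      *)   echo "${ec_part#c}" ;;
    esac
  done | sort -u
}

# norm_level "s3:c0.c5" -> "3|c0.c5"; also resolves the setrans aliases.
norm_level() {
  nl_lvl=$1
  case $nl_lvl in
    SystemLow)  nl_lvl=s0 ;;             # assumption: stock MLS setrans.conf
    SystemHigh) nl_lvl=s15:c0.c1023 ;;   # assumption: stock MLS setrans.conf
  esac
  nl_sens=${nl_lvl%%:*}
  case $nl_lvl in
    *:*) nl_cats=${nl_lvl#*:} ;;
    *)   nl_cats= ;;
  esac
  printf '%s|%s\n' "${nl_sens#s}" "$nl_cats"
}

# dominates A B: A's sensitivity >= B's and A's categories are a superset of B's.
dominates() {
  d_a=$(norm_level "$1"); d_b=$(norm_level "$2")
  d_as=${d_a%%|*}; d_ac=${d_a#*|}
  d_bs=${d_b%%|*}; d_bc=${d_b#*|}
  [ "$d_as" -ge "$d_bs" ] || return 1
  d_acats=" $(expand_cats "$d_ac" | tr '\n' ' ') "
  for d_c in $(expand_cats "$d_bc"); do
    case $d_acats in
      *" $d_c "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Split "user:role:type:range" into its range, and a range into low/high level.
ctx_range()  { printf '%s\n' "${1#*:*:*:}"; }
range_low()  { printf '%s\n' "${1%%-*}"; }
range_high() { printf '%s\n' "${1##*-}"; }

# mls_can_exec PROC_CTX FILE_CTX: executing is a read under MLS, so the
# process's current level (low end of its range) must dominate the file's
# level. (Types with the mlsfilereadtoclr attribute may use the high end,
# range_high, instead; not modelled here.)
mls_can_exec() {
  mce_p=$(range_low "$(ctx_range "$1")")
  mce_f=$(range_low "$(ctx_range "$2")")
  dominates "$mce_p" "$mce_f"
}

# mls_verdict PROC_CTX FILE_CTX: human-readable triage line, exit 0 if MLS allows.
mls_verdict() {
  mv_p=$(range_low "$(ctx_range "$1")"); mv_f=$(range_low "$(ctx_range "$2")")
  if mls_can_exec "$1" "$2"; then
    echo "MLS: process level $mv_p dominates file level $mv_f -> MLS permits; look at type enforcement (AVC in audit.log, sesearch)"
    return 0
  fi
  echo "MLS: process level $mv_p does NOT dominate file level $mv_f -> MLS denies"
  return 1
}

# Constructed sample: the contexts reported in the post.
mls_verdict "staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023" "system_u:object_r:httpd_exec_t:s0"
# Constructed counter-example: a file classified above the process.
mls_verdict "staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023" "system_u:object_r:httpd_exec_t:s2:c1"
```

For the contexts in the post both levels are s0, so MLS is not what is refusing the init script; the denial comes from type enforcement on /etc/init.d/httpd, which is where `ausearch -m AVC -ts recent` and `sesearch -A -s sysadm_t -t initrc_exec_t -c file -p execute` (setools) give the exact rule being missed. In the strict and MLS policies the supported way for sysadm_t to start a service is `run_init service httpd start` (package policycoreutils-newrole), which performs the transition to the init script domain on your behalf instead of running the script directly in sysadm_t.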