On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
> Unconfined processes tend to stay unconfined. That is what uses expect,
> telling them that they are executing an uconfined process that suddenly
> becomes confined, seems wrong to them. That being said, you can end up
> with mislabeled files because of this.
>
> So
>
>
> unconfined_t -> squid_exec_t -> unconfined_t
>
> But unconfined processes starting init scripts have a transition
>
> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>
> So any time you are using a confined process you should use the init
> script to start them, otherwise you could get mislabeled files.
I also just wrote a blog on this.
http://danwalsh.livejournal.com/29041.html
Hmm...when did this change? It used to be the case that a domain
transition was also defined directly from unconfined_t to the daemon
domain when running the daemon binary, precisely because users and
scriptlets sometimes do that.
--
Stephen Smalley
National Security Agency