On 04/03/2015 09:22 AM, Miroslav Grepl wrote:
> On 04/01/2015 05:51 PM, W. Michael Petullo wrote:
>> Is it possible to cause a process to transition to a new domain but only
>> if it reads a file with a certain label? I am interested in imposing
>> this by modifying the SELinux policy only, that is, not requiring any
>> action on the part of the process itself. You could think of this as a
>> rough analog to HiStar and others' "tainting".
>>
> SELinux process transition happens on execve() calling. Not sure what
> your point is here?

Miroslav is correct, there is no way to do what you want with SELinux.
Transitions happen on exec, or a process can attempt to change its own
label, if allowed by policy. Those are the only ways for a process to
get a label.
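
The two mechanisms named in the reply above, written out as policy rules. This is an added example, not part of the original thread; every type name in it (caller_t, app_exec_t, app_t, app_locked_t, secret_data_t) is hypothetical, and the fragment shows only the rules themselves, not the type declarations and role statements a loadable module would also need.

```selinux
# Hypothetical types:
#   caller_t       domain of the process that calls execve()
#   app_exec_t     label on the program file being executed
#   app_t          domain the new program runs in after exec
#   app_locked_t   domain the process later moves itself into
#   secret_data_t  label on a data file the process reads

# 1. Transition on execve(): the default new domain plus the three
#    permissions the kernel checks before it applies that default.
type_transition caller_t app_exec_t:process app_t;
allow caller_t app_exec_t:file { getattr open read execute };
allow caller_t app_t:process transition;
allow app_t app_exec_t:file entrypoint;

# 2. Dynamic transition: the process itself asks for a new label
#    (setcon(3), i.e. a write to /proc/self/attr/current).
allow app_t self:process setcurrent;
allow app_t app_locked_t:process dyntransition;

# Reading a labelled file is only an access check. This rule either
# permits or denies the read; no rule type ties a read to a change of
# the reader's domain.
allow app_t secret_data_t:file { getattr open read };
```

The dynamic transition in part 2 still requires the process to make the request itself, which is the "action on the part of the process" the original question wanted to avoid.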