Hi

 

I've got an executable file script.sh labeled xyz_exec_t. I've also defined a domain xyz_t  and added daemon_domain(xyz_t, xyz_exec_t) in the .te file.

When compiled and inserted, the file context labels seem to be enforced correctly. Normally the executable script.sh is invoked by the init scripts.

As per the domain transition rule, I expect it show up xyz_t as its domain in ps -efZ . But the transition does not work as expected. The process runs as an unconfined domain.

 

But when I add runcon in the line where the init script invokes the executable with the domain as xyz_t, the process runs in the proper context.

 

Once I remove the runcon and invoke the init script, the domain transition I applied in the custom module does not work out.

 

Any suggestions ?

 

NB: The system is on permissive mode and this particular domain xyz_t has also been defined as a permissive domain.

 

Nabeel

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux