On 1/13/20 11:27 PM, zer0 0ne wrote: Hi Zer0, For this purpose there are Domain Transition rules defined in SELinux policy. Let's follow up with your example. You have several SELinux domains for daemons D1,D2, and corresponding config files C1,C2. Than you can label also utility for manipulate these config files, let's say U1. You define that Daemons can only read own config files. allow D1 C1:file read; allow D2 C2:file read; and now the tricky part. You need to allow utility U1 to write to both config files. allow U1 C1:file {read append write}; allow U1 C2:file {read append write}; But how to switch from D1 or D2 to U1? Well, now Domain Transition will play its part. You can label binary file of utility as U1_exec_t and say: If Daemons labeled as D1(D2) will execute binary file labeled as U1_exec_t, then the newly created process will be labeled as U1. SELinux syntax: type_transition D1 U1_exec_t: process U1; This how you achieve that daemons cannot write to config files only utility. More info: https://selinuxproject.org/page/NB_Domain_and_Object_Transitions Thanks, Lukas. -- Lukas Vrabec SELinux Evangelist, Senior Software Engineer, Security Technologies Red Hat, Inc.