Domain transition not working

Moray Henderson Moray.Henderson at ict-software.org
Tue Jan 24 17:16:20 UTC 2012


From: selinux-bounces at lists.fedoraproject.org
[mailto:selinux-bounces at lists.fedoraproject.org] On Behalf Of Nabeel Moidu
Subject: Domain transition not working

Hi

I've got an executable file script.sh labeled xyz_exec_t. I've also defined
a domain xyz_t and added daemon_domain(xyz_t, xyz_exec_t) in the .te file.

When compiled and inserted, the file context labels seem to be enforced
correctly. Normally the executable script.sh is invoked by the init scripts.
As per the domain transition rule, I expect it to show xyz_t as its domain
in ps -efZ. But the transition does not work as expected. The process runs
as an unconfined domain.

But when I add runcon in the line where the init script invokes the
executable with the domain as xyz_t, the process runs in the proper context.

Once I remove the runcon and invoke the init script, the domain transition I
applied in the custom module does not work out.

Any suggestions?

NB: The system is in permissive mode and this particular domain xyz_t has
also been defined as a permissive domain.

Nabeel

It might help us to see the exact rules that have been defined. Hopefully
this will show something up (thanks Dominick!):

sesearch --allow -t xyz_t | grep transition

If your executable is normally run by init scripts, it will be coming from
initrc_t, not unconfined_t, which may make a difference.

Moray.

"To err is human; to purr, feline."
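An added example, not the module from the question and not Fedora's own policy: a minimal xyz.te that covers both callers the reply distinguishes, an init script running in initrc_t and a root shell running in unconfined_t. It keeps the names xyz_t and xyz_exec_t from the question; the interface names init_daemon_domain(), unconfined_domtrans_to(), corecmd_exec_shell() and corecmd_exec_bin() are assumptions about the reference-policy version installed (check them under /usr/share/selinux/devel/include), and the daemon's own access rules are deliberately left out.

```selinux
policy_module(xyz, 1.0.0)

########################################
#
# Declarations
#

# The domain and entrypoint type from the question. init_daemon_domain()
# (assumed to be the interface the installed policy provides) marks xyz_t
# as a domain, xyz_exec_t as its entrypoint, and adds the automatic
# transition initrc_t -> xyz_t, which is the path an init script takes.
type xyz_t;
type xyz_exec_t;
init_daemon_domain(xyz_t, xyz_exec_t)

# Init scripts come from initrc_t, but a root shell is unconfined_t and
# needs its own transition rule, or script.sh stays unconfined when run
# by hand. unconfined_domtrans_to() is assumed to supply that rule.
unconfined_domtrans_to(xyz_t, xyz_exec_t)

# Permissive domain while developing, as in the thread: denials are
# logged but not enforced, so the transition can be tested on its own.
permissive xyz_t;

########################################
#
# Local policy
#

# script.sh is a shell script, so the new domain has to be allowed to
# execute the interpreter and the usual helpers in /bin and /usr/bin.
corecmd_exec_shell(xyz_t)
corecmd_exec_bin(xyz_t)

# Access rules for whatever script.sh actually does are intentionally
# omitted; collect them from the permissive domain's AVC messages with
# audit2allow once the transition itself is confirmed to work.
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile xyz.pp` and `semodule -i xyz.pp`, with an xyz.fc beside it that labels the script, e.g. `/usr/local/bin/script\.sh -- gen_context(system_u:object_r:xyz_exec_t,s0)` (path assumed), then `restorecon -v` on the file. `sesearch -T -s initrc_t -t xyz_exec_t -c process` should list a type_transition to xyz_t; if it does not, the module is not supplying the initrc_t rule the reply asks about. Two things that quietly defeat the transition even when the rules are right: the init script must execute the file itself (`/usr/local/bin/script.sh`), because `sh /usr/local/bin/script.sh` executes /bin/sh and the entrypoint check never sees xyz_exec_t; and the on-disk label shown by `ls -Z` must actually be xyz_exec_t, not merely the context the .fc would assign.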
