Domain transition not working
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 25 17:08:03 UTC 2012
On 01/24/2012 12:16 PM, Moray Henderson wrote:
> From: selinux-bounces at lists.fedoraproject.org
> [mailto:selinux-bounces at lists.fedoraproject.org] On Behalf Of
> Nabeel Moidu
> Subject: Domain transition not working
>
> Hi
>
> I've got an executable file script.sh labeled xyz_exec_t. I've
> also defined a domain xyz_t and added daemon_domain(xyz_t,
> xyz_exec_t) in the .te file.
>
> When compiled and inserted, the file context labels seem to be
> enforced correctly. Normally the executable script.sh is invoked by
> the init scripts. As per the domain transition rule, I expect it to
> show up with xyz_t as its domain in ps -efZ. But the transition does
> not work as expected. The process runs as an unconfined domain.
>
> But when I add runcon in the line where the init script invokes
> the executable with the domain as xyz_t, the process runs in the
> proper context.
>
> Once I remove the runcon and invoke the init script, the domain
> transition I applied in the custom module does not work out.
>
> Any suggestions?
>
> NB: The system is in permissive mode and this particular domain
> xyz_t has also been defined as a permissive domain.
>
> Nabeel
>
> It might help us to see the exact rules that have been defined.
> Hopefully this will show something up (thanks Dominick!):
>
> sesearch --allow -t xyz_t | grep transition
>
> If your executable is normally run by init scripts, it will be
> coming from initrc_t, not unconfined_t, which may make a
> difference.
>
> Moray.
>
> "To err is human; to purr, feline."
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Also make sure the script is on a file system that is not set nosuid.
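The checks the two replies point at, gathered into one diagnostic script. This is an added example, not code from the thread or from the Fedora policy. It assumes a script at /usr/local/bin/script.sh, the placeholder type names xyz_exec_t and xyz_t, and, when run against a live system, sesearch from setools, findmnt from util-linux and stat from coreutils. The parsing functions take command output as a string, so they are shown here on constructed sesearch and findmnt output in both the setools 3 and setools 4 spellings; the policy names below are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added diagnostic for an exec-based domain transition that works under
# runcon but not when an init script starts the program. It checks the
# three things the replies point at: that the policy really carries the
# transition from initrc_t (what init scripts run as, not unconfined_t),
# that the file is labelled with the entrypoint type, and that the file is
# not on a nosuid mount, where the kernel silently keeps the caller's domain.
# The names below are assumed placeholders, not taken from the thread.

SRC=initrc_t                      # domain the init script runs in
EXEC_T=xyz_exec_t                 # entrypoint type of the script
DST=xyz_t                         # domain it should transition into
SCRIPT=/usr/local/bin/script.sh   # assumed location of the script

# The checks take command output as a string so they can be exercised on
# captured or constructed output as well as on a live system.

# has_domtrans OUTPUT SRC EXEC_T DST
# True if a "type_transition SRC EXEC_T:process DST" rule is in OUTPUT.
# Accepts both the setools 3 ("a b : process c;") and setools 4
# ("a b:process c;") spellings.
has_domtrans() {
    printf '%s\n' "$1" | grep -Eq \
      "^type_transition[[:space:]]+${2}[[:space:]]+${3}[[:space:]]*:[[:space:]]*process[[:space:]]+${4}[[:space:]]*;"
}

# has_allow OUTPUT SRC TGT CLASS PERM
# True if an "allow SRC TGT:CLASS" rule in OUTPUT grants PERM, whether the
# permission is printed alone or inside a { ... } list.
has_allow() {
    printf '%s\n' "$1" | grep -Eq \
      "^allow[[:space:]]+${2}[[:space:]]+${3}[[:space:]]*:[[:space:]]*${4}[[:space:]]+([{][^}]*[[:space:]])?${5}([[:space:]]|;)"
}

# is_nosuid OPTIONS
# True if the comma-separated mount option list contains nosuid.
is_nosuid() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx nosuid
}

# file_type CONTEXT
# The type field of a file context such as system_u:object_r:xyz_exec_t:s0.
file_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# run_live gathers the real output with sesearch (setools), findmnt
# (util-linux) and stat (coreutils) and reports every failed check.
run_live() {
    ctx=$(stat -c %C "$SCRIPT")
    opts=$(findmnt -n -o OPTIONS -T "$SCRIPT")
    trans=$(sesearch -T -s "$SRC" -t "$EXEC_T" -c process)
    allows=$(sesearch -A -s "$SRC" -t "$EXEC_T" -c file
             sesearch -A -s "$SRC" -t "$DST" -c process
             sesearch -A -s "$DST" -t "$EXEC_T" -c file)
    rc=0
    [ "$(file_type "$ctx")" = "$EXEC_T" ] ||
        { echo "$SCRIPT is labelled $ctx, not $EXEC_T"; rc=1; }
    if is_nosuid "$opts"; then
        echo "$SCRIPT is on a nosuid mount; no transition will happen"; rc=1
    fi
    has_domtrans "$trans" "$SRC" "$EXEC_T" "$DST" ||
        { echo "no type_transition $SRC $EXEC_T:process $DST in policy"; rc=1; }
    has_allow "$allows" "$SRC" "$EXEC_T" file execute ||
        { echo "$SRC may not execute $EXEC_T files"; rc=1; }
    has_allow "$allows" "$SRC" "$DST" process transition ||
        { echo "$SRC may not transition to $DST"; rc=1; }
    has_allow "$allows" "$DST" "$EXEC_T" file entrypoint ||
        { echo "$EXEC_T is not an entrypoint for $DST"; rc=1; }
    [ $rc -eq 0 ] && echo "all transition prerequisites are in place"
    return $rc
}

# Only touch the live system when asked, so the functions can be sourced.
case "${1:-}" in
    --live) run_live ;;
esac
```

Run it as `sh check-domtrans.sh --live` on the box in question. Two of the failure modes it reports leave no AVC message even in enforcing mode, which is why permissive mode and a permissive domain did not help here: without a type_transition rule no transition is attempted at all, and on a nosuid mount the kernel keeps the caller's domain without auditing anything. One more thing the script cannot see is how the init script starts the program: the transition is keyed on the file that is actually executed, so `sh script.sh` or sourcing it runs /bin/sh rather than the xyz_exec_t file and no transition happens; the init script has to exec the labelled file directly, which is also why an explicit runcon hides the problem.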