Change process domain upon reading a file

Daniel J Walsh dwalsh at redhat.com
Sat Apr 4 11:33:20 UTC 2015


On 04/03/2015 09:22 AM, Miroslav Grepl wrote:
> On 04/01/2015 05:51 PM, W. Michael Petullo wrote:
>> Is it possible to cause a process to transition to a new domain but only
>> if it reads a file with a certain label? I am interested in imposing
>> this by modifying the SELinux policy only, that is, not requiring any
>> action on the part of the process itself. You could think of this as a
>> rough analog to HiStar and others' "tainting".
>>
> SELinux process transition happens on execve() calling. Not sure what
> your point is here?
>
Miroslav is correct, there is no way to do what you want with SELinux.
Transitions happen on exec, or a process can attempt to change its own
label, if allowed by policy.  Those are the only ways for a process to get
a label.
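As an added illustration (not part of the thread, and not from the refpolicy or any shipped module), the sketch below shows the two mechanisms Dan lists in reference-policy module syntax; the types taint_t, taint_exec_t and tainted_file_t are hypothetical names chosen for the example.

```te
# Hypothetical module illustrating the two ways a process can get a label.
policy_module(taint_example, 1.0)

gen_require(`
	type unconfined_t;
')

type taint_t;          # hypothetical target domain
type taint_exec_t;     # hypothetical entrypoint (executable) label
type tainted_file_t;   # hypothetical label the original question wanted to key on

domain_type(taint_t)
domain_entry_file(taint_t, taint_exec_t)

# 1. Transition on execve(): an unconfined_t process that executes a file
#    labelled taint_exec_t lands in taint_t automatically. The process
#    does not have to cooperate; the policy alone decides.
domain_auto_trans(unconfined_t, taint_exec_t, taint_t)

# 2. Self-initiated transition: the running process asks for a new label
#    (setcon(3), which writes /proc/self/attr/current). This only works if
#    policy grants dyntransition from the old domain to the new one, and it
#    requires the process itself to make the call.
allow unconfined_t taint_t:process dyntransition;

# What was asked for does not exist: reading a tainted_file_t file is only
# an access check. Granting or denying the read is all the policy can do;
# no rule changes the reader's domain as a side effect of the read.
allow taint_t tainted_file_t:file read_file_perms;
```

A practitioner who needs "taint on read" therefore has to either deny the read to domains that must stay clean, or arrange for the reader to be exec'd from an entrypoint whose transition puts it in the restricted domain up front.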