Re: Domain transition not working

On 01/24/2012 12:16 PM, Moray Henderson wrote:
> *From:* selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] *On Behalf Of* Nabeel Moidu
> *Subject:* Domain transition not working
> 
> 
> 
> Hi
> 
> 
> 
> I've got an executable file script.sh labeled xyz_exec_t. I've
> also defined a domain xyz_t  and added daemon_domain(xyz_t,
> xyz_exec_t) in the .te file.
> 
> When compiled and inserted, the file context labels seem to be
> enforced correctly. Normally the executable script.sh is invoked by
> the init scripts. As per the domain transition rule, I expect it to
> show up with xyz_t as its domain in ps -efZ. But the transition does
> not work as expected. The process runs as an unconfined domain.
> 
> 
> 
> But when I add runcon in the line where the init script invokes
> the executable with the domain as xyz_t, the process runs in the
> proper context.
> 
> 
> 
> Once I remove the runcon and invoke the init script, the domain 
> transition I applied in the custom module does not work out.
> 
> 
> 
> Any suggestions ?
> 
> 
> 
> NB: The system is on permissive mode and this particular domain
> xyz_t has also been defined as a permissive domain.
> 
> 
> 
> Nabeel
> 
> 
> 
> It might help us to see the exact rules that have been defined. 
> Hopefully this will show something up (thanks Dominick!):
> 
> 
> 
> sesearch --allow -t xyz_t | grep transition
> 
> 
> 
> If your executable is normally run by init scripts, it will be
> coming from initrc_t, not unconfined_t, which may make a
> difference.
> 
> 
> 
> 
> 
> Moray.
> 
> “To err is human; to purr, feline.”
> 
> 
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Also make sure the script is on a file system that is not set nosuid.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
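
The nosuid check suggested in the reply above, as an added example that is not part of the original thread: it finds the deepest mount point containing the script and reports whether that mount carries `nosuid`. The helper names `mount_for_path` and `is_nosuid` are hypothetical, and `SAMPLE_MOUNTS` is constructed data in `/proc/mounts` format.

```shell
#!/bin/sh
# Added example: mount_for_path and is_nosuid are hypothetical helper names.
# SAMPLE_MOUNTS is constructed data in /proc/mounts format, for offline testing.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /opt ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /opt/xyz ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_for_path PATH [MOUNTS_FILE]
# Print "<mountpoint> <options>" for the deepest mount point containing PATH.
# A later entry for the same mount point wins, as it shadows the earlier one.
mount_for_path() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= length(best)) { best = $2; opts = $4 }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/mounts}"
}

# is_nosuid PATH [MOUNTS_FILE]: succeed if PATH lives on a nosuid mount.
is_nosuid() {
    mfp_opts=$(mount_for_path "$1" "${2:-/proc/mounts}" | awk '{ print $2 }')
    case ",$mfp_opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_nosuid.sh /absolute/path/to/script.sh
if [ "$#" -gt 0 ]; then
    if is_nosuid "$1"; then
        echo "$1: on a nosuid mount ($(mount_for_path "$1"))"
        exit 1
    fi
    echo "$1: not on a nosuid mount ($(mount_for_path "$1"))"
fi
```

Pass the absolute, symlink-resolved path of the executable, since the match is a plain prefix comparison against the mount table.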


