runcon cmd preventing default domain transition

Daniel J Walsh dwalsh at redhat.com
Tue May 15 18:28:04 UTC 2007


Clarkson, Mike R (US SSA) wrote:
> I have my policy set up to do a domain transition from the datalabeler_t
> domain to the import_t domain when the datalabeler_t domain executes the
> SimulatedImport (type import_exec_t) executable. This works fine until I
> execute the SimulatedImport executable using a runcon command: "runcon
> -l s1 SimulatedImport"
>
> The intent is to start the import_t domain at the s1 level, but the
> runcon command prevents the default domain transition from occurring. I
> found I had to use the following to force the domain transition while
> also setting the level of the process: "runcon -t import_t -l s1
> SimulatedImport"
>
> Can anyone tell me why I have to explicitly set the type to get the
> domain transition to occur? The policy is set up to do the domain
> transition by default when the ImportExecutable is executed in the
> datalabeler_t domain, and this works fine when I don't use the runcon
> command, but then the import_t domain is not running at the level that I
> want.
>
> Thanks,
>   Mike
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
runcon is doing a setexeccon which will override the transition.

So the code does a getprevcon to get the context of the process running 
runcon.  It then changes the component of the security context you 
selected and does a setexeccon.

So if I am running sysadm_u:sysadm_r:sysadm_t:s0 and I run
runcon -l s1 SimulatedImport

It will attempt a setexeccon("sysadm_u:sysadm_r:sysadm_t:s1") and then 
exec the app. 
No transition will happen.
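A small model of the mechanism explained above, added here as an illustration rather than runcon's or libselinux's own code: the caller context, the datalabeler_t/import_exec_t type_transition rule and the staff_u:staff_r prefix are constructed, and the kernel's permission checks (entrypoint, transition) are left out.

```c
#include <stdio.h>
#include <string.h>

/* Model (added example, not runcon's code): runcon copies the caller's
 * context, swaps in the components given on the command line and calls
 * setexeccon(); once an exec context is set, the kernel uses it instead of
 * consulting the policy's type_transition rule. Permission checks omitted. */
struct ctx { char user[64], role[64], type[64], range[64]; };

/* The poster's rule: datalabeler_t executing import_exec_t becomes import_t. */
static const struct { const char *src, *exec, *target; } type_transition[] = {
    { "datalabeler_t", "import_exec_t", "import_t" },
};

static int parse_ctx(const char *s, struct ctx *c) {
    return sscanf(s, "%63[^:]:%63[^:]:%63[^:]:%63s",
                  c->user, c->role, c->type, c->range) == 4;
}

static void format_ctx(const struct ctx *c, char *out, size_t n) {
    snprintf(out, n, "%s:%s:%s:%s", c->user, c->role, c->type, c->range);
}

/* What runcon hands to setexeccon(): the caller's context with the -t and/or
 * -l components replaced (NULL means the option was not given). */
int runcon_exec_context(const char *caller, const char *opt_type,
                        const char *opt_range, char *out, size_t n) {
    struct ctx c;
    if (!parse_ctx(caller, &c)) return 0;
    if (opt_type)  snprintf(c.type,  sizeof c.type,  "%s", opt_type);
    if (opt_range) snprintf(c.range, sizeof c.range, "%s", opt_range);
    format_ctx(&c, out, n);
    return 1;
}

/* Context the new process ends up in. exec_ctx == NULL models a plain exec
 * with no setexeccon, which is the only case where type_transition applies. */
int exec_result_context(const char *caller, const char *exec_ctx,
                        const char *file_type, char *out, size_t n) {
    struct ctx c;
    if (exec_ctx) { snprintf(out, n, "%s", exec_ctx); return 1; }
    if (!parse_ctx(caller, &c)) return 0;
    for (size_t i = 0; i < sizeof type_transition / sizeof *type_transition; i++)
        if (!strcmp(c.type, type_transition[i].src) &&
            !strcmp(file_type, type_transition[i].exec))
            snprintf(c.type, sizeof c.type, "%s", type_transition[i].target);
    format_ctx(&c, out, n);
    return 1;
}
```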
