* domain transition issue
@ 2010-03-09 13:53 michel m
  2010-03-09 16:27 ` Daniel J Walsh
  0 siblings, 1 reply; 2+ messages in thread
From: michel m @ 2010-03-09 13:53 UTC (permalink / raw)
  To: selinux

Hello,
I need to run an unconfined process in a confined domain, say httpd_t. To do
so, I changed executable file's context to a confined one, say httpd_exec_t,
but after running it, its process was in unconfined domain again.
As I searched more, I found that there is not a legal transition for an
unconfined process to a confined one in normal form. I created a script
file which contained scripts for running my desired application, changed
script's context to initrc_exec_t. After running this script, I get my
process unconfined again.
May someone guide me how to resolve this issue and run my application in
unconfined domain?

Regards.


* Re: domain transition issue
  2010-03-09 13:53 domain transition issue michel m
@ 2010-03-09 16:27 ` Daniel J Walsh
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2010-03-09 16:27 UTC (permalink / raw)
  To: michel m; +Cc: selinux

On 03/09/2010 08:53 AM, michel m wrote:
> Hello,
> I need to run an unconfined process in a confined domain, say httpd_t. 
> To do so, I changed executable file's context to a confined one, say 
> httpd_exec_t, but after running it, its process was in unconfined 
> domain again.
> As I searched more, I found that there is not a legal transition for 
> an unconfined process to a confined one in normal form. I created a
> script file which contained scripts for running my desired
> application, changed script's context to initrc_exec_t. After running
> this script, I get my process unconfined again.
> May someone guide me how to resolve this issue and run my application
> in unconfined domain?
>
> Regards.
If you want to transition from unconfined_t to httpd_t you need to 
execute a script labeled initrc_exec_t.

unconfined_t -> initrc_exec_t -> initrc_t -> httpd_exec_t -> httpd_t

So you need the init script labeled initrc_exec_t and the program you 
want to run as httpd_t to be labeled httpd_exec_t.

I would add an id -Z to your initrc_exec_t script to make sure the 
transition happened.
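
The id -Z check suggested in the reply above, written out as an added example that is not part of the original thread: a launcher that refuses to start the program unless it is already running as initrc_t. The paths, the file name run-myapp.sh and the function names are hypothetical; the labels are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. APP is a hypothetical path; it is
# assumed to be labeled httpd_exec_t and this script initrc_exec_t, e.g.:
#   chcon -t initrc_exec_t /usr/local/sbin/run-myapp.sh
#   chcon -t httpd_exec_t  /usr/local/bin/myapp
APP=${APP:-/usr/local/bin/myapp}

# Print the type field of a context string (user:role:type[:level]).
# The MLS level may itself contain colons (s0-s0:c0.c1023), so take
# field 3 rather than the last field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if context $2 (default: this process, via id -Z) has type $1.
# Return 2 if no context is available (SELinux disabled or id -Z failed).
in_domain() {
    ctx=${2-$(id -Z 2>/dev/null)} || return 2
    [ -n "$ctx" ] || return 2
    [ "$(context_type "$ctx")" = "$1" ]
}

# Refuse to start the program unless the first hop already happened.
launch() {
    if ! in_domain initrc_t; then
        echo "still in '$(id -Z 2>/dev/null)'; not starting $APP" >&2
        return 1
    fi
    # Second hop: initrc_t executing an httpd_exec_t file -> httpd_t.
    exec "$APP"
}

# Run only when invoked as the launcher itself (hypothetical file name).
case ${0##*/} in run-myapp.sh) launch ;; esac
```

If the launcher reports unconfined_t, the first hop did not happen and the label on the script is the place to look; if it starts the program but the program is not in httpd_t, check the label on the program file.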
