Hi

I've got an executable file script.sh labeled xyz_exec_t. I've also defined a domain xyz_t and added daemon_domain(xyz_t, xyz_exec_t) in the .te file. When compiled and inserted, the file context labels seem to be enforced correctly. Normally the executable script.sh is invoked by the init scripts. As per the domain transition rule, I expect it to show up with xyz_t as its domain in ps -efZ. But the transition does not work as expected. The process runs as an unconfined domain.

But when I add runcon in the line where the init script invokes the executable with the domain as xyz_t, the process runs in the proper context. Once I remove the runcon and invoke the init script, the domain transition I applied in the custom module does not work out.

Any suggestions?

NB: The system is on permissive mode and this particular domain xyz_t has also been defined as a permissive domain.

Nabeel
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
01-24-2012, 04:16 PM
Moray Henderson
Domain transition not working
It might help us to see the exact rules that have been defined. Hopefully this will show something up (thanks Dominick!):

sesearch --allow -t xyz_t | grep transition

If your executable is normally run by init scripts, it will be coming from initrc_t, not unconfined_t, which may make a difference.

Moray.
“To err is human; to purr, feline.”
01-25-2012, 10:08 AM
Miroslav Grepl
Domain transition not working
On 01/24/2012 04:29 PM, Nabeel Moidu wrote:
> Hi
>
> I've got an executable file script.sh labeled xyz_exec_t.
> I've also defined a domain xyz_t and added daemon_domain(xyz_t,
> xyz_exec_t) in the .te file.
Could you paste your definition of types?
> When compiled and inserted, the file context labels seem to
> be enforced correctly. Normally the executable script.sh is
> invoked by the init scripts.
How does your init script look?
01-25-2012, 04:08 PM
Daniel J Walsh
Domain transition not working
On 01/24/2012 12:16 PM, Moray Henderson wrote:
> It might help us to see the exact rules that have been defined.
> Hopefully this will show something up (thanks Dominick!):
> sesearch --allow -t xyz_t | grep transition
> If your executable is normally run by init scripts, it will be
> coming from initrc_t, not unconfined_t, which may make a
> difference.
Also make sure the script is on a file system that is not set nosuid.
Moray, Dan, Miroslav
Thanks for your inputs. It's working now.
I did an sesearch and grep'd for the type_transition lines. Then checked the init script labels once more.
What happened was the startup script files in init.d were symlinks and the file types on those were defaulting to etc_t. I removed them and copied the init scripts. Repeated restorecon and this time they were labeled correctly and the transition also worked fine.
Nabeel
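As an added example (not code from the thread), a small POSIX shell diagnostic that walks the checks the replies point at: whether a type_transition rule exists for the caller's domain and the executable's type, and whether the executable sits on a nosuid mount. The sesearch output, mount table and contexts it uses are constructed stand-in data.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline check of what an exec-based
# SELinux domain transition needs: a type_transition rule keyed on the caller's
# domain and the executable's type (Moray's sesearch hint), and an executable
# that is not on a nosuid mount (Dan's caveat). All inputs are constructed;
# on a host they come from ps -efZ, ls -Z, sesearch -T and /proc/mounts.
# Constructed sesearch -T output; spacing around ':' assumed (both styles handled).
RULES='type_transition initrc_t xyz_exec_t : process xyz_t;
type_transition init_t initrc_exec_t:process initrc_t;'
# Constructed /proc/mounts lines; /opt is mounted nosuid.
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /opt ext4 rw,nosuid,relatime 0 0'

# Type field of a context such as system_u:object_r:xyz_exec_t:s0
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Mount options of the mount holding path $1 (longest mount point wins).
mount_opts() {
  best=''; bestopts=''
  while read -r dev mp fs opts rest; do
    hit=0
    case "$mp" in /) hit=1 ;; *) case "$1" in "$mp"|"$mp"/*) hit=1 ;; esac ;; esac
    if [ "$hit" = 1 ] && [ ${#mp} -ge ${#best} ]; then best=$mp; bestopts=$opts; fi
  done <<EOF
$MOUNTS
EOF
  printf '%s\n' "$bestopts"
}

# diagnose CALLER_CTX EXEC_PATH EXEC_CTX: prints "ok: <new domain>" or the
# first reason the process would stay in the caller's domain.
diagnose() {
  src=$(ctx_type "$1"); path=$2; ftype=$(ctx_type "$3")
  case ",$(mount_opts "$path")," in *,nosuid,*)
    echo "fail: $path is on a nosuid mount; exec transitions are blocked"; return 1 ;;
  esac
  target=$(printf '%s\n' "$RULES" | awk -v s="$src" -v f="$ftype" '
    { gsub(/:/, " : ")   # normalise "t:process" and "t : process"
      if ($1 == "type_transition" && $2 == s && $3 == f && $5 == "process") {
        sub(/;$/, "", $6); print $6; exit } }')
  if [ -z "$target" ]; then
    echo "fail: no type_transition from $src on $ftype (check caller domain and file label)"
    return 1
  fi
  echo "ok: $target"
}

# The thread's two cases: init script labelled initrc_exec_t, and labelled etc_t.
diagnose system_u:system_r:init_t:s0 /etc/init.d/xyz system_u:object_r:initrc_exec_t:s0
diagnose system_u:system_r:init_t:s0 /etc/init.d/xyz system_u:object_r:etc_t:s0 || true
```

The second call reproduces the failure Nabeel hit: an init script labelled etc_t never brings init into initrc_t, so the later exec of xyz_exec_t has no rule to match.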