Is it possible to cause a process to transition to a new domain but only if it reads a file with a certain label? I am interested in imposing this by modifying the SELinux policy only, that is, not requiring any action on the part of the process itself. You could think of this as a rough analog to HiStar and others' "tainting".
On 04/01/2015 05:51 PM, W. Michael Petullo wrote:
> Is it possible to cause a process to transition to a new domain but only if it reads a file with a certain label? I am interested in imposing this by modifying the SELinux policy only, that is, not requiring any action on the part of the process itself. You could think of this as a rough analog to HiStar and others' "tainting".
SELinux process transition happens on execve() calling. Not sure what your point is here?
On 04/03/2015 09:22 AM, Miroslav Grepl wrote:
> On 04/01/2015 05:51 PM, W. Michael Petullo wrote:
>> Is it possible to cause a process to transition to a new domain but only if it reads a file with a certain label? I am interested in imposing this by modifying the SELinux policy only, that is, not requiring any action on the part of the process itself. You could think of this as a rough analog to HiStar and others' "tainting".
> SELinux process transition happens on execve() calling. Not sure what your point is here?
Miroslav is correct, there is no way to do what you want with SELinux. Transitions happen on exec, or a process can attempt to change its own label, if allowed by policy. Those are the only ways for a process to get a label.
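
The two label-changing paths named in the reply above, written out as a policy module. This is an added example, not part of the thread: every `demo_*` type is hypothetical, and `unconfined_t`/`unconfined_r` are assumed to exist as in the targeted policy. Attributes and file-context entries that a production module would also need are left out.

```te
module taintdemo 1.0;

require {
    type unconfined_t;
    role unconfined_r;
    class process { transition dyntransition setcurrent };
    class file { getattr open read execute entrypoint };
}

# Hypothetical types for this sketch.
type demo_t;           # domain the program starts in
type demo_exec_t;      # label on the program's executable
type demo_tainted_t;   # domain permitted to read the sensitive file
type demo_secret_t;    # label on the sensitive file

role unconfined_r types { demo_t demo_tainted_t };

# Path 1: transition on exec. When unconfined_t calls execve() on a
# demo_exec_t file, the new process image runs as demo_t.
type_transition unconfined_t demo_exec_t : process demo_t;
allow unconfined_t demo_exec_t : file { getattr open read execute };
allow unconfined_t demo_t : process transition;
allow demo_t demo_exec_t : file { entrypoint read execute };

# Path 2: the process changes its own label. It has to call setcon(3)
# itself; policy only decides whether that call is permitted.
allow demo_t self : process setcurrent;
allow demo_t demo_tainted_t : process dyntransition;

# Only the second domain may read the sensitive file.
allow demo_tainted_t demo_secret_t : file { getattr open read };

# There is deliberately no rule letting demo_t read demo_secret_t.
# A read by demo_t is denied and audited; it does not relabel the
# process. No policy statement makes a file read trigger a domain
# transition.
```

With this module loaded, a `demo_t` process that opens a `demo_secret_t` file gets an AVC denial and stays in `demo_t`; it reaches `demo_tainted_t` only by calling `setcon()` itself.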
Hi Mike,
As the guys said above, it's not possible. But why do you need this? If you describe your issue, we could find some solution :)