Hello All, new here
I am trying to get my head around SELinux and have digested most of the content of the books out there and online info. I can't seem to get my head around something though - how to set the SELinux context of a process (domain).
I have created a simple script and I want to run the script with a certain context, the only way I can do it so far is via a unit:
# cat myscript.service
[Unit]
Description=myscript
After=syslog.target systemd-user-sessions.service
[Service]
ExecStart=/usr/local/bin/myscript.sh
SELinuxContext=unconfined_u:system_r:home_bin_t:s0
[Install]
WantedBy=multi-user.target
I also added it to the policy:
# semanage fcontext -l
...
/usr/local/bin/myscript.sh all files system_u:object_r:home_bin_t:s0
...
# ps -efZ |grep myscript
unconfined_u:system_r:home_bin_t:s0 root 18575 1 0 20:08 ? 00:00:00 /bin/bash /usr/local/bin/myscript.sh
So this works, but surely there is another way?
I have also tried other contexts and they don't work, I'm guessing this one does as it is one of the customizable_types ???
I am also wondering about the myriad of contexts available, most are related to specific services/applications but is there a nice list somewhere of useful ones for the developer/coder to use - aside from doing an seinfo -t ???
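As an added example (not from this thread), a small POSIX shell script that starts the script without the unit file, using runcon to request the context directly, and then checks which domain the process actually landed in. It assumes /usr/local/bin/myscript.sh exists and is labelled home_bin_t as shown above; the SELinux-specific commands only run when selinuxenabled reports SELinux active, and sesearch needs setools installed.

```shell
#!/bin/sh
# Added example, not from the original post. Launches myscript.sh outside of
# systemd with an explicit context (runcon) and checks the domain it lands in.
# Assumes the file is labelled home_bin_t as shown in the thread.
SCRIPT=/usr/local/bin/myscript.sh
WANT_TYPE=home_bin_t

# Print one field of a context string user:role:type:level.
# Field 4 is everything after the third colon, since an MLS/MCS level
# such as s0-s0:c0.c1023 contains colons of its own.
ctx_field() {
    case $2 in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Succeeds when the type (domain) of a process label equals the expected type.
domain_is() {
    [ "$(ctx_field "$1" 3)" = "$2" ]
}

if selinuxenabled 2>/dev/null; then
    # The executable's file type is what the policy keys transitions on.
    ls -Z "$SCRIPT"
    # Any type_transition rules that involve home_bin_t (needs setools).
    sesearch -T -t "$WANT_TYPE" 2>/dev/null || true
    # Ask for the context directly; the kernel refuses unless the caller's
    # domain is allowed to transition and the file is an entrypoint for it.
    runcon -t "$WANT_TYPE" "$SCRIPT" &
    pid=$!
    sleep 1
    got=$(ps -o label= -p "$pid")
    if domain_is "$got" "$WANT_TYPE"; then
        echo "pid $pid runs as $got"
    else
        echo "pid $pid runs as '$got', not $WANT_TYPE; see ausearch -m avc -ts recent"
    fi
    kill "$pid" 2>/dev/null || true
fi
```

If the runcon launch is refused, the denial shows up in the audit log and tells you which domain/role/type combination the policy does not allow.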
SELinux Process Context
Re: SELinux Process Context
As far as I know the SELinux domain depends on the binary's SELinux type, but I may be wrong.
Yet, from System Administrators' perspective - I never had such a task.
Could you try to label the script as 'system_u:object_r:home_bit_t' and then start your script and check the SELinux Context of the domain.
Also, you should reconsider using the 'unconfined_u' SELinux user.