Running new processes in a new context
Sometimes, it isn't possible to force a particular domain upon invocation of a new task or process. The default transition rules that can be enabled through the SELinux policy are only applicable if the source domain and file context (of the application or task to execute) are unambiguously decisive for the target context.
In applications that can run the same command (or execute commands with the same context) for different target domains, SELinux-awareness is a must.
This recipe will show how to force a particular domain for a new process.
Getting ready
The newcon variable that is used in this recipe can be filled in through methods such as get_default_context(), as we have seen in a previous recipe.
How to do it…
To launch a process in a specific context, go through the following steps:
- Tell SELinux what the new context should be:
    int rc = setexeccon(newcon);
    if (rc) {
        … // Call failed
        freecon(newcon);
    }
- Fork and execute the command...
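The two steps above, as an added example (not the book's code): launch_in_context() requests the target domain with setexeccon(), forks and execs the command, and clears the one-shot exec context in the parent so a later exec is not silently redirected. The function name is an assumption, and libselinux symbols are declared weak so the program also builds where the library is absent (link with -lselinux where it exists).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak references to libselinux: NULL at run time if the library was not linked. */
extern int setexeccon(const char *con) __attribute__((weak));
extern int is_selinux_enabled(void) __attribute__((weak));

/* Run argv[0] (searched via PATH) in the SELinux domain 'newcon'.
 * Returns the child's exit status (0..255), or -1 with errno set when the
 * context could not be requested or the child did not exit normally. */
int launch_in_context(const char *newcon, char *const argv[])
{
    if (!newcon || !argv || !argv[0]) { errno = EINVAL; return -1; }
    if (!setexeccon || !is_selinux_enabled || is_selinux_enabled() != 1) {
        errno = ENOSYS;          /* no libselinux, or SELinux is disabled */
        return -1;
    }
    /* Tell SELinux the context for the *next* execve() of this thread. */
    if (setexeccon(newcon) != 0)
        return -1;               /* e.g. EACCES: policy denies this transition */

    pid_t pid = fork();
    if (pid < 0) {
        int saved = errno;
        setexeccon(NULL);        /* undo the request; nothing was exec'd */
        errno = saved;
        return -1;
    }
    if (pid == 0) {
        execvp(argv[0], argv);   /* the child transitions into newcon here */
        _exit(127);              /* exec failed; never run with a stale context */
    }
    /* The parent inherited the pending exec context across fork() but did not
     * exec: clear it so an unrelated later exec is not moved into newcon. */
    setexeccon(NULL);

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) { errno = ECHILD; return -1; }
    return WEXITSTATUS(status);
}

int main(int argc, char *argv[])
{
    /* Usage: ./launch <context> <command> [args...]; context comes from the caller. */
    if (argc < 3) { fprintf(stderr, "usage: %s <context> <command> [args...]\n", argv[0]); return 2; }
    int rc = launch_in_context(argv[1], &argv[2]);
    if (rc < 0) perror("launch_in_context");
    return rc < 0 ? 1 : rc;
}
```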