The context of a process
As everything in SELinux works with labels, processes are assigned a label too, also known as the domain. If a label is absent (or invalid), SELinux shows the process as unlabeled_t. We saw that the Apache web server runs in the httpd_t domain, which can be seen with the ps -Z command (here ps -eZ, so that every process is listed) as follows:
# ps -eZ | grep httpd
system_u:system_r:httpd_t:s0 2270 ? 00:00:00 httpd
The Apache processes do not tell SELinux themselves that they need to run in the httpd_t domain; that is what SELinux transition rules are for.
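As an added example (not from the book), the following shell snippet parses lines in the ps -eZ format shown above, extracts the domain (the type field of the user:role:type:level context) and flags processes that SELinux reports as unlabeled_t. The sample lines are constructed, not real output; on a live system the same function can be fed from ps -eZ directly.

```shell
# Added example, not part of the book: pull the SELinux domain out of
# `ps -eZ`-style output and flag unlabeled processes.

process_domain() {
    # $1 is one line of `ps -eZ` output: "<context> <pid> <tty> <time> <cmd>".
    # The context is the first whitespace-separated field and the domain
    # (type) is its third colon-separated part. MLS ranges such as
    # s0-s0:c0.c1023 add more colons after the type, so field 3 stays correct.
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

is_unlabeled() {
    # True when the process carries the unlabeled_t fallback domain.
    [ "$(process_domain "$1")" = "unlabeled_t" ]
}

list_domains() {
    # Reads `ps -eZ` output on stdin, prints "<pid> <domain>" per process and
    # appends UNLABELED for unlabeled_t (or for a missing context, which ps
    # prints as "-" on a kernel without SELinux).
    awk '
        $1 == "LABEL" { next }        # skip the ps header line
        {
            split($1, c, ":")
            dom = c[3]
            if (dom == "") dom = "-"
            flag = (dom == "unlabeled_t" || dom == "-") ? " UNLABELED" : ""
            print $2, dom flag
        }'
}

# Constructed sample lines in the `ps -eZ` format (hypothetical PIDs/commands).
SAMPLE_HTTPD='system_u:system_r:httpd_t:s0 2270 ? 00:00:00 httpd'
SAMPLE_UNLABELED='system_u:system_r:unlabeled_t:s0 3110 ? 00:00:02 legacyd'

# Run over the constructed sample; on a live system use: ps -eZ | list_domains
printf 'LABEL PID TTY TIME CMD\n%s\n%s\n' "$SAMPLE_HTTPD" "$SAMPLE_UNLABELED" | list_domains
```

The awk field split is deliberately anchored on the first whitespace-separated column rather than on the command name, because the CMD column can itself contain colons or spaces.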
Transitioning towards a domain
Just as with files, when a process forks and creates a new process, the child inherits the context of the parent process. In the case of the web server, the main process runs in the httpd_t domain, so all the worker processes it launches inherit the httpd_t domain from it.
In order to differentiate one process from another, domain transitions can be defined. A domain transition (also known as a process transition...