Defining role transitions

It is possible to have SELinux switch roles automatically when a particular application is executed. The usual checks still apply (among others, whether the role is valid for the user and whether the current user domain is allowed to execute the file), but there is no longer a need to call runcon or sudo to switch the role.

How to do it…

Role transitions can be configured as follows:

  1. Identify the executable type on which a role transition has to occur:
    ~$ ls -Z puppetca
    system_u:object_r:puppetca_exec_t  puppetca
    
  2. In the SELinux policy, create an interface that includes the role transitions:
    interface(`puppet_roletrans_puppetca',`
      gen_require(`
        role puppetadm_r;
        type puppetca_t, puppetca_exec_t;
      ')
      allow $1 puppetadm_r;
      role_transition ...
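The same role transition wired up end to end, as an added example and not the book's own listing: the interface in the puppet module, and the two calls a user domain module makes so that both the domain and the role change on execve. The user role mystaff_r, domain mystaff_t and the puppet_domtrans_puppetca interface are assumed names.

```m4
## puppet.if (added example, not the book's listing)
interface(`puppet_roletrans_puppetca',`
	gen_require(`
		role puppetadm_r;
		type puppetca_t, puppetca_exec_t;
	')

	# The calling role is allowed to change into puppetadm_r at all
	allow $1 puppetadm_r;

	# ... and does so automatically when it executes a puppetca_exec_t file.
	# Syntax: role_transition <current role> <executable type> <new role>;
	role_transition $1 puppetca_exec_t puppetadm_r;

	# The new role must be authorized for the domain the process ends up in,
	# otherwise the resulting context is invalid and execve fails.
	role puppetadm_r types puppetca_t;
')

## mystaff.te (assumed user domain module calling the interface)
policy_module(mystaff, 1.0)

gen_require(`
	role mystaff_r;
	type mystaff_t;
')

# Domain transition: mystaff_t executing puppetca_exec_t enters puppetca_t
# (puppet_domtrans_puppetca is assumed to exist in the puppet module)
puppet_domtrans_puppetca(mystaff_t)

# Role transition for the same execve: mystaff_r becomes puppetadm_r
puppet_roletrans_puppetca(mystaff_r)
```

After loading the module, `sesearch --role_trans -s mystaff_r` (setools) lists the resulting role_transition rule, which is the quickest way to confirm the policy compiled it as intended.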
