Running new processes in a new context

Sometimes, it isn't possible to force a particular domain upon invocation of a new task or process. The default transition rules that can be enabled through the SELinux policy only apply when the source domain and the file context of the application or task to execute unambiguously determine the target context.

In applications that can run the same command (or execute commands with the same context) for different target domains, SELinux-awareness is a must.

This recipe will show how to force a particular domain for a new process.

Getting ready

The newcon variable that is used in this recipe can be filled in through methods such as get_default_context() as we have seen in a previous recipe.

How to do ...
