[CentOS] SELinux vs. virsh

Thu Aug 28 14:20:06 UTC 2014
Jonathan Billings <billings at negate.org>

On Thu, Aug 28, 2014 at 08:16:58AM -0500, Bill Gee wrote:
> But that means that SELinux contexts are NOT stable ...  They are
> NOT the same for all instances of a process.  It seems to me that
> defeats the whole purpose of SELinux. 

I think you're confusing the account the process is running under with
the context in which it's run.  SELinux doesn't really "know" anything
about what daemon is running or what user is running them, it just
understands that crond is run with a context, and that the SELinux
policy allows that process to start certain executables with the
appropriate file context, and possibly transitioning to a target
domain.  

Your root user is unconfined (assuming you haven't done otherwise), so
there aren't any restrictions on what it can transition to.

The Cron daemon, when run with SELinux with a process context, can
only access files and start processes as defined by the SELinux
policy, and can transition to certain domains through defined 'entry
points', or executables with a defined file context.

Process transitions are good for cron, because it limits cron to only
starting processes properly tagged to enter into that domain, and once
the subprocesses have started, they're now confined to what their domain
allows.  This means that your cron job that rotates httpd's logs can't
also start up a sshd on port 22 (for example), even though it is
running as root. 

-- 
Jonathan Billings <billings at negate.org>
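
Added example, not part of the message above and not taken from any real policy: a small Python model of the exec-time checks behind the domain transition the reply describes. The rules in `SAMPLE_POLICY` and the function names are constructed for illustration; the permission names (`execute`, `transition`, `entrypoint`, `execute_no_trans`) are the real SELinux ones.

```python
import re

# Constructed sample rules in policy-language syntax (not dumped from a real policy).
SAMPLE_POLICY = """
allow crond_t logrotate_exec_t : file { read getattr execute };
allow crond_t logrotate_t : process transition;
allow logrotate_t logrotate_exec_t : file { read execute entrypoint };
type_transition crond_t logrotate_exec_t : process logrotate_t;
allow crond_t bin_t : file { read execute execute_no_trans };
"""

ALLOW = re.compile(r"allow (\w+) (\w+) : (\w+) (?:\{ ([\w ]+) \}|(\w+));")
TRANS = re.compile(r"type_transition (\w+) (\w+) : process (\w+);")

def parse(policy):
    """Return (set of (source, target, class, perm), {(domain, exec_type): new_domain})."""
    allows, transitions = set(), {}
    for line in policy.strip().splitlines():
        line = line.strip()
        m = ALLOW.fullmatch(line)
        if m:
            src, tgt, cls, many, one = m.groups()
            for perm in (many or one).split():
                allows.add((src, tgt, cls, perm))
            continue
        m = TRANS.fullmatch(line)
        if m:
            transitions[(m.group(1), m.group(2))] = m.group(3)
    return allows, transitions

def domain_after_exec(policy, domain, file_type):
    """Domain a process ends up in after exec'ing a file of file_type, or None if denied."""
    allows, transitions = parse(policy)
    if (domain, file_type, "file", "execute") not in allows:
        return None  # the calling domain may not execute this file type at all
    new = transitions.get((domain, file_type))
    if new is not None:
        # A transition needs both: caller may transition, and the file is an
        # entry point into the target domain.
        needed = [(domain, new, "process", "transition"),
                  (new, file_type, "file", "entrypoint")]
        return new if all(rule in allows for rule in needed) else None
    # No transition defined: the child stays in the caller's domain, if permitted.
    if (domain, file_type, "file", "execute_no_trans") in allows:
        return domain
    return None
```

The lookup is keyed only on the calling domain and the file's type, never on the Unix user, which is why a root-owned cron job is still bound by whatever domain it lands in.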