On Thu, Aug 28, 2014 at 08:16:58AM -0500, Bill Gee wrote:
> But that means that SELinux contexts are NOT stable ... They are
> NOT the same for all instances of a process. It seems to me that
> defeats the whole purpose of SELinux.

I think you're confusing the account the process is running under with
the context in which it's run. SELinux doesn't really "know" anything
about what daemon is running or what user is running them; it just
understands that crond is run with a context, and that the SELinux
policy allows that process to start certain executables with the
appropriate file context, possibly transitioning to a target domain.

Your root user is unconfined (assuming you haven't done otherwise), so
there aren't any restrictions on what it can transition to.

The Cron daemon, when run with SELinux with a process context, can only
access files and start processes as defined by the SELinux policy, and
can transition to certain domains through defined 'entry points', or
executables with a defined file context.

Process transitions are good for cron, because it limits cron to only
starting processes properly tagged to enter into that domain, and once
the subprocesses have started, they're now confined to what their domain
allows. This means that your cron job that rotates httpd's logs can't
also start up a sshd on port 22 (for example), even though it is running
as root.

--
Jonathan Billings <billings at negate.org>
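As an added illustration of the transition rules described in the reply above (this is example code written for this page, not from the post or from the SELinux project), the following Python model parses a handful of rules in the shape of SELinux type-enforcement statements and applies the three checks the kernel makes when a confined domain executes a file: `file execute` on the binary, a `type_transition` to the new domain plus `process transition` from the old one, and `file entrypoint` for the new domain on that binary. The type names (crond_t, logrotate_t, sshd_exec_t, var_log_t, unconfined_t) are well-known reference-policy types, but the rule set is constructed for the example and is not an excerpt of any real policy; treating unconfined domains as "may do anything and stay in their domain" is a deliberate simplification of how unconfined_t actually behaves.

```python
"""Toy model of SELinux domain transitions on execve.

Added example, not part of the mailing-list post. The policy below is
constructed for illustration; only its syntax is modelled on real TE rules.
"""
import re

# Constructed mini policy in the shape of SELinux TE rules (not a real excerpt).
POLICY_TEXT = """
allow crond_t logrotate_exec_t : file { read execute };
allow crond_t logrotate_t : process transition;
allow logrotate_t logrotate_exec_t : file entrypoint;
type_transition crond_t logrotate_exec_t : process logrotate_t;
allow logrotate_t var_log_t : file { read write rename unlink };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;$")
TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+)\s*;$")


class Policy:
    def __init__(self, unconfined=()):
        self.allow = {}          # (source, target, class) -> set of permissions
        self.transitions = {}    # (source domain, exec file type) -> new domain
        self.unconfined = set(unconfined)  # simplification: no checks at all

    @classmethod
    def parse(cls, text, unconfined=()):
        pol = cls(unconfined)
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            m = ALLOW_RE.match(line)
            if m:
                src, tgt, obj_class, perms = m.groups()
                key = (src, tgt, obj_class)
                pol.allow.setdefault(key, set()).update(perms.strip("{}").split())
                continue
            m = TRANS_RE.match(line)
            if m:
                src, tgt, new_domain = m.groups()
                pol.transitions[(src, tgt)] = new_domain
                continue
            raise ValueError(f"unrecognised rule: {line}")
        return pol

    def allows(self, src, tgt, obj_class, perm):
        """Is `perm` on (tgt, obj_class) granted to domain `src`?"""
        if src in self.unconfined:
            return True
        keys = [(src, tgt, obj_class)]
        if src == tgt:                      # 'self' in a rule means target == source
            keys.append((src, "self", obj_class))
        return any(perm in self.allow.get(k, ()) for k in keys)

    def exec_file(self, domain, exec_type):
        """Return (resulting domain or None, reason) for `domain` running a file
        of type `exec_type`. None means the execve would be denied."""
        if domain in self.unconfined:
            return domain, "unconfined domain: no restriction, stays in its domain"
        if not self.allows(domain, exec_type, "file", "execute"):
            return None, f"{domain} may not execute files of type {exec_type}"
        new_domain = self.transitions.get((domain, exec_type))
        if new_domain is None:
            # No transition: the caller stays in its own domain, which needs
            # execute_no_trans on the file.
            if self.allows(domain, exec_type, "file", "execute_no_trans"):
                return domain, "no transition rule; runs in the caller's domain"
            return None, f"no type_transition for {domain} on {exec_type}"
        if not self.allows(domain, new_domain, "process", "transition"):
            return None, f"{domain} may not transition to {new_domain}"
        if not self.allows(new_domain, exec_type, "file", "entrypoint"):
            return None, f"{exec_type} is not an entry point for {new_domain}"
        return new_domain, f"{domain} -> {new_domain} via entry point {exec_type}"


if __name__ == "__main__":
    pol = Policy.parse(POLICY_TEXT, unconfined={"unconfined_t"})
    # cron starting the log-rotation job lands in logrotate_t ...
    print(pol.exec_file("crond_t", "logrotate_exec_t"))
    # ... and neither cron nor the rotated job can start an sshd binary,
    # while the unconfined root shell is unrestricted.
    print(pol.exec_file("crond_t", "sshd_exec_t"))
    print(pol.exec_file("logrotate_t", "sshd_exec_t"))
    print(pol.exec_file("unconfined_t", "sshd_exec_t"))
```

The last three calls make the post's point concrete: with root's shell in an unconfined domain every execve succeeds, but once crond has handed off to logrotate_t the job only has the `var_log_t` file permissions the policy grants it, and the missing `file execute` on `sshd_exec_t` is what stops it regardless of the UID it runs under.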