SELinux Mailing List

Re: problems using setcon()

From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Mon, 14 Mar 2005 10:06:12 -0500


On Fri, 2005-03-11 at 21:35 -0500, Kodungallur Varma wrote:
> I came to know that I can't simply cast a string into a security
> identifier as shown below. Instead I found out that I have to use
> security_compute_create().

No, you can directly construct context strings; you just have to ensure that they are valid contexts or the kernel will reject them. The easiest approach is to use getcon() to get the current context, then use the context_new(), context_type_set(), context_str() functions to create a context string with a modified type field, and then call setcon() on the resulting context string.

security_compute_create() is appropriate when you want to get a context based on a type_transition rule in the policy (for an exec-based process transition or a file creation), but that is not what you are doing.

Sample program below should work for you, assuming appropriate policy and a kernel that supports dynamic context transitions (>= 2.6.11 for the mainline kernel). Policy would need can_setcon() for the domain and allow <olddomain> <newdomain>:process dyntransition; (the domain_auto_trans rules are for exec-based transitions only).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

Received on Mon 14 Mar 2005 - 10:19:28 EST
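
The sample program mentioned in the reply is not included on this archived page. The following is an added example, not Stephen Smalley's program, of the getcon() / context_new() / context_type_set() / context_str() / setcon() sequence the reply describes. The names `retype`, `dyn_transition` and the `USE_LIBSELINUX` build macro are assumptions of this example; without the macro a constructed string-only stand-in is compiled so the file builds on hosts without libselinux.

```c
/* SELinux host: cc -c -DUSE_LIBSELINUX dyntrans.c   (link with -lselinux)
 * Elsewhere:    cc -c dyntrans.c   (string fallback only, no setcon) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef USE_LIBSELINUX
#include <selinux/selinux.h>
#include <selinux/context.h>
#endif

/* malloc'd copy of ctx ("user:role:type[:range]") with the type field
 * replaced, or NULL if ctx or newtype is malformed. */
char *retype(const char *ctx, const char *newtype)
{
    char *out = NULL;
#ifdef USE_LIBSELINUX
    context_t c = context_new(ctx);
    if (!c) return NULL;
    if (context_type_set(c, newtype) == 0 && context_str(c))
        out = strdup(context_str(c));   /* context_str() memory belongs to c */
    context_free(c);
#else   /* constructed stand-in for the three context_*() calls */
    const char *role = strchr(ctx, ':');
    const char *type = role ? strchr(role + 1, ':') : NULL;
    if (!type || !*newtype || strchr(newtype, ':'))
        return NULL;
    type++;                                        /* start of the type field */
    const char *rest = type + strcspn(type, ":");  /* ":range" or "" */
    size_t len = (size_t)(type - ctx) + strlen(newtype) + strlen(rest) + 1;
    if ((out = malloc(len)))
        snprintf(out, len, "%.*s%s%s", (int)(type - ctx), ctx, newtype, rest);
#endif
    return out;
}
#ifdef USE_LIBSELINUX
/* getcon() -> new type -> setcon(). Returns 0 on success, -1 on failure;
 * setcon() fails if the context is invalid or policy lacks dyntransition. */
int dyn_transition(const char *newtype)
{
    char *cur = NULL, *next;
    int rc = -1;
    if (getcon(&cur) < 0) return -1;
    if ((next = retype(cur, newtype)))
        rc = setcon(next);
    free(next);
    freecon(cur);
    return rc;
}
#endif
```

A caller should treat a -1 from `dyn_transition()` as fatal rather than continuing in the old domain, since the process is then still running with its original type.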
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service