Now, let’s find out how a process accesses other processes, taking the vsftpd service as the example. If vsftpd is not already running, start it with the following command:
systemctl start vsftpd
The vsftpd process is started by systemd, the replacement for the SysV init process, which runs in the init_t domain. You can confirm this with:
ps -eZ | grep init

The process that systemd forks to start the service stays in the init_t domain only briefly: it executes /usr/sbin/vsftpd, whose file type is ftpd_exec_t, and at that exec the process becomes the vsftpd service and runs in the ftpd_t domain.

So, here’s a process in the init_t domain executing a binary file of the ftpd_exec_t type, and the resulting process then runs as a service in the ftpd_t domain.
A domain transition is allowed only if three strict rules are all satisfied:
- The process in the source domain must have permission to execute the application’s binary file (the file type that serves as the entry point)
- That file type must be marked as an entry point for the target domain
- The source domain must be allowed to transition to the target domain
Let’s run the sesearch command for the vsftpd service to check whether it follows these rules:
- First, the source domain init_t must have permission to execute the application in the ftpd_exec_t context. So we run:
sesearch -s init_t -t ftpd_exec_t -c file -p execute -Ad
We found the following output:
allow init_t ftpd_exec_t : file { read getattr execute open } ;
So, init_t can read, get the attributes of, execute, and open files of the ftpd_exec_t context.
- Next, we check whether the binary file is the entry point for the target domain ftpd_t:
sesearch -s ftpd_t -t ftpd_exec_t -c file -p entrypoint -Ad
We found that it is:
allow ftpd_t ftpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
- Finally, the source domain init_t needs to have permission to transition to the target ftpd_t domain:
sesearch -s init_t -t ftpd_t -c process -p transition -Ad
We can see that the source domain has that permission as well:
allow init_t ftpd_t : process transition ;
If any of the three queries returns no rule, the transition into ftpd_t will not take place.
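To turn the three checks above into a repeatable procedure, here is an added shell script (not from the original page, nor from the vsftpd or setools projects) that runs the same three sesearch queries for any source domain, entrypoint file type and target domain and reports which rules are present. It assumes the sesearch command with the -A and -d options used above (setools 3, as shipped on RHEL 7 era systems) and also accepts the newer setools 4 output format, which omits the spaces around the colon; the function and variable names are my own, and the rule-matching logic is plain POSIX shell so it can be exercised on saved sesearch output on a machine with no policy loaded.

```shell
#!/bin/sh
# Added example: verify the three SELinux domain-transition rules
# (execute, entrypoint, transition) from sesearch output.
# Assumes the setools sesearch CLI; the matching itself needs only grep.

# rule_allows OUTPUT SRC TGT CLASS PERM
# Succeeds if OUTPUT holds an allow rule SRC -> TGT on CLASS granting PERM,
# whether PERM is listed alone ("process transition ;") or inside a
# "{ ... }" set.  Whitespace anchoring keeps "execute" from matching
# "execute_no_trans".  Handles both "tgt : class" (setools 3) and
# "tgt:class" (setools 4) spellings.
rule_allows() {
    printf '%s\n' "$1" | grep -E \
        "^allow[[:space:]]+$2[[:space:]]+$3[[:space:]]*:[[:space:]]*$4[[:space:]]+([{][^}]*[[:space:]]$5[[:space:]][^}]*[}]|$5)[[:space:]]*;" \
        >/dev/null
}

# transition_allowed SRC EXEC_TYPE TGT EXEC_OUT ENTRY_OUT TRANS_OUT
# Applies the three rules to already-collected sesearch output, prints one
# line per rule, and succeeds only when all three rules are present.
transition_allowed() {
    src=$1; exec_t=$2; tgt=$3
    rc=0
    if rule_allows "$4" "$src" "$exec_t" file execute; then
        echo "ok   1: $src may execute files of type $exec_t"
    else
        echo "FAIL 1: $src may not execute files of type $exec_t"; rc=1
    fi
    if rule_allows "$5" "$tgt" "$exec_t" file entrypoint; then
        echo "ok   2: $exec_t is an entry point for $tgt"
    else
        echo "FAIL 2: $exec_t is not an entry point for $tgt"; rc=1
    fi
    if rule_allows "$6" "$src" "$tgt" process transition; then
        echo "ok   3: $src may transition to $tgt"
    else
        echo "FAIL 3: $src may not transition to $tgt"; rc=1
    fi
    return $rc
}

# check_transition SRC EXEC_TYPE TGT
# Queries the loaded policy with the same three sesearch commands as the
# text and hands the output to transition_allowed.
check_transition() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not found (install setools / setools-console)" >&2
        return 2
    }
    transition_allowed "$1" "$2" "$3" \
        "$(sesearch -s "$1" -t "$2" -c file -p execute -Ad)" \
        "$(sesearch -s "$3" -t "$2" -c file -p entrypoint -Ad)" \
        "$(sesearch -s "$1" -t "$3" -c process -p transition -Ad)"
}

# Usage: sh check_transition.sh init_t ftpd_exec_t ftpd_t
if [ "$#" -eq 3 ]; then
    check_transition "$@"
fi
```

Two caveats when reading the results. The -d option tells sesearch to match the named types directly and to skip rules granted through type attributes, so if a query comes back empty, repeat it without -d before concluding that the rule is missing. And the three allow rules only make the transition permissible; what makes it happen automatically on exec is the policy’s type_transition rule, which you can list with sesearch -T -s init_t -t ftpd_exec_t.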
SELinux also supports processes that run under unconfined domains, for example unconfined_t. This is the domain in which logged-in users run their processes by default.