Question: Avoiding Executable Duplication for Per-Process Contexts in SELinux #486
Unanswered
abhishek-das-gupta asked this question in Q&A
Replies: 0 comments
Hi all,
I'm working with a tree of supervisord-managed daemon processes, and I want each child process to run in its own SELinux domain so that the appropriate policies can be applied individually.
In my setup, all these daemons are started via a common wrapper script (entry.sh) when supervisord launches them. This script is labeled with the context supervisord_exec_t, and supervisord runs with type supervisord_t.
To get each child daemon to run in its intended context, I've been using the following workaround:

1. I duplicate entry.sh into multiple copies like entry_child_k.sh, each with the same content, but assigned a different label, e.g., child_k_exec_t.
2. I define a type_transition like:
3. Then, I configure supervisord to launch the appropriate script per daemon, ensuring each child runs in its respective domain (e.g., child_k_t).

This works, but results in multiple copies of essentially the same script, just to satisfy the executable label requirement.

My Question:
Is there a way to avoid duplicating the executable while still being able to spawn each child process in its own distinct SELinux domain from supervisord? Ideally, I would like to:

- Keep using a single entry.sh file.
- Somehow change its label at runtime (or apply a context override) just before launching a specific child daemon.

Is this possible within SELinux's constraints, or is duplicating the entrypoint script the only viable option?
Any guidance would be appreciated!
Thanks!
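The alternative the question is circling around, as an added example that is not a reply from this thread (the discussion has no replies) and not the poster's own entry.sh: keep one wrapper script and request the domain transition explicitly with runcon(1) instead of encoding it in the file label, with a post-launch check over `ps -eZ` output that flags any child that did not land in its domain. The daemon names (daemon_a, daemon_b), types (child_a_t, child_b_t, daemon_a_exec_t), binary paths and the policy rules quoted in the comments are assumptions in the post's child_k_t naming scheme, not values from the discussion.

```shell
#!/bin/sh
# Added example (not from the discussion): one shared entry.sh that asks for
# an explicit domain transition with runcon(1) instead of relying on the
# script's own file label. Daemon names, domain types and paths below are
# constructed placeholders in the post's child_k_t naming scheme.
#
# Policy assumptions for this to be permitted (illustrative, not a full module):
#   allow supervisord_t self:process setexec;          # runcon may set exec context
#   allow supervisord_t child_a_t:process transition;  # one line per child domain
#   allow child_a_t daemon_a_exec_t:file entrypoint;   # the daemon binary, not entry.sh
# Without these the execve fails with a denial, so the enforcement stays in
# the kernel policy rather than in which copy of the script was launched.

# Allowlist mapping a daemon name to the SELinux type it must run as.
# Any name not listed here is refused, so a misconfigured supervisord
# program cannot pick an arbitrary domain.
domain_for() {
    case "$1" in
        daemon_a) echo child_a_t ;;
        daemon_b) echo child_b_t ;;
        *)        return 1 ;;
    esac
}

# Compose the launch command for a daemon: runcon -t <type> -- <binary> [args].
# Printed rather than executed so the mapping can be checked offline.
build_cmd() {
    dom=$(domain_for "$1") || { echo "refusing unknown daemon: $1" >&2; return 1; }
    shift
    printf 'runcon -t %s -- %s' "$dom" "$*"
}

# Post-launch check: given `ps -eZ` output, report every managed daemon whose
# running type differs from the allowlisted one (for example because a
# transition rule is missing and it silently inherited supervisord_t).
check_domains() {
    printf '%s\n' "$1" | while read -r ctx pid _tty _time comm; do
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(domain_for "$comm") || continue   # not one of our daemons
        [ "$have" = "$want" ] || echo "$comm pid $pid runs as $have, expected $want"
    done
}

# Constructed sample of `ps -eZ` output: daemon_b never transitioned.
SAMPLE_PS='system_u:system_r:supervisord_t:s0 812 ? 00:00:01 supervisord
system_u:system_r:child_a_t:s0 901 ? 00:00:00 daemon_a
system_u:system_r:supervisord_t:s0 902 ? 00:00:00 daemon_b'

# When invoked by supervisord as "entry.sh <daemon_name> <binary> [args...]",
# actually perform the transition. The basename guard keeps the functions
# usable when this file is sourced only for checking.
if [ "$(basename -- "$0")" = "entry.sh" ]; then
    name=$1; shift
    build_cmd "$name" "$@" >/dev/null || exit 1
    exec runcon -t "$(domain_for "$name")" -- "$@"
fi
```

With this, a supervisord program entry would be something like `command=/opt/entry.sh daemon_a /usr/sbin/daemon_a --foreground` (hypothetical path). `runcon -t` changes only the type and keeps the user and role, and every transition it requests still has to be allowed by policy: the allowlist in the script is a convenience for catching typos in the supervisord config, while the kernel remains the thing that decides. Running `check_domains "$(ps -eZ)"` after startup gives a quick answer to whether each child actually ended up where the policy intended.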