Problem with upgrading a file sensitivity level with mls policy

Hello,

I've been trying to get a simple piece of code to work to upgrade a file's sensitivity level. I wrote a simple policy to have the process run in a new domain and assigned mlsfileupgrade to the domain. I thought I did everything needed to make it work but apparently not. The program does work in permissive mode so this isn't a DAC problem. (The target file is owned by andy, modebits 644 and the process runs as EUID=andy.) The kernel is 2.6.17.2178_FC5 and I'm using the selinux-policy-mls-2.3.7-2.fc5 policy.
Thanks.

Following is the AVC, code, policy, and example output.
------------------------------------------------------------------------------------------------------
type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom } for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 tcontext=user_u:object_r:user_t:s0 tclass=file
-----------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

int main(void)
{
    int retval;
    security_context_t secconstr, con;   /* allocated by getfilecon(), freed with freecon() */
    context_t seconstrct;
    const char *newlabel;                /* string owned by seconstrct; not freed separately */

    /* Get file context */
    retval = getfilecon("/app/foobar", &secconstr);
    if (retval < 0) {
        perror("getfilecon");
        return 1;
    }
    /* Print the context */
    printf("Security context is %s\n", secconstr);
    /* Convert the security_context_t to a context_t */
    seconstrct = context_new(secconstr);
    if (seconstrct == NULL) {
        perror("context_new");
        freecon(secconstr);
        return 1;
    }
    /* Assign new sensitivity label (the MLS range component of the context) */
    retval = context_range_set(seconstrct, "s0:c5");
    if (retval < 0) perror("context_range_set");
    /* context_str() returns a pointer into seconstrct, so keep the original
       getfilecon() result in secconstr and free it below */
    newlabel = context_str(seconstrct);
    printf("NEW Security context is %s\n", newlabel);
    retval = setfilecon("/app/foobar", newlabel);
    if (retval < 0) perror("setfilecon");
    /* Re-read the file context to confirm whether the relabel took effect */
    retval = getfilecon("/app/foobar", &con);
    if (retval < 0) {
        perror("getfilecon");
    } else {
        printf("Read NEW security context %s\n", con);
        freecon(con);
    }
    context_free(seconstrct);
    freecon(secconstr);
    return 0;
}
-------------------------------------------------------------------------------------------------------------------------
The policy:
policy_module(localmisc, 0.1.12)
require {
       type user_t;
       type user_tty_device_t;
};
type andy_t;
type andy_exec_t;
domain_type(andy_t)
mls_file_upgrade(andy_t)
domain_entry_file(andy_t, andy_exec_t)
domain_use_interactive_fds(andy_t)
allow andy_t user_tty_device_t:chr_file { read write };
domain_auto_trans(user_t, andy_exec_t, andy_t)
libs_use_ld_so(andy_t)
libs_use_shared_libs(andy_t)
role user_r types andy_t;
allow andy_t user_t: file { read getattr relabelfrom relabelto };
allow andy_t user_t:process sigchld;
---------------------------------------------------------------------------------------------------------------------
Output of the program:
[andy@localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy@localhost examples]$
----------------------------------------------------------------------------------------------------------------------



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
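An added helper (not part of the post and not libselinux code) for reading a denial like the one above: with the MLS policy, a relabel has to pass the mlsconstrain rules in addition to the `allow andy_t user_t:file { relabelfrom relabelto }` type rule, and those constraints are written in terms of the process range (l1, h1) and the file level (l2) with dom/eq comparisons. The script parses the AVC record, the current file level and a requested new level, and reports those relations; the AVC string is a constructed copy of the one in the message.

```python
import re

# Constructed copy of the AVC record quoted in the message above.
AVC = ('type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom } '
       'for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 '
       'scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 '
       'tcontext=user_u:object_r:user_t:s0 tclass=file')

def parse_avc(line):
    """Return (denied permissions, {scontext, tcontext, tclass}) from an AVC line."""
    perms = re.search(r'denied \{ ([^}]*) \}', line).group(1).split()
    fields = dict(re.findall(r'(scontext|tcontext|tclass)=(\S+)', line))
    return perms, fields

def parse_level(level):
    """'s0:c0.c255' -> (0, {0..255}); 's0:c1,c3.c5' -> (0, {1,3,4,5}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(':')
    catset = set()
    for part in (cats.split(',') if cats else []):
        lo, _, hi = part.partition('.')          # 'c3.c5' is the category range c3..c5
        catset.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), catset

def parse_range(rng):
    """'s0-s15:c0.c255' -> (low, high); a single level 's0' is its own low and high."""
    low, _, high = rng.partition('-')
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def context_range(ctx):
    """Extract the MLS range from 'user:role:type:range' (range may itself contain ':')."""
    return parse_range(ctx.split(':', 3)[3])

def mls_relations(avc_line, new_file_level):
    """Relations the mlsconstrain rules compare: process (l1, h1) vs file level(s)."""
    perms, f = parse_avc(avc_line)
    l1, h1 = context_range(f['scontext'])
    l2, _ = context_range(f['tcontext'])
    n2, _ = parse_range(new_file_level)
    return {'perms': perms, 'tclass': f['tclass'],
            'l1_eq_l2': l1 == l2,                 # process low == current file level
            'l1_dom_l2': dominates(l1, l2),
            'h1_dom_l2': dominates(h1, l2),       # process high >= current file level
            'h1_dom_new': dominates(h1, n2),      # process high >= requested level
            'new_dom_l2': dominates(n2, l2)}      # requested level is an upgrade

if __name__ == '__main__':
    print(mls_relations(AVC, 's0:c5'))
```

The relation names match the l1/h1/l2 and dom/eq vocabulary of mlsconstrain expressions, so the output can be read directly against the policy's constraints for relabelfrom and relabelto on the file class.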