Found my problem. I was concentrating on the domain-type access controls for relabelfrom/relabelto and I forgot about the basic TE constraint that states:

    constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity );

audit2allow doesn't help very much with that.

________________________________
From: fedora-selinux-list-bounces@xxxxxxxxxx on behalf of Suchoski, Andrew
Sent: Wed 10/4/2006 7:36 PM
To: fedora-selinux-list@xxxxxxxxxx
Subject: Problem with upgrading a file sensitivity level with mls policy

Hello,

I've been trying to get a simple piece of code to work to upgrade a file's sensitivity level. I wrote a simple policy to have the process run in a new domain and assigned mlsfileupgrade to the domain. I thought I did everything needed to make it work, but apparently not. The program does work in permissive mode, so this isn't a DAC problem. (The target file is owned by andy, mode bits 644, and the process runs as EUID=andy.) The kernel is 2.6.17.2178_FC5 and I'm using the selinux-policy-mls-2.3.7-2.fc5 policy. Thanks.

Following is the AVC, code, policy, and example output.
------------------------------------------------------------------------------------------------------
type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom } for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 tcontext=user_u:object_r:user_t:s0 tclass=file
------------------------------------------------------------------------------------------------------

#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

int main(void)
{
    int retval;
    security_context_t secconstr, con;
    context_t seconstrct;

    /* Get file context */
    retval = getfilecon("/app/foobar", &secconstr);
    if (retval < 0) {
        perror("getfilecon");
        return 1;
    }
    /* Print the context */
    printf("Security context is %s\n", secconstr);

    /* Convert the security_context_t to a context_t */
    seconstrct = context_new(secconstr);
    freecon(secconstr);

    /* Assign new Sensitivity label */
    retval = context_range_set(seconstrct, "s0:c5");
    if (retval < 0)
        perror("context_range_set");
    /* context_str() returns storage owned by seconstrct; do not free it */
    secconstr = context_str(seconstrct);
    printf("NEW Security context is %s\n", secconstr);

    retval = setfilecon("/app/foobar", secconstr);
    if (retval < 0)
        perror("setfilecon");

    /* Read the label back to see whether the relabel took effect */
    retval = getfilecon("/app/foobar", &con);
    if (retval < 0) {
        perror("getfilecon");
    } else {
        printf("Read NEW security context %s\n", con);
        freecon(con);
    }
    context_free(seconstrct);
    return 0;
}

------------------------------------------------------------------------------------------------------
The policy:

policy_module(localmisc, 0.1.12)

require {
    type user_t;
    type user_tty_device_t;
};

type andy_t;
type andy_exec_t;
domain_type(andy_t)
mls_file_upgrade(andy_t)
domain_entry_file(andy_t, andy_exec_t)
domain_use_interactive_fds(andy_t)
allow andy_t user_tty_device_t:chr_file { read write };
domain_auto_trans(user_t, andy_exec_t, andy_t)
libs_use_ld_so(andy_t)
libs_use_shared_libs(andy_t)
role user_r types andy_t;
allow andy_t user_t:file { read getattr relabelfrom relabelto };
allow andy_t user_t:process sigchld;
------------------------------------------------------------------------------------------------------
Output of the program:

[andy@localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy@localhost examples]$
------------------------------------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
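A small diagnostic for the situation in this thread, added here as an example and not part of either mail or of libselinux: it parses the AVC record above and evaluates the quoted constraint offline, so it can separate a constraint denial (which audit2allow will not explain) from a plain missing allow rule. The set of types carrying can_change_object_identity is an assumed input, and dir_file_class_set is approximated by the file classes listed in the code.

```python
import re

# Constructed sample: the AVC record from the thread, on one line.
AVC_LINE = ('type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom } '
            'for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 '
            'scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 '
            'tcontext=user_u:object_r:user_t:s0 tclass=file')

# Permissions guarded by the constraint quoted in the reply.
CONSTRAINED_PERMS = {"create", "relabelto", "relabelfrom"}
# Assumed expansion of dir_file_class_set.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}


def parse_avc(line):
    """Return (denied permissions, {scontext, tcontext, tclass}) from an AVC record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    perms = set(m.group(1).split()) if m else set()
    fields = dict(re.findall(r'(scontext|tcontext|tclass)=(\S+)', line))
    return perms, fields


def split_context(ctx):
    """user:role:type[:range] -> (user, role, type, range); range may be ''."""
    parts = ctx.split(":", 3)
    while len(parts) < 4:
        parts.append("")
    return tuple(parts)


def constraint_passes(scontext, tcontext, identity_changers):
    """Evaluate ( u1 == u2 or t1 == can_change_object_identity ).

    identity_changers: set of types carrying that attribute (assumed input).
    """
    u1, _, t1, _ = split_context(scontext)
    u2 = split_context(tcontext)[0]
    return u1 == u2 or t1 in identity_changers


def diagnose(line, identity_changers=frozenset()):
    """Say whether the denial is explained by the constraint or by allow rules."""
    perms, f = parse_avc(line)
    hit = perms & CONSTRAINED_PERMS
    if not hit or f.get("tclass") not in FILE_CLASSES:
        return "not covered by the constraint; check allow rules"
    if constraint_passes(f["scontext"], f["tcontext"], identity_changers):
        return "constraint satisfied; denial comes from a missing allow rule"
    u1 = split_context(f["scontext"])[0]
    u2 = split_context(f["tcontext"])[0]
    return (f"constraint blocks {{ {' '.join(sorted(hit))} }}: user {u1} != {u2} "
            f"and source type lacks can_change_object_identity")
```

Running `diagnose(AVC_LINE)` reports the user mismatch andy_u vs user_u, which is exactly why the allow rule in the policy was not enough.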