I am trying to figure out how to get "runcon -l s1" to work while having selinux in enforcing mode. So far, I can only use the runcon command successfully with selinux in permissive mode. Here is the error I get when in enforcing mode:

>runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
execvp: Permission denied

My shell is running as root in the unconfined_t domain. Here is the output of id -Z:

root:system_r:unconfined_t:s0-s15:c0.c255

The executable that I'm trying to run with runcon is "SimulatedImport". This is a very simple program which simply creates a small text file. I have created a domain named "import_t" for this program. I have an selinux policy that I built as an mls policy off the targeted policy. When I run audit2allow I get the following:

audit2allow -i /var/log/audit/audit.log -l -v -r

require {
	class dir search;
	class file { getattr read };
	class process transition;
	type auditd_log_t;
	type unconfined_t;
	role system_r;
};

allow unconfined_t auditd_log_t:dir search;
#TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search

allow unconfined_t auditd_log_t:file { getattr read };
#TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read

allow unconfined_t self:process transition;
#TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition

Adding "allow unconfined_t self:process transition;" to my "import" module seems to have no effect. Any help would be appreciated.

Thanks,
Mike
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
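The audit2allow output quoted in the post is a summary of raw AVC records from /var/log/audit/audit.log. The script below is an added example, not code from the poster or from the audit2allow project: it parses such records, groups the denied permissions into allow rules the way audit2allow -r/-v does, and flags the one case the post runs into, a process transition between two contexts with the same type where only the MLS level differs. The raw log lines are constructed here to match the denials the post summarises (same timestamps, comm, name and types); the pid values and the auditd_log_t level are assumed placeholders. The caveat the script prints is a general fact about MLS policy: a level change on process transition is decided by the mlsconstrain rules, so an allow rule for the same type pair does not by itself permit it.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log AVC records, modelled on the denials that
# audit2allow summarised in the post. pid values and the level on the
# auditd_log_t context are assumed placeholders, not values from the page.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1177347223.780:45683): avc:  denied  { transition } for  pid=4242 comm="runcon" name="SimulatedImport" scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=root:system_r:unconfined_t:s1 tclass=process
type=SYSCALL msg=audit(1177347223.780:45683): arch=40000003 syscall=11 success=no exit=-13
type=AVC msg=audit(1177347232.381:45684): avc:  denied  { search } for  pid=4250 comm="audit2allow" name="audit" scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s15:c0.c255 tclass=dir
type=AVC msg=audit(1177347344.098:45698): avc:  denied  { search } for  pid=4251 comm="audit2allow" name="audit" scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s15:c0.c255 tclass=dir
type=AVC msg=audit(1177347344.098:45698): avc:  denied  { read } for  pid=4251 comm="audit2allow" name="audit.log" scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s15:c0.c255 tclass=file
type=AVC msg=audit(1177347344.098:45699): avc:  denied  { getattr } for  pid=4251 comm="audit2allow" name="audit.log" scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s15:c0.c255 tclass=file
"""

# Matches one AVC "denied" record; name="..." is optional because not every
# object class carries a name field.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]*)"'
    r'(?:.*?name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_context(ctx):
    """Split user:role:type[:mls] into its fields; mls is None on non-MLS policies."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) > 3 else None}


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = set(d["perms"].split())
        d["source"] = parse_context(d.pop("scontext"))
        d["target"] = parse_context(d.pop("tcontext"))
        denials.append(d)
    return denials


def build_allow_rules(denials):
    """Group denials by (source type, target type, class), merging permissions.
    A target of the same type as the source is written as 'self', as audit2allow does."""
    rules = defaultdict(lambda: {"perms": set(), "evidence": []})
    for d in denials:
        stype, ttype = d["source"]["type"], d["target"]["type"]
        key = (stype, "self" if ttype == stype else ttype, d["tclass"])
        rules[key]["perms"] |= d["perms"]
        rules[key]["evidence"].append(d)
    return dict(rules)


def format_rule(key, perms):
    """Render one allow rule in policy syntax, bracing multiple permissions."""
    stype, ttype, tclass = key
    perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


def needs_constraint_review(d):
    """True when only the MLS level differs between two contexts of the same type on
    a process transition: that decision is made by mlsconstrain rules, so the
    generated allow rule alone cannot clear the denial."""
    return (d["tclass"] == "process"
            and d["source"]["type"] == d["target"]["type"]
            and d["source"]["mls"] != d["target"]["mls"])


def render_report(log_text):
    """Produce audit2allow -r/-v style lines: each rule, its evidence as comments,
    and a NOTE where the denial is constraint-driven rather than rule-driven."""
    rules = build_allow_rules(parse_avc_denials(log_text))
    out = []
    for key in sorted(rules):
        out.append(format_rule(key, rules[key]["perms"]))
        for d in rules[key]["evidence"]:
            out.append(f'#TYPE=AVC MSG=audit({d["ts"]}:{d["serial"]}): COMM="{d["comm"]}" '
                       f'NAME="{d.get("name") or "?"}" : {" ".join(sorted(d["perms"]))}')
            if needs_constraint_review(d):
                out.append(f'# NOTE: same type {d["source"]["type"]}, level {d["source"]["mls"]} -> '
                           f'{d["target"]["mls"]}; MLS level changes are decided by mlsconstrain '
                           'rules, so this allow rule alone will not permit the transition.')
        out.append("")
    return out


if __name__ == "__main__":
    print("\n".join(render_report(SAMPLE_AUDIT_LOG)))
```

Running the script prints the same three rules as the post's audit2allow output, with the NOTE attached to the runcon denial; the dir and file rules against auditd_log_t are ordinary missing-permission denials (audit2allow itself reading the log), which an allow rule does address.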