Clarkson, Mike R (US SSA) wrote:
I am trying to figure out how to get "runcon -l s1" to work while
having selinux in enforcing mode. So far, I can only use the runcon
command successfully with selinux in permissive mode. Here is the
error I get when in enforcing mode:
>runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
execvp: Permission denied
My shell is running as root in the unconfined_t domain. Here is the
output of id -Z:
root:system_r:unconfined_t:s0-s15:c0.c255
The executable that I'm trying to run with runcon is
"SimulatedImport". This is a very simple program which simply creates
a small text file. I have created a domain named "import_t" for this
program.
I have an selinux policy that I built as an mls policy off the
targeted policy.
When I run audit2allow I get the following:
audit2allow -i /var/log/audit/audit.log -l -v -r
require {
class dir search;
class file { getattr read };
class process transition;
type auditd_log_t;
type unconfined_t;
role system_r;
};
allow unconfined_t auditd_log_t:dir search;
#TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search
allow unconfined_t auditd_log_t:file { getattr read };
#TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read
allow unconfined_t self:process transition;
#TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition
Adding "allow unconfined_t self:process transition;" to my "import"
module seems to have no effect.
I think you are being prevented by a constraint of MLS.
As a guess I would suggest trying:
mls_process_set_level(unconfined_t)
Any help would be appreciated.
Thanks,
Mike
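An added illustration, not the poster's "import" module and not part of the thread, of a refpolicy-style module that puts the two pieces discussed above together: the import_t domain reachable from unconfined_t, and mls_process_set_level so the MLS constraint on process transition lets "runcon -l s1" change the level. The names import_exec_t and import_output_t, and the build against the refpolicy development headers, are assumptions.

```selinux
# import.te -- added example (assumed to be built against the refpolicy
# headers in /usr/share/selinux/devel), not the poster's own module.
policy_module(import, 1.0.0)

gen_require(`
	type unconfined_t;
	role system_r;
')

# The confined domain for SimulatedImport and the type labelling its
# executable (import_exec_t is an assumed name, not from the thread).
type import_t;
type import_exec_t;
domain_type(import_t)
domain_entry_file(import_t, import_exec_t)
role system_r types import_t;

# Type-enforcement side: unconfined_t may execute import_exec_t and
# transition into import_t (needed if runcon is also given -t import_t).
domain_transition_pattern(unconfined_t, import_exec_t, import_t)

# MLS side: with only "-l s1", runcon keeps unconfined_t and changes just
# the level, so the TE rule "allow unconfined_t self:process transition"
# is already satisfied; what still fails is the mlsconstrain on process
# transition. This interface adds unconfined_t to the mlsprocsetsl
# attribute, which is what that constraint checks for a level change.
mls_process_set_level(unconfined_t)

# Output directory/file type for the small text file the program writes
# (assumed name). Under MLS the directory must sit at the same level as
# the process, since writing to a lower level is refused by the file
# write constraint.
type import_output_t;
files_type(import_output_t)
create_files_pattern(import_t, import_output_t, import_output_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile import.pp && semodule -i import.pp`, then re-run the runcon command and check ausearch -m avc for any remaining denial.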
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list