On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> Whenever I use runcon in my script, I get the error
> "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context",
> regardless of the user, role, type, and MLS level that I specify with
> the runcon command. In fact, even when I specify the context that I'm
> already running in with the runcon statement, I get the above error.
> So for instance, if I run the script WITHOUT the runcon command, it
> runs fine with the following security context (verified with a ps -efZ
> command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> script with a runcon statement that specifies the exact same user,
> role, type, and MLS level I get the error shown above.

(please disable html mail in your client when posting to public mail lists)

Are you running in permissive mode? In permissive mode, SELinux will allow
policy-defined domain transitions to happen even if the context is not fully
valid but will still reject those contexts if explicitly specified by an
application (e.g. by runcon).

Make sure that you have authorized the context in your policy, e.g.
- is root authorized for system_r and for s0-s15:c0.c255 via a user declaration?
- is system_r authorized for datalabeler_t via a role declaration?

> I am using an selinux policy that I built as an mls policy off the
> targeted policy.

I don't understand - why aren't you using the real MLS policy? And if you
want to use MLS, why aren't you following the work on redhat-lspp list and
using those packages?

-- 
Stephen Smalley
National Security Agency

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
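The two checks Stephen lists (the user must be authorized for the role and for the MLS range by a `user` declaration, and the role must be authorized for the type by a `role` declaration) are exactly what makes a context string "valid". As an added example that is not part of this thread, the Python below applies those checks to a context string against a small constructed fragment of policy source; the declarations are hypothetical and only mirror the context from the report.

```python
import re

# Constructed policy-source fragment (hypothetical): one user declaration that
# authorizes root for system_r and the range s0-s15:c0.c255, and one role
# declaration that authorizes system_r for datalabeler_t.
POLICY_SRC = """
user root roles { system_r } level s0 range s0-s15:c0.c255;
user user_u roles { user_r } level s0 range s0;
role system_r types { datalabeler_t init_t };
role user_r types user_t;
"""

USER_RE = re.compile(r"user\s+(\w+)\s+roles\s+\{?\s*([\w\s]+?)\s*\}?\s+level\s+(\S+)\s+range\s+(\S+);")
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+\{?\s*([\w\s]+?)\s*\}?;")


def parse_level(level):
    """'s15:c0.c255' -> (15, {0..255}); 's0' -> (0, empty set). 'cA.cB' is a category span."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in cats.split(",") if cats else []:
        lo, _, hi = part.partition(".")
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(categories)


def parse_range(rng):
    """'low-high' -> (low, high); a bare level is both low and high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """Level a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def validate_context(ctx, policy_src=POLICY_SRC):
    """Return None if ctx is valid under the policy, else the failed check."""
    user, role, type_, rng = ctx.split(":", 3)  # the range itself may contain ':'
    users = {m[1]: (m[2].split(), m[4]) for m in USER_RE.finditer(policy_src)}
    roles = {m[1]: m[2].split() for m in ROLE_RE.finditer(policy_src)}
    if user not in users:
        return f"user {user} is not declared"
    allowed_roles, user_range = users[user]
    if role not in allowed_roles:
        return f"user {user} is not authorized for role {role}"
    if type_ not in roles.get(role, []):
        return f"role {role} is not authorized for type {type_}"
    ctx_low, ctx_high = parse_range(rng)
    usr_low, usr_high = parse_range(user_range)
    if not (dominates(ctx_low, usr_low) and dominates(usr_high, ctx_high)
            and dominates(ctx_high, ctx_low)):
        return f"range {rng} is outside the range authorized for {user}"
    return None
```

Running `validate_context("root:system_r:datalabeler_t:s0-s15:c0.c255")` against the fragment returns None; dropping either declaration produces the corresponding failure reason, which is the same condition the kernel reports as "is not a valid context".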