On Tue, 2007-05-01 at 10:17 -0400, Stephen Smalley wrote:
> On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> > Whenever I use runcon in my script, I get the error
> > "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context",
> > regardless of the user, role, type, and mls level that I specify with
> > the runcon command. In fact, even when I specify the context that I'm
> > already running in with the runcon statement, I get the above error.
> > So for instance, if I run the script WITHOUT the runcon command, it
> > runs fine with the following security context (verified with a ps -efZ
> > command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> > script with a runcon statement that specifies the exact same user,
> > role, type, and mls level I get the error shown above.
>
> (please disable html mail in your client when posting to public mail
> lists)
>
> Are you running in permissive mode? In permissive mode, SELinux will
> allow policy-defined domain transitions to happen even if the context is
> not fully valid but will still reject those contexts if explicitly
> specified by an application (e.g. by runcon).
>
> Make sure that you have authorized the context in your policy, e.g.
> - is root authorized for system_r and for s0-s15:c0.c255 via a user
> declaration?
> - is system_r authorized for datalabeler_t via a role declaration?

To summarize the solution for the list (discussion went off-list), the
problem in this case was lack of permission for the datalabeler_t domain
to validate contexts (selinux_validate_context() refpolicy interface),
resulting in runcon always failing to validate the context and reporting
an invalid context. Likely should file a bug against coreutils for runcon
to add strerror(errno) to the error message when security_check_context()
fails so that we would see it as a Permission denied.
--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
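As an added illustration of the fix suggested above (this is example code, not part of the thread or of coreutils): a context check that keeps errno, so a policy denial on the check itself (Permission denied, the datalabeler_t case) can be told apart from a context the policy actually rejects (Invalid argument, the user/role declaration case). It assumes selinuxfs is mounted at /sys/fs/selinux, which libselinux normally discovers from /proc/mounts.

```python
"""Validate an SELinux context the way runcon does, but report why it failed.

Added example, not code from the thread. security_check_context() in
libselinux writes the context to the 'context' node of selinuxfs; the
kernel answers EACCES if the caller's domain lacks the check_context
permission (refpolicy: selinux_validate_context()), EINVAL if the
context itself is not authorized by the policy.
"""
import errno
import os

SELINUXFS = "/sys/fs/selinux"  # assumption: default mount point


def check_context(ctx: str, selinuxfs: str = SELINUXFS) -> tuple[bool, int]:
    """Return (ok, errno); errno is 0 when the context validated."""
    path = os.path.join(selinuxfs, "context")
    try:
        with open(path, "w") as node:
            node.write(ctx)
    except OSError as exc:
        return False, exc.errno
    return True, 0


def diagnose(ctx: str, err: int) -> str:
    """Build the error line runcon should print, with strerror and a hint."""
    msg = f"{ctx} is not a valid context: {os.strerror(err)}"
    if err == errno.EACCES:
        # The check itself was denied, not the context: grant the calling
        # domain selinux_validate_context() rather than touching the context.
        msg += " (calling domain lacks selinux_validate_context())"
    elif err == errno.EINVAL:
        # Policy rejected the context: verify the user declaration (roles,
        # MLS range) and the role declaration (types) as in the thread.
        msg += " (check user/role declarations for this context)"
    elif err == errno.ENOENT:
        msg += " (selinuxfs not mounted; is SELinux enabled?)"
    return msg


if __name__ == "__main__":
    ctx = "root:system_r:datalabeler_t:s0-s15:c0.c255"
    ok, err = check_context(ctx)
    print("valid" if ok else diagnose(ctx, err))
```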