On Tue, 2007-05-01 at 15:38 -0700, Clarkson, Mike R (US SSA) wrote:
> Stephen,
>
> You were right. Adding selinux_validate_context(datalabeler_t) got me
> past the problem and I started getting some useful avc denial messages
> in the audit log. I can now successfully run my script using runcon as
> follows:
> "runcon -u root -r system_r -t datalabeler_t -l s0-s15:c0.c255
> java mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
>
> However, if I try to specify a different mls level in the runcon
> statement it doesn't work. It looks like it fails to kick off the java
> process, or at least I can't see the java process running using ps.
>
> The command I'm trying to use is this:
> "runcon -u root -r system_r -t datalabeler_t -l s1 java
> mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
>
> I'm not getting meaningful avc messages in the audit log. Audit2allow is
> telling me I need to add allow statements to my policy that I already
> have. I think that I'm probably violating some MLS constraint (I find
> that audit2allow does not give me useful messages when the problem is
> that an MLS constraint is being violated).
>
> Do either of you have any ideas on what constraint I might be violating?
> I already have "mls_process_set_level(datalabeler_t)" in my policy, and
> "semanage user -l" and "semanage login -l" both show that root has the
> mls range of s0-s15:c0.c255.

(re-added fedora-selinux-list to cc line)

audit2allow -a -l should only process avc messages since your last policy reload.

Is that runcon command running in the datalabeler_t domain already or in a different domain (the caller domain)? If the former, why are you specifying -r system_r -t datalabeler_t at all to runcon (vs. just the components that are changing)? If the latter, then the caller domain needs mls_process_set_level().

Also, you'd have to deal with other MLS-related issues, e.g. if you want that java process to be able to write to your tty (at s0), you'd need to give it mls_fd_use_all_levels() to inherit stdin/stdout/stderr and mls_file_write_down() to write to the tty. But ideally you'd be using newrole -l s1 instead and let it relabel the tty for you properly.

You may want to take further follow-ups to redhat-lspp list for MLS-specific issues.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
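The two situations Stephen distinguishes (runcon invoked from a separate caller domain versus from datalabeler_t itself) and the tty-related interfaces he names can be written down as a reference policy module fragment. This is an added example, not code posted in the thread or shipped with any policy; the caller domain name `caller_t` and the module name are assumptions, while `datalabeler_t`, `mls_process_set_level()`, `mls_fd_use_all_levels()` and `mls_file_write_down()` are the names used in the discussion.

```selinux
# Added example (not from the thread).  Assumed names: caller_t (the domain
# that invokes runcon) and the module name "datalabeler".
policy_module(datalabeler, 1.0)

# The domain the script is meant to run in, as named in the thread.
type datalabeler_t;

# Hypothetical domain from which "runcon ... -l s1 java ..." is typed.
type caller_t;

# Case A: runcon is executed from caller_t and asks for both a new type
# (-t datalabeler_t) and a new level (-l s1).  The level change is an MLS
# constraint on the process performing the transition, i.e. the caller,
# so the caller domain, not datalabeler_t, needs the override.
mls_process_set_level(caller_t)

# Case B: runcon is executed from datalabeler_t already.  Only the level
# changes, so "-r system_r -t datalabeler_t" is redundant on the runcon
# command line, and the override belongs to datalabeler_t (the rule the
# original poster already has).
mls_process_set_level(datalabeler_t)

# Either way, the java process then runs at s1 while the controlling tty
# and the inherited stdin/stdout/stderr are still labelled at s0.
# Inheriting file descriptors across levels:
mls_fd_use_all_levels(datalabeler_t)
# Writing from s1 "down" to the s0 tty:
mls_file_write_down(datalabeler_t)

# Note: the caller's login range must contain the requested level; the
# thread shows root mapped to s0-s15:c0.c255, which contains s1.  The
# alternative suggested in the thread, "newrole -l s1", relabels the tty
# to the new level instead, so the two tty overrides above are then not
# required.
```

Which of the two `mls_process_set_level()` lines applies depends on the domain of the shell running runcon; `id -Z` in that shell tells you which one it is, and only that domain needs the interface.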