On Wed, 2008-01-16 at 12:05 -0500, Michael Thomas wrote:
> While testing some changes to the cyphesis selinux module in Rawhide, I
> started getting the following denials:
>
> type=AVC msg=audit(1200547499.303:66): avc: denied { write } for
> pid=2722 comm="cyphesis" name="context" dev=selinuxfs ino=5
> scontext=unconfined_u:system_r:cyphesis_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1200547499.303:67): avc: denied { check_context }
> for pid=2722 comm="cyphesis"
> scontext=unconfined_u:system_r:cyphesis_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=security
>
> What would cause these?

That suggests that cyphesis is invoking a libselinux function that is
validating a security context (by writing to /selinux/context).

Would be allowed by selinux_validate_context(cyphesis_t), if using
refpolicy interfaces and building via
make -f /usr/share/selinux/devel/Makefile.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
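
Added example, not part of the original thread or of the cyphesis policy: a small audit-log triage script that recognises the denial pair discussed above (a write to the selinuxfs "context" node plus security:check_context against security_t) and prints the refpolicy interface call named in the reply. The function names are hypothetical, and the sample input is the two quoted AVC records joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the message,
# each joined onto one line as it would appear in audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1200547499.303:66): avc: denied { write } for pid=2722 comm="cyphesis" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:cyphesis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1200547499.303:67): avc: denied { check_context } for pid=2722 comm="cyphesis" scontext=unconfined_u:system_r:cyphesis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None
    rec["perms"] = set(m.group(1).split())
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def domains_validating_contexts(log_text):
    """Source domains denied both halves of a context validation."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["ttype"] != "security_t":
            continue
        if (rec["tclass"] == "file" and "write" in rec["perms"]
                and rec.get("dev") == "selinuxfs"
                and rec.get("name") == "context"):
            seen[rec["stype"]].add("context_node_write")
        if rec["tclass"] == "security" and "check_context" in rec["perms"]:
            seen[rec["stype"]].add("check_context")
    return sorted(d for d, halves in seen.items() if len(halves) == 2)

def suggest_policy(log_text):
    """Interface call from the reply, one per matching domain."""
    return [f"selinux_validate_context({d})"
            for d in domains_validating_contexts(log_text)]

if __name__ == "__main__":
    print("\n".join(suggest_policy(SAMPLE_LOG)))
```

A domain is reported only when both denials are present, so an unrelated write to another selinuxfs node does not produce the suggestion.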