On 04/08/2009 09:11 PM, Brian Ginn wrote:
I am attempting to use the fsetfilecon() call within a C program. Several other libselinux calls are working OK, but this call fails in enforcing mode (it works in permissive mode).
The audit.log and audit2allow are suggesting policy code that I already have in the policy.
I suspect that I'm being bitten by a "don't audit" rule somewhere.
Is there a reference policy macro that I can include to get fsetfilecon() to work?
Note: I already included
selinux_get_enforce_mode( t_selinux_api_t );
to get the security_getenforce() function to work.
Thanks,
Brian
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You are most likely hitting a constraint.
If you run your avc messages through audit2why, you will probably see it
is a constraint.
If you are changing the user component of a file you need
domain_obj_id_change_exemption():
########################################
## <summary>
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
## </summary>
## <param name="domain">
## <summary>
## The process type to make an exception to the constraint.
## </summary>
## </param>
## <rolecap/>
#
interface(`domain_obj_id_change_exemption',`
	gen_require(`
		attribute can_change_object_identity;
	')

	typeattribute $1 can_change_object_identity;
')
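As an added illustration of the diagnosis above (not code from the thread), this Python script pairs the relabelfrom/relabelto AVC records that one fsetfilecon() call produces and reports which components of the file label changed, flagging a user-identity change as the case that needs domain_obj_id_change_exemption(). The AVC lines, pid and comm values are constructed; only the t_selinux_api_t domain name comes from the thread.

```python
import re

# Constructed AVC records (not from the thread) for a process in the
# t_selinux_api_t domain relabelling data.txt from system_u to user_u.
AVC_LOG = """\
type=AVC msg=audit(1239224000.123:101): avc:  denied  { relabelfrom } for  pid=2345 comm="labeltest" name="data.txt" dev=sda1 ino=4711 scontext=system_u:system_r:t_selinux_api_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1239224000.123:101): avc:  denied  { relabelto } for  pid=2345 comm="labeltest" name="data.txt" dev=sda1 ino=4711 scontext=system_u:system_r:t_selinux_api_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the permissions and contexts of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    return dict(zip(("user", "role", "type", "range"), parts))

def explain_relabel(log):
    """Pair the relabelfrom (old label) and relabelto (new label) denials of a
    relabel on a file and list the label components that differ. A changed
    user component is what the refpolicy constraint blocks; the domain then
    needs domain_obj_id_change_exemption(). Type-only changes need allow rules."""
    old = new = None
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "file":
            continue
        if "relabelfrom" in rec["perms"]:
            old = split_context(rec["tcontext"])
        if "relabelto" in rec["perms"]:
            new = split_context(rec["tcontext"])
    if old is None or new is None:
        return {"changed": [], "needs_exemption": False}
    changed = [k for k in ("user", "role", "type", "range") if old.get(k) != new.get(k)]
    return {"changed": changed, "needs_exemption": "user" in changed}

if __name__ == "__main__":
    print(explain_relabel(AVC_LOG))
```

Feed it the relabelfrom/relabelto pair from audit.log; audit2why gives the authoritative answer, this only shows why the allow rules audit2allow proposes were not enough.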