Re: Two different Java programs on same machine

On Wed, Jul 14, 2010 at 05:47:24PM +0200, giovanni testing wrote:
> Thank you for replying so fast.
> 
> I'm trying runcon but it throws "Permission denied" and no AVC appears (I don't
> know how to fix it).
> 
> This happens when applying the command "runcon -t MyPolicy_t nano" (nano is
> executed to make it easier to probe the file permissions of the policy
> (try to open files of MyPolicy and verify that they are read only, read and
> write, or not accessible)).
> 
> What should I do to fix it?

Maybe your role is not allowed the MyPolicy_t domain. This should cause "SELINUX_ERR" entries in /var/log/audit/audit.log instead of AVC denials.

> 
> Thank you again
> 
> 2010/7/14 Stephen Smalley <sds@xxxxxxxxxxxxx>
> 
> > On Wed, 2010-07-14 at 16:46 +0200, giovanni testing wrote:
> > > Hi everyone,
> > >
> > > I have to run two different Java programs, with different permissions
> > > (they access different files and listen to different ports).
> > > Is there some way to specify different rules even though they share the
> > > same executable (Java)?
> > >
> > > I'm thinking of one possibility, but I think that is not possible:
> > > -If you come from unconfined_t and run MyPolice_exec_t (java), the
> > > transition goes to MyPoliceA_t
> > > -If you come from user_t and run MyPolic_exec_t(java), the transition
> > > goes to MyPoliceB_t
> >
> > That is possible, but you don't want to label java itself with
> > MyPolice_exec_t.  Instead, create a wrapper that invokes java with the
> > right arguments, and label it with MyPolice_exec_t.
> >
> > You can also use runcon -t to launch a program in a particular domain
> > type if the caller is authorized to do so, e.g.
> >        runcon -t MyPolice_t java ...
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> >

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
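
The reply above points at SELINUX_ERR records rather than AVC denials. As an added example (not part of the original thread), this shell function filters audit-log text for such records and counts the role/type pair of each context the kernel rejected. The sample lines are constructed, the record layout is assumed to follow the kernel's `security_compute_sid:  invalid context` message, and `MyPolicy_exec_t` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list role/type pairs from SELINUX_ERR "invalid context" records.

# Constructed sample input modeled on audit.log lines; not taken from a real host.
# MyPolicy_exec_t is a hypothetical entrypoint type for the wrapper script.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1279122000.101:40): avc:  denied  { read } for  pid=2101 comm="nano" name="a.conf" dev=dm-0 ino=77 scontext=unconfined_u:unconfined_r:MyPolicy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1279122444.317:52): security_compute_sid:  invalid context unconfined_u:unconfined_r:MyPolicy_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:MyPolicy_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1279122450.002:53): security_compute_sid:  invalid context unconfined_u:unconfined_r:MyPolicy_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:MyPolicy_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1279122460.900:54): security_compute_sid:  invalid context user_u:user_r:MyPolicy_t:s0 for scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:MyPolicy_exec_t:s0 tclass=process
EOF
}

# Reads audit-log text on stdin and prints "<count> <role> <type>" for every
# role/type pair that appears in a rejected process context.
role_type_gaps() {
    awk '
        $1 == "type=SELINUX_ERR" && /invalid context/ && /tclass=process/ {
            for (i = 2; i < NF; i++) {
                if ($i == "context" && $(i - 1) == "invalid") {
                    # A context is user:role:type[:mls-range]
                    n = split($(i + 1), f, ":")
                    if (n >= 3) seen[f[2] " " f[3]]++
                }
            }
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2,3
}

sample_log | role_type_gaps
```

On a live system the function can read the file named in the reply, for example `role_type_gaps < /var/log/audit/audit.log`. A pair listed here means the loaded policy does not authorize that role for that type, which a `role <role> types <type>;` statement in the policy module addresses.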
