Hi,

I'm trying to create a new policy for a constrained process (started by an unconstrained user) and am stuck trying to get the process started in the right context.

Here are the steps I followed:

0. confirm SELinux status

[proxyuser@lime ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
[proxyuser@lime ~]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
[proxyuser@lime cz]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0

1. create policy via

sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

Note that CZtp is a shell script which in turn calls the JVM.

[proxyuser@lime cz]$ sudo ./CZtp.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZtp.pp
+ /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
/sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0

2. Verify that the CZtp file is labeled properly:

[proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

3. start process

[proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
[proxyuser@lime target]$ ./CZtp

4. Verify process context

[proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp

Note that the process shows up as unconfined_t, although it was labeled with CZtp_exec_t. What am I missing?

4. check process context

--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@xxxxxxx
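
The situation in the message above, as an added example that is not part of the original post or of the generated policy: a small model of how the domain of a new process is chosen at exec time, which depends on a type_transition rule for the caller's domain and not only on the file label. The domain name CZtp_t, the initrc_t source and the rule lines are constructed assumptions; only the two contexts are copied from the post.

```shell
#!/bin/sh
# Models only the default-domain lookup at exec time. A working transition
# also needs the matching allow rules and a role authorized for the new type.

# Constructed sample rules in policy-language syntax (assumptions, not the
# rules sepolgen actually generated for the poster).
RULES='type_transition initrc_t CZtp_exec_t : process CZtp_t;
type_transition unconfined_t other_exec_t : process other_t;'

# ctx_type CONTEXT -> the type field of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# domain_after_exec PROC_CONTEXT FILE_CONTEXT RULES
# Prints the rule's default type when a process type_transition matches
# (caller domain, file type); otherwise the caller's domain is kept.
domain_after_exec() {
    src=$(ctx_type "$1")
    exe=$(ctx_type "$2")
    new=$(printf '%s\n' "$3" | awk -v s="$src" -v e="$exe" '
        { gsub(/[:;]/, " ") }   # tolerate "a_t:process" and "a_t : process"
        $1 == "type_transition" && $2 == s && $3 == e && $4 == "process" {
            print $5; exit
        }')
    printf '%s\n' "${new:-$src}"
}

# Contexts copied from the `id -Z` and `ls -lZ` output in the post.
SHELL_CTX='unconfined_u:unconfined_r:unconfined_t:s0'
FILE_CTX='system_u:object_r:CZtp_exec_t:s0'

# No rule names unconfined_t as the source, so the label alone changes nothing.
domain_after_exec "$SHELL_CTX" "$FILE_CTX" "$RULES"    # prints unconfined_t

# With a (hypothetical) rule for unconfined_t the new domain is selected.
domain_after_exec "$SHELL_CTX" "$FILE_CTX" "$RULES
type_transition unconfined_t CZtp_exec_t:process CZtp_t;"    # prints CZtp_t
```

On a live system the loaded rules to feed into such a check can be listed with `sesearch -T -s unconfined_t -t CZtp_exec_t`.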