You are probably missing a domain type transition. Running the following command you can see if unconfined_t has a domain type transition defined when it runs executable files with type CZtp_exec_t:

sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t

If none is specified, then you must specify that your calling domain, unconfined_t, domain type transitions to CZtp_t when a file with type CZtp_exec_t is executed. You will also need to allow the unconfined_r role the CZtp_t domain. After that you may want to allow unconfined_t to interact with CZtp_t in other ways as well, but at least by then the type transition should happen.

The policy:

gen_require(`
	type unconfined_t, CZtp_exec_t, CZtp_t;
	role unconfined_r;
')

domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;

On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
> Hi,
>
> I'm trying to create a new policy for a constrained process (started by
> an unconstrained user) and am stuck trying to get the process started
> in the right context.
>
> Here are the steps I followed:
>
> 0. confirm SELinux status
> [proxyuser@lime ~]$ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
>
> [proxyuser@lime ~]$ cat /etc/redhat-release
> Fedora release 14 (Laughlin)
>
> [proxyuser@lime cz]$ id -Z
> unconfined_u:unconfined_r:unconfined_t:s0
>
> 1. create policy via
>
> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>
> Note that CZtp is a shell script which in turn calls the JVM.
>
> [proxyuser@lime cz]$ sudo ./CZtp.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZtp.pp
> + /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> /sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
>
> 2. Verify that the CZtp file is labeled properly:
> [proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>
> 3. start process
> [proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
> [proxyuser@lime target]$ ./CZtp
>
> 4. Verify process context
> [proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp
>
>
> Note that the process shows up as unconfined_t, although it was labeled
> with CZtp_exec_t.
>
> What am I missing?
>
>
>
> 4. check process context
>
Attachment:
signature.asc
Description: This is a digitally signed message part
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
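As an added illustration that is not part of the original thread, here is a small Python checker that parses sesearch-style rule listings and reports which of the pieces a domain transition needs are still missing. The rule text formats and both sample policies are constructed assumptions; the five checks correspond to what domtrans_pattern() and the role statement in the reply above provide (execute on the entrypoint file, process transition, file entrypoint, the type_transition rule, and the role authorisation).

```python
import re

# Assumed rule formats: setools-4 style sesearch output for allow and
# type_transition rules, and the policy-language form for role statements.
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{ ([^}]*) \}|(\S+));$")
TYPE_TRANS_RE = re.compile(r"^type_transition (\S+) (\S+):process (\S+);$")
ROLE_RE = re.compile(r"^role (\S+) types (\S+);$")

# Constructed sample modelling the original poster's situation: the script
# labelled CZtp_exec_t may be executed, but nothing switches the new
# process into CZtp_t, so it stays unconfined_t.
BROKEN_POLICY = """\
allow unconfined_t CZtp_exec_t:file { execute getattr open read };
allow CZtp_t CZtp_exec_t:file { entrypoint };
"""
# Constructed sample of the rules the reply's domtrans_pattern() plus the
# role statement add (only the parts a transition actually needs).
FIXED_POLICY = BROKEN_POLICY + """\
allow unconfined_t CZtp_t:process transition;
type_transition unconfined_t CZtp_exec_t:process CZtp_t;
role unconfined_r types CZtp_t;
"""

def parse_policy(text):
    """Return (allow perms, type_transitions, role-type pairs) as sets."""
    allows, transitions, roles = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := ALLOW_RE.match(line):
            src, tgt, cls, braced, single = m.groups()
            for perm in (braced or single).split():
                allows.add((src, tgt, cls, perm))
        elif m := TYPE_TRANS_RE.match(line):
            transitions.add(m.groups())
        elif m := ROLE_RE.match(line):
            roles.add(m.groups())
    return allows, transitions, roles

def missing_for_domtrans(text, src, exec_t, dom, role):
    """List the pieces still absent for src -> dom when exec_t is executed."""
    allows, transitions, roles = parse_policy(text)
    checks = [
        (f"allow {src} {exec_t}:file execute", (src, exec_t, "file", "execute") in allows),
        (f"allow {src} {dom}:process transition", (src, dom, "process", "transition") in allows),
        (f"allow {dom} {exec_t}:file entrypoint", (dom, exec_t, "file", "entrypoint") in allows),
        (f"type_transition {src} {exec_t}:process {dom}", (src, exec_t, dom) in transitions),
        (f"role {role} types {dom}", (role, dom) in roles),
    ]
    return [rule for rule, present in checks if not present]
```

Running missing_for_domtrans(BROKEN_POLICY, "unconfined_t", "CZtp_exec_t", "CZtp_t", "unconfined_r") names the transition, type_transition and role rules as absent, while the same call on FIXED_POLICY returns an empty list.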