Hi! On my CentOS6 test box I'm facing a strange problem. I'd like to have a uid!=0 user which is mapped to the selinux sysadm_u user. To achieve this I did "semanage login -a -s sysadm_u setest". But "runcon -t sysadm_t -u sysadm_u -r sysadm_r /bin/bash" failed. The transition got blocked for the following reason:

type=AVC msg=audit(1357223866.943:29): avc: denied { transition } for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process

Using audit2allow I've created an allow rule to allow the transition.

---cut---
[root@selinuxbox ~]# cat sysadm.te

module sysadm 1.0;

require {
	type unconfined_t;
	type sysadm_t;
	class process transition;
}

#============= unconfined_t ==============
allow unconfined_t sysadm_t:process transition;
---cut---

I've loaded the new rule using "semodule -i sysadm.pp".

---cut---
[root@selinuxbox ~]# sesearch --all | grep "allow unconfined_t sysadm_t"
   allow unconfined_t sysadm_t : process { transition sigchld } ;
---cut---

As you can observe, a transition from unconfined_t to sysadm_t is now allowed. But runcon still fails and audit logs the same deny message. Also audit2allow created exactly the same allow rule again.

What is preventing runcon from working?

--
Thanks,
//richard

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
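Editor's note (added here, not part of the thread): audit2allow only emits type-enforcement rules, but the denial quoted above changes the SELinux user and the role as well as the type. A role change needs a role allow rule and a user change is governed by policy constraints, and a failure in either is reported with the same AVC "denied { transition }" line. The small parser below, written for this note with the post's own AVC line as constructed sample input, splits both contexts and reports which fields differ, so the reader can see what a TE allow rule does and does not cover:

```python
import re

# The AVC line from the post, embedded as constructed sample input.
AVC_LINE = ('type=AVC msg=audit(1357223866.943:29): avc: denied { transition } '
            'for pid=1105 comm="runcon" path="/bin/bash" dev=dm-0 ino=130087 '
            'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
            'tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process')

FIELDS = ("user", "role", "type", "range")


def parse_context(ctx):
    # user:role:type[:range]; the MLS range itself may contain ':' (s0-s0:c0.c1023),
    # so split at most three times and keep the remainder as the range.
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    if len(parts) == 3:
        parts.append("")
    return dict(zip(FIELDS, parts))


def parse_avc(line):
    # Pull the denied permission set, both contexts and the object class out of an AVC record.
    m = re.search(r'denied\s+\{\s*([^}]*?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)', line)
    if not m:
        raise ValueError("not an AVC denial line")
    perms, scon, tcon, tclass = m.groups()
    return {"perms": perms.split(), "scontext": parse_context(scon),
            "tcontext": parse_context(tcon), "tclass": tclass}


def classify_transition(avc):
    """For a process transition denial, list which context fields change.

    A TE allow rule (what audit2allow writes) only covers the type change;
    role changes need a role allow rule and user changes are checked by
    policy constraints, both of which deny with this same AVC message."""
    if avc["tclass"] != "process" or "transition" not in avc["perms"]:
        return None
    s, t = avc["scontext"], avc["tcontext"]
    changed = [f for f in FIELDS if s[f] != t[f]]
    hints = []
    if "type" in changed:
        hints.append(f"allow {s['type']} {t['type']}:process transition;")
    if "role" in changed:
        hints.append(f"allow {s['role']} {t['role']};  (role allow rule)")
    if "user" in changed:
        hints.append(f"user {s['user']} -> {t['user']}: governed by constraints, not TE rules")
    return {"changed": changed, "hints": hints}
```

Running `classify_transition(parse_avc(AVC_LINE))` on the post's line reports user, role and type all changing, which is why the single TE rule from audit2allow leaves the denial in place.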