I'm using Fedora 23 with confined users:
[root@earth ~]# semanage user -l | egrep '^(SELinux|staff_u)'
SELinux User Prefix MCS Level MCS Range SELinux Roles
staff_u user s0 s0-s0:c0.c1023 staff_r system_r unconfined_r
I'd like to allow this user to start a process running as themselves
under a targeted policy, nodejswebserver_t, but when I try to run the
executable, I get "Permission denied":
[markmont@earth ~]$ id -Z
staff_u:staff_r:staff_t:s0
[markmont@earth ~]$ ls -lZ /sw/sbin/node
-rwxr-xr-x. 1 markmont markmont system_u:object_r:nodejswebserver_exec_t:s0 29949360 Oct 4 16:39 /sw/sbin/node
[markmont@earth ~]$ /sw/sbin/node
-bash: /sw/sbin/node: Permission denied
[markmont@earth ~]$
The following denials appear in the audit log:
2016-10-12 18:05:29 type=AVC msg=audit(1476295529.526:48313): avc: denied { transition } for pid=1034 comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0
2016-10-12 18:05:29 type=PATH msg=audit(1476295529.526:48313): item=0 name="/sw/sbin/node" inode=294783 dev=fc:00 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:nodejswebserver_exec_t:s0 nametype=NORMAL
audit2allow suggests the following:
allow staff_t nodejswebserver_t:process transition;
...but this is already in my local policy:
domain_system_change_exemption(staff_t);
domtrans_pattern(staff_t, nodejswebserver_exec_t, nodejswebserver_t);
type_transition staff_t nodejswebserver_exec_t:process nodejswebserver_t;
role_transition staff_r nodejswebserver_exec_t system_r;
allow staff_t nodejswebserver_t:process transition;
allow staff_t nodejswebserver_t:process { noatsecure rlimitinh siginh };
I feel like I'm overlooking something fundamental regarding
transitioning out of a confined user domain to another domain. Any ideas?
--
Mark Montague
mark@xxxxxxxxxxx
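Added example (not part of the post above, and not from the SELinux project): a small Python checker that parses an AVC "transition" denial like the one quoted, splits the source and target contexts into user/role/type, and emits the list of policy statements a confined-user domain transition through an exec type needs, each paired with the query to verify it. A transition such as staff_t -> nodejswebserver_t also changes the role (staff_r -> system_r), so the checklist adds the role allow, the role_transition and a check that the SELinux user actually holds the target role. The sesearch/seinfo flags are those of setools 4 and are an assumption here; the two sample lines are constructed to match the shape of the post's output.

```python
"""Checklist generator for SELinux domain transitions out of a confined user domain.

Given an AVC denial on process:transition and the exec type of the binary, list
the policy statements that must exist and the query that verifies each one.
Sample input is constructed; sesearch/seinfo flags are setools 4 (assumed).
"""
import re

# Constructed sample lines (shaped like the post's audit and semanage output).
SAMPLE_AVC = (
    'type=AVC msg=audit(1476295529.526:48313): avc:  denied  { transition } '
    'for  pid=1034 comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 '
    'scontext=staff_u:staff_r:staff_t:s0 '
    'tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0'
)
SAMPLE_SEMANAGE = "staff_u user s0 s0-s0:c0.c1023 staff_r system_r unconfined_r"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_context(ctx):
    """Split user:role:type[:level] into fields; the level may itself contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": rest[0] if rest else ""}


def parse_avc(line):
    """Return denied permissions, both contexts and the class, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": parse_context(m.group("scontext")),
        "target": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def user_roles(semanage_line):
    """Roles of one SELinux user from a `semanage user -l` data line:
    everything after the four fixed columns (user, prefix, MCS level, MCS range)."""
    return set(semanage_line.split()[4:])


def missing_role(avc, roles_of_user):
    """The target role the SELinux user does not hold, or None if it is held."""
    r2 = avc["target"]["role"]
    return None if r2 in roles_of_user else r2


def transition_checklist(avc, exec_type):
    """(policy statement, verification command) pairs for an exec-based domain
    transition from the AVC's source type to its target type via exec_type."""
    src, tgt = avc["source"], avc["target"]
    s, t = src["type"], tgt["type"]
    checks = [
        (f"allow {s} {t}:process transition;",
         f"sesearch -A -s {s} -t {t} -c process -p transition"),
        (f"allow {s} {exec_type}:file execute;",
         f"sesearch -A -s {s} -t {exec_type} -c file -p execute"),
        (f"allow {t} {exec_type}:file entrypoint;",
         f"sesearch -A -s {t} -t {exec_type} -c file -p entrypoint"),
        (f"type_transition {s} {exec_type}:process {t};",
         f"sesearch -T -s {s} -t {exec_type} -c process"),
    ]
    if src["role"] != tgt["role"]:
        # A role change needs its own rules and a user that may hold the new role.
        r1, r2, u = src["role"], tgt["role"], src["user"]
        checks += [
            (f"allow {r1} {r2};",
             f"sesearch --role_allow -s {r1} -t {r2}"),
            (f"role_transition {r1} {exec_type} {r2};",
             f"sesearch --role_trans -s {r1} -t {exec_type}"),
            (f"SELinux user {u} must hold role {r2}",
             f"semanage user -l | grep '^{u}'"),
        ]
    return checks


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("missing role:", missing_role(avc, user_roles(SAMPLE_SEMANAGE)))
    for statement, command in transition_checklist(avc, "nodejswebserver_exec_t"):
        print(f"{statement:60s}  # {command}")
```

Running it against the sample prints seven statements to verify; the first four are the type-level rules and the last three cover the staff_r -> system_r role change. Process-transition constraints in the loaded policy (listed with `seinfo --constrain`, again a setools 4 flag assumed here) are a separate check the script does not perform.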