On 10/12/2016 08:16 PM, Mark Montague wrote:
> I'm using Fedora 23 with confined users:
>
> [root@earth ~]# semanage user -l | egrep '^(SELinux|staff_u)'
> SELinux User    Prefix  MCS Level  MCS Range          SELinux Roles
> staff_u         user    s0         s0-s0:c0.c1023     staff_r system_r unconfined_r
>
> I'd like to allow this user to start a process running as themselves
> under a targeted policy, nodejswebserver_t, but when I try to run the
> executable, I get "Permission denied":
>
> [markmont@earth ~]$ id -Z
> staff_u:staff_r:staff_t:s0
> [markmont@earth ~]$ ls -lZ /sw/sbin/node
> -rwxr-xr-x. 1 markmont markmont system_u:object_r:nodejswebserver_exec_t:s0 29949360 Oct 4 16:39 /sw/sbin/node
> [markmont@earth ~]$ /sw/sbin/node
> -bash: /sw/sbin/node: Permission denied
> [markmont@earth ~]$
>
> The following denials appear in the audit log:
>
> 2016-10-12 18:05:29 type=AVC msg=audit(1476295529.526:48313): avc: denied { transition } for pid=1034 comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0
> 2016-10-12 18:05:29 type=PATH msg=audit(1476295529.526:48313): item=0 name="/sw/sbin/node" inode=294783 dev=fc:00 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:nodejswebserver_exec_t:s0 nametype=NORMAL
>
> audit2allow suggests the following:
>
> allow staff_t nodejswebserver_t:process transition;
>
> ...but this is already in my local policy:
>
> domain_system_change_exemption(staff_t);
> domtrans_pattern(staff_t, nodejswebserver_exec_t, nodejswebserver_t);
> type_transition staff_t nodejswebserver_exec_t:process nodejswebserver_t;
> role_transition staff_r nodejswebserver_exec_t system_r;
> allow staff_t nodejswebserver_t:process transition;
> allow staff_t nodejswebserver_t:process { noatsecure rlimitinh siginh };
>
> I feel like I'm overlooking something fundamental regarding
> transitioning out of a confined user domain to another domain.
> Any ideas?

Hi Mark,

this is a constraint issue for the "transition" permission. The problem is your roles are different. You can try to use "audit2allow" which will tell you what is wrong.

1. Re-test it
2. Execute

# ausearch -m avc -su staff_t -ts recent |grep transition |audit2allow

Could you paste your output of audit2allow and we can continue with that?

Either you can have it running with the staff_r role without the

role_transition staff_r nodejswebserver_exec_t system_r;

rule, or you will need to add additional attributes from the audit2allow suggestions.

Thank you,
-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
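As an added illustration of the diagnosis in the reply above (this is example code, not code from the thread, from Red Hat or from the SELinux project), the following Python reads the AVC record Mark quoted and checks the two things the reply points at: whether the denied permission is already granted by a type enforcement allow rule, and whether the SELinux user or role differs between scontext and tcontext. When an allow rule exists but the user or role changes across the transition, the denial comes from a constraint on the process class rather than from missing type enforcement, which is why audit2allow then proposes attributes instead of a plain allow rule. The AVC line and the allow rule are copied from the thread; the function names, the Context type and the three verdict strings are this example's own.

```python
import re
from dataclasses import dataclass

# Fields of an AVC denial record that matter when checking a domain transition.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Context:
    """One SELinux security context, split into its four fields."""
    user: str
    role: str
    type: str
    level: str


def parse_context(ctx: str) -> Context:
    # user:role:type:level; the level itself may contain ':' (s0-s0:c0.c1023),
    # so split at most three times and keep the remainder as the level.
    user, role, typ, level = ctx.split(":", 3)
    return Context(user, role, typ, level)


def parse_avc(line: str) -> dict:
    """Extract denied permissions, object class and both contexts from an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    return {
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        "source": parse_context(m.group("scontext")),
        "target": parse_context(m.group("tcontext")),
    }


def classify_denial(line: str, local_allow_rules: set) -> str:
    """Verdict strings (this example's own naming):
    'not_in_te'  - at least one denied permission has no allow rule, so a TE rule is missing;
    'constraint' - every permission is already allowed by TE but the SELinux user or role
                   differs between source and target, so a process constraint is the cause;
    'other'      - allowed by TE and same user/role: look elsewhere (module not loaded, MLS).
    """
    rec = parse_avc(line)
    src, tgt = rec["source"], rec["target"]
    already_allowed = all(
        (src.type, tgt.type, rec["tclass"], perm) in local_allow_rules
        for perm in rec["perms"]
    )
    if not already_allowed:
        return "not_in_te"
    if src.user != tgt.user or src.role != tgt.role:
        return "constraint"
    return "other"


# The denial quoted in the thread, joined onto a single line.
THREAD_AVC = (
    'type=AVC msg=audit(1476295529.526:48313): avc: denied { transition } for pid=1034 '
    'comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 '
    'scontext=staff_u:staff_r:staff_t:s0 '
    'tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0'
)

# The allow rule that is already in the local policy quoted in the thread,
# as (source type, target type, class, permission).
LOCAL_RULES = {("staff_t", "nodejswebserver_t", "process", "transition")}


if __name__ == "__main__":
    rec = parse_avc(THREAD_AVC)
    print("source role:", rec["source"].role, "-> target role:", rec["target"].role)
    print("verdict:", classify_denial(THREAD_AVC, LOCAL_RULES))
```

Run against the thread's record the verdict is "constraint": staff_t is allowed to transition to nodejswebserver_t by type enforcement, but the role changes from staff_r to system_r, which is exactly the mismatch the reply describes. Feeding the same record with an empty rule set yields "not_in_te", the case in which audit2allow's suggested allow rule would actually be the fix.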