I recently switched from a targeted-mls policy to the RHEL5.1 mls
policy. I found that "newrole -r sysadm" failed in enforcing mode, even
though my selinux user was "root".
I had to add "files_search_default(newrole_t)" and
"files_getattr_default_dirs(newrole_t)" to the selinuxutil.te file to
allow newrole to getattr and search the /tmp-inst directory (type
default_t).
This was happening even with the read_default_t boolean set to true.
Here are the avc denial messages that I was getting:
type=AVC msg=audit(1196385320.559:722): avc: denied { getattr } for
pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337
scontext=root:staff_r:newrole_t:s0-s4:c0.c255
tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1196385320.559:723): avc: denied { search } for
pid=5092 comm="newrole" name="tmp-inst" dev=sda1 ino=5341337
scontext=root:staff_r:newrole_t:s0-s4:c0.c255
tcontext=system_u:object_r:default_t:s0 tclass=dir
I'm assuming this should have worked out of the box without having to
add these rules. Is there some configuration step that I missed?
Thanks
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
