On Thu, 2007-11-29 at 17:49 -0800, Clarkson, Mike R (US SSA) wrote:
> I recently switched from a targeted-mls policy to the RHEL5.1 mls
> policy. I found that "newrole -r sysadm" failed in enforcing mode, even
> though my selinux user was "root".
>
> I had to add "files_search_default(newrole_t)" and
> "files_getattr_default_dirs(newrole_t)" to the selinuxutil.te file to
> allow newrole to getattr and search the /tmp-inst directory (type
> default_t).
>
> This was happening even with the read_default_t boolean set to true.
>
> Here are the avc denial messages that I was getting:
>
> type=AVC msg=audit(1196385320.559:722): avc: denied { getattr } for
> pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337
> scontext=root:staff_r:newrole_t:s0-s4:c0.c255
> tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> type=AVC msg=audit(1196385320.559:723): avc: denied { search } for
> pid=5092 comm="newrole" name="tmp-inst" dev=sda1 ino=5341337
> scontext=root:staff_r:newrole_t:s0-s4:c0.c255
> tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> I'm assuming this should have worked out of the box without having to
> add these rules. Is there some configuration step that I missed?

It just means that you newroled while you were in this directory.
Newrole doesn't utilize read_default_t because we don't want privileged
programs like newrole accessing random default_t objects.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
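As an added example that is not part of the thread above, the following script shows how the two AVC records quoted by the poster are normally triaged: it parses the denials the way audit2allow would, merges them into a single allow rule (the rule that files_search_default(newrole_t) plus files_getattr_default_dirs(newrole_t) expand to), and then applies the point from the reply as a heuristic: when the target type is default_t, the object is simply mislabelled, and the right fix is to relabel it rather than to widen a privileged domain. The sample input is the two denial lines from the thread, embedded as a constant; the function names, the SUSPECT_TYPES set and the advice text are this example's own, not part of any SELinux tool.

```python
"""Minimal AVC-denial triage, modelled on what audit2allow does, plus one
heuristic: a denial whose target is default_t (or unlabeled_t) points at
a mislabelled object, so suggest relabelling instead of a new allow rule."""
import re
from collections import OrderedDict

# Constructed sample input: the two AVC records quoted in the thread above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1196385320.559:722): avc: denied { getattr } for pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337 scontext=root:staff_r:newrole_t:s0-s4:c0.c255 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1196385320.559:723): avc: denied { search } for pid=5092 comm="newrole" name="tmp-inst" dev=sda1 ino=5341337 scontext=root:staff_r:newrole_t:s0-s4:c0.c255 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that (in this example's heuristic) indicate a labelling
# problem rather than a missing policy rule.
SUSPECT_TYPES = {'default_t', 'unlabeled_t'}


def parse_avc(line):
    """Return the interesting parts of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is always the third field.
    src_type = fields['scontext'].split(':')[2]
    tgt_type = fields['tcontext'].split(':')[2]
    return {
        'perms': set(m.group('perms').split()),
        'src': src_type,
        'tgt': tgt_type,
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        # Kernel logs either the full path or just the last component.
        'obj': fields.get('path') or fields.get('name'),
    }


def collect_rules(text):
    """Merge denials into (source type, target type, class) -> permissions."""
    rules = OrderedDict()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['src'], d['tgt'], d['tclass'])
        rules.setdefault(key, set()).update(d['perms'])
    return rules


def format_allow(rules):
    """Render merged denials as policy allow rules (audit2allow style)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    ]


def triage(text):
    """Return (allow rules, advice). Advice flags rules that should not be
    added because the target type says the object is mislabelled."""
    rules = collect_rules(text)
    advice = []
    for (src, tgt, cls), perms in rules.items():
        if tgt in SUSPECT_TYPES:
            advice.append(
                f"{src} -> {tgt}:{cls} {sorted(perms)}: target is {tgt}, "
                "so relabel the object (matchpathcon / restorecon, or a "
                "semanage fcontext entry) rather than allowing the domain access"
            )
    return format_allow(rules), advice


if __name__ == '__main__':
    allow_rules, notes = triage(SAMPLE_AVCS)
    print('\n'.join(allow_rules))
    print('\n'.join(notes))
```

Run against the thread's two records, the script produces the single rule `allow newrole_t default_t:dir { getattr search };` and flags it, which matches the reply: the poster's two interface calls grant exactly that access, and the reason the policy does not ship with it is that newrole_t is a privileged domain and default_t is the catch-all for objects no file_contexts entry matched. Before editing selinuxutil.te, check what the loaded policy thinks /tmp-inst should be labelled with `matchpathcon /tmp-inst` and, if a context is defined, fix the label with `restorecon -v /tmp-inst`; whether the RHEL5.1 MLS policy defines one for that path is not stated in the thread and needs to be checked on the system.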