On 04/22/2009 12:38 PM, Justin Mattock wrote:
looking into using runcon
it seems I'm confronted with an
avc, that just keeps showing up:
allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
(even after adding this to the policy).
What I'm doing is this:
runcon name:user_r:user_t:s0-s0:c0.c255 firefox
the initial role I'm in is staff_r(transitioning to user_r for
firefox to run in)
Does this seem like the right thing to do,
or do I need to use newrole -r *
for something like firefox?
I guess the correct question is what is your security goal.
You are not currently allowed to transition from a staff_u user to a
user_r role. In order to make this happen you would need to use semange
to make sure your SELinux user "name" had both staff_r and user_r, and
then you would need to add a rule to policy that says staff_r can become
user_r. But transitioning to the new role is probably not what you want.
If your goal is to confine firefox. you would be better off using the
mozilla policy to say when a staff_t type executes mozilla_exec_t it
runs as staff_mozilla_t.
name:staff_r:staff_t -> system_u:object_r:mozilla_exec_t ->
name:staff_r:staff_mozilla_t
Confining mozilla/firefox has a whole bunch of other problems...
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
