On Fri, Aug 09, 2013 at 08:51:17AM -0400, Stephen Smalley wrote:
> On 08/08/2013 03:58 PM, Dan Pou wrote:
> > Thanks for the suggestion about strace, that is pointing to the problem.
> > I need to check the policy rules I have been adding to see how I got
> > here:
> >
> > write(3, "user_u:sysadm_r:sysadm_t:s0\0", 28) = -1 EINVAL (Invalid
> > argument)
> >
> > This is the second write. When I test the same code with sshd_t to
> > <username> transition, I get one write, with a successful return of
> > default_context_with_level.
> >
> > Thanks, this gives me something to go off of.
>
> Could be that security_compute_user() (which writes to
> /sys/fs/selinux/user) is getting an error or no results and thus the
> code is trying to fall back to the failsafe context (as specified in
> /etc/selinux/$SELINUXTYPE/contexts/failsafe_context), which isn't legal
> for user_u.
> The failsafe is to permit root / admin logins under such a situation.
>
> I'd look to see what the result of writing to /sys/fs/selinux/user was
> and what was written to it in the strace output. You can also directly
> call security_compute_user via the compute_user tool under
> libselinux/utils if you obtain and build the sources yourself. That
> utility doesn't appear to get included in the libselinux-utils rpm though.

I added the system_r:my_daemon_t:s0 user_r:user_t:s0 role transition to /etc/selinux/mls/contexts/default_contexts. This got me to actually writing user_u:user_r:user_t:s0 for setexeccon, but I am still failing. It looks like it is failing in selinux_trans_to_raw_context. I was thinking this was an issue with declaring the transition. What steps do I need to set up a role_transition and/or type_transition? I tried adding the following to no avail:

    type_transition my_daemon_t non_security_file_type:process user_t;

Do I need more type_transitions, or additional role_transition declarations (aside from /etc/selinux/mls/contexts/default_context)?
Other info: The daemon (without SELinux) just sets the euid/egid to match the user requesting the job. So I inserted calls to getseuserbyname, get_default_context_with_rolelevel or get_default_context_with_level, then setexeccon the returned context before execve'ing.

Thanks
-Dan

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
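Stephen's advice above, to look at what the write to /sys/fs/selinux/user returns, can be followed without building the compute_user tool. The following is an added example, not code from this thread or from libselinux: it performs the same query as security_compute_user() against selinuxfs and parses the kernel's reply. It assumes selinuxfs is mounted at /sys/fs/selinux and that the caller is permitted to open it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define SELINUXFS_USER "/sys/fs/selinux/user"

/* Kernel reply: "<count>\0<ctx1>\0<ctx2>\0...". Parse into a NULL-terminated
 * array; returns the count, or -1 if malformed. buf must end in a NUL. */
int parse_user_reply(const char *buf, size_t len, char ***out)
{
    const char *nul = memchr(buf, '\0', len);   /* end of the count field */
    unsigned int nel, i = 0;
    char **ary;

    if (!nul || sscanf(buf, "%u", &nel) != 1)
        return -1;
    if (!(ary = calloc(nel + 1, sizeof(*ary))))
        return -1;
    for (size_t pos = (nul - buf) + 1; i < nel && pos < len; i++) {
        ary[i] = strdup(buf + pos);
        pos += strlen(buf + pos) + 1;
    }
    if (i != nel) {                             /* fewer contexts than claimed */
        while (i--) free(ary[i]);
        free(ary);
        return -1;
    }
    *out = ary;                                 /* ary[nel] is NULL via calloc */
    return (int)nel;
}

/* Ask the kernel which contexts seuser may reach from scon (what libselinux's
 * security_compute_user() and the compute_user tool do). Returns the count, or
 * -1 with errno set: ENOENT if selinuxfs is absent, EINVAL if rejected. */
int compute_user_contexts(const char *scon, const char *seuser, char ***out)
{
    char buf[4096];
    int fd, n;
    if ((fd = open(SELINUXFS_USER, O_RDWR | O_CLOEXEC)) < 0)
        return -1;
    n = snprintf(buf, sizeof buf, "%s %s", scon, seuser);
    if (n < 0 || (size_t)n >= sizeof buf || write(fd, buf, n) != n) {
        close(fd); return -1;
    }
    memset(buf, 0, sizeof buf);                 /* reply comes back on the same fd */
    n = (int)read(fd, buf, sizeof buf - 1);
    close(fd);
    return n < 0 ? -1 : parse_user_reply(buf, (size_t)n, out);
}
```

An empty reply (count 0) for the daemon's source context and the target seuser is the "no results" case Stephen describes, and EINVAL from the write means the kernel rejected the source context itself.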