On Mon, Apr 17, 2017 at 05:02:14PM -0500, Ian Pilcher wrote:
> I am having a weird problem writing a policy for a service. The service
> needs to set SELinux file contexts, so I've created a rule to allow
> this:
>
> allow acme_nss_t cert_t : file { read write create getattr setattr
> relabelfrom relabelto open } ;
>
> Despite this, I am still getting this denial:
>
> avc: denied { relabelto } for pid=3561 comm="update-mod-nss"
> name="cert8.db" dev="dm-0" ino=50343845
> scontext=system_u:system_r:acme_nss_t:s0
> tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
>
> Any ideas?

acme_nss_t needs to be associated with "can_change_object_identity" to be able to change the object identity from system_u to unconfined_u:

typeattribute acme_nss_t can_change_object_identity;

or the appropriate macro:

domain_obj_id_change_exemption(acme_nss_t)

But there is no need to change the object identity in the first place; system_u will do fine.

> --
> ========================================================================
> Ian Pilcher arequipeno@xxxxxxxxx
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
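Added worked example (editor's addition, not code from either poster): a small shell helper that triages a relabelto denial of the kind quoted above and emits the module that Dominick's reply describes. The SELinux user field of scontext and tcontext is compared first, because an allow rule on the type pair cannot satisfy the base policy's constraint on changing the object's user; only a domain carrying can_change_object_identity can. The sample AVC line is constructed from the one in the thread; the module name acme_nss_fix, the output file path, and the build_and_load step are assumptions for this example.

```shell
#!/bin/sh
# Editor's example: diagnose a relabelto denial and generate the fix.
# Sample AVC line, constructed from the denial quoted in the thread.
SAMPLE_AVC='avc: denied { relabelto } for pid=3561 comm="update-mod-nss" name="cert8.db" dev="dm-0" ino=50343845 scontext=system_u:system_r:acme_nss_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file'

# Extract the value of a name=value field from an AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# "user-change" when the SELinux user differs between scontext and
# tcontext (the constraint case, where an allow rule alone is not
# enough), "allow-rule" when the users match and a plain allow suffices.
avc_diagnose() {
    sctx=$(avc_field scontext "$1")
    tctx=$(avc_field tcontext "$1")
    if [ "${sctx%%:*}" != "${tctx%%:*}" ]; then
        echo "user-change"
    else
        echo "allow-rule"
    fi
}

# Write a policy module (module name acme_nss_fix is an assumption)
# containing the poster's original allow rule plus the exemption macro
# from the reply. Domain and file type are taken from the AVC line.
write_te() {
    sctx=$(avc_field scontext "$1")
    tctx=$(avc_field tcontext "$1")
    domain=$(printf '%s' "$sctx" | cut -d: -f3)
    ftype=$(printf '%s' "$tctx" | cut -d: -f3)
    cat > "$2" <<EOF
policy_module(acme_nss_fix, 1.0)

gen_require(\`
    type $domain;
    type $ftype;
')

# The rule from the original post: sufficient for a same-user relabel.
allow $domain $ftype:file { read write create getattr setattr relabelfrom relabelto open };

# Needed only because the object's SELinux user changes. Equivalent to:
#   typeattribute $domain can_change_object_identity;
domain_obj_id_change_exemption($domain)
EOF
}

# Build with the reference-policy devel Makefile and load it (needs root
# and selinux-policy-devel; not run at definition time). The seinfo line
# confirms the domain now carries the attribute.
build_and_load() {
    make -f /usr/share/selinux/devel/Makefile acme_nss_fix.pp
    semodule -i acme_nss_fix.pp
    seinfo -a can_change_object_identity -x | grep -w "$1"
}

# Usage:
#   avc_diagnose "$SAMPLE_AVC"            -> user-change
#   write_te "$SAMPLE_AVC" acme_nss_fix.te
#   build_and_load acme_nss_t
```

The cheaper fix the reply recommends is to avoid the identity change altogether: have update-mod-nss label cert8.db as system_u:object_r:cert_t:s0 (for instance by running restorecon on it, or by only changing the type component), in which case avc_diagnose reports "allow-rule" and the exemption macro is not needed. If audit2why is available, it reports the same situation as a constraint violation rather than a missing allow rule.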