[redhat-lspp] SELinux/MLS question
Stephen Smalley
sds at tycho.nsa.gov
Thu Nov 17 20:28:36 UTC 2005
On Thu, 2005-11-17 at 14:14 -0600, Kris Wilson wrote:
> We're running kernel 2.6.14-1.1639.2.2_FC5smp and get "Permission denied"
> executing a test script.
>
> We're running with security context root::sysadm_t:s0-s15:c0.c255 and the
> file has root:object_r:etc_runtime_t:s0, which seems to have happened by
> default; I didn't specifically label it.
>
> What should the security context be for such a script? audit2allow shows
> we need to add "allow sysadm_t etc_runtime_t:file { execute
> execute_no_trans };" which we tried to add to our policy.conf, but
> load_policy is segfaulting.
>
> Any ideas? Thanks!
etc_runtime_t is the type for a runtime created file under /etc,
e.g. /etc/mtab. Where is this script located and how was it created?
I don't think you want to allow this; you want to label your script
appropriately, either using an existing executable type like bin_t or
introducing your own type as part of your test policy (which is what we
did for the selinux testsuite).
Naturally, load_policy shouldn't be segfaulting, so you should bugzilla
that with details about the version of policycoreutils, libselinux,
libsepol, selinux-policy-mls, etc.
--
Stephen Smalley
National Security Agency
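An added example (not code from the thread) of the check the reply recommends: inspect the type on a test script and relabel it with an existing executable type instead of adding an allow rule for etc_runtime_t. It assumes GNU stat (for %C), chcon from coreutils, and that bin_t is present in the loaded policy; the list of executable types is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: check the SELinux type on a
# test script before running it, and relabel it with an executable type if
# it picked up a non-executable type such as etc_runtime_t.
# Assumptions: GNU stat (%C prints the context), chcon from coreutils, and
# bin_t as an existing executable type in the loaded policy.

# Print the type field of a user:role:type[:level] context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types the policy treats as executable for ordinary user/admin domains.
# This list is an assumption; extend it with your own test policy type.
is_exec_type() {
    case "$1" in
        bin_t|sbin_t|shell_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide from a context string whether the file needs relabelling:
# returns 0 if the type is already executable, 1 otherwise.
label_ok() {
    is_exec_type "$(ctx_type "$1")"
}

# Read the live context of a file (GNU stat prints it with %C).
file_ctx() {
    stat -c %C "$1"
}

# Relabel a script with bin_t. chcon changes only the inode label; a
# later restorecon reverts it unless file_contexts has a matching entry,
# so for anything permanent add the path to your policy's .fc file too.
relabel_script() {
    chcon -t bin_t "$1"
}

# Usage: sh check_label.sh /path/to/test.sh
if [ "$#" -gt 0 ]; then
    ctx=$(file_ctx "$1")
    if label_ok "$ctx"; then
        echo "$1: $ctx (executable type, nothing to do)"
    else
        echo "$1: $ctx (type $(ctx_type "$ctx") is not executable, relabelling)"
        relabel_script "$1"
    fi
fi
```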