Problem with upgrading a file sensitivity level with mls policy

Andy Suchoski andrew.suchoski at hp.com
Wed Oct 4 23:36:55 UTC 2006


Hello,

I've been trying to get a simple piece of code to work to upgrade a 
file's sensitivity level. I wrote a simple policy to have the process 
run in a new domain and assigned mlsfileupgrade to the domain. I thought 
I did everything needed to make it work but apparently not. The program 
does work in permissive mode so this isn't a DAC problem. (The target 
file is owned by andy, modebits 644 and the process runs as EUID=andy.) 
The kernel is 2.6.17.2178_FC5 and I'm using the 
selinux-policy-mls-2.3.7-2.fc5 policy.
Thanks.

Following is the AVC, code, policy, and example output.
------------------------------------------------------------------------------------------------------
type=AVC msg=audit(1160002208.475:477): avc:  denied  { relabelfrom } 
for  pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 
scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 
tcontext=user_u:object_r:user_t:s0 tclass=file
-----------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

int main(void)
{
  int retval;
  security_context_t secconstr, con;
  context_t seconstrct;

/* Get file context */
  retval = getfilecon("/app/foobar", &secconstr);
  if (retval < 0) { perror("getfilecon"); return 1; }
/* Print the context */
  printf("Security context is %s\n", secconstr);
/* Convert the security_context_t to a context_t (it keeps its own copy) */
  seconstrct = context_new(secconstr);
  freecon(secconstr);
  if (seconstrct == NULL) { perror("context_new"); return 1; }
/* Assign new sensitivity label */
  retval = context_range_set(seconstrct, "s0:c5");
  if (retval < 0) perror("context_range_set");
/* context_str() returns a pointer owned by the context_t; context_free() releases it */
  printf("NEW Security context is %s\n", context_str(seconstrct));
  retval = setfilecon("/app/foobar", context_str(seconstrct));
  if (retval < 0) perror("setfilecon");
  context_free(seconstrct);
/* Re-read the label to see whether the relabel took effect */
  retval = getfilecon("/app/foobar", &con);
  if (retval < 0) perror("getfilecon");
  else { printf("Read NEW security context %s\n", con); freecon(con); }
  return 0;
}
-------------------------------------------------------------------------------------------------------------------------
The policy:
policy_module(localmisc, 0.1.12)
require {
        type user_t;
        type user_tty_device_t;
};
type andy_t;
type andy_exec_t;
domain_type(andy_t)
mls_file_upgrade(andy_t)
domain_entry_file(andy_t, andy_exec_t)
domain_use_interactive_fds(andy_t)
allow andy_t user_tty_device_t:chr_file { read write };
domain_auto_trans(user_t, andy_exec_t, andy_t)
libs_use_ld_so(andy_t)
libs_use_shared_libs(andy_t)
role user_r types andy_t;
allow andy_t user_t: file { read getattr relabelfrom relabelto };
allow andy_t user_t:process sigchld;
---------------------------------------------------------------------------------------------------------------------
Output of the program:
[andy at localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy at localhost examples]$
----------------------------------------------------------------------------------------------------------------------
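As an added example (not code from the post or from libselinux), the two contexts from the AVC above parsed and compared without linking libselinux: the same "user:role:type:range" split that context_new() does, the range replacement that context_range_set() does, and a field-by-field comparison of the process (scontext) and file (tcontext) contexts. The struct and function names, buffer sizes and sample strings are mine.

```c
#include <stdio.h>
#include <string.h>

struct secctx { char user[64], role[64], type[64], range[128]; };

/* Parse "user:role:type:range"; the range may itself contain ':' (s0:c5). */
static int ctx_parse(const char *s, struct secctx *c)
{
    char buf[256], *rest = buf, *f[3];
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    for (int i = 0; i < 3; i++) {          /* user, role, type */
        char *colon = strchr(rest, ':');
        if (!colon) return -1;
        *colon = '\0';
        f[i] = rest;
        rest = colon + 1;                  /* what remains is the MLS range */
    }
    if (!*f[0] || !*f[1] || !*f[2] || !*rest) return -1;
    snprintf(c->user, sizeof c->user, "%s", f[0]);
    snprintf(c->role, sizeof c->role, "%s", f[1]);
    snprintf(c->type, sizeof c->type, "%s", f[2]);
    snprintf(c->range, sizeof c->range, "%s", rest);
    return 0;
}

/* Replace the range and rebuild the string, like context_range_set() + context_str(). */
static int ctx_set_range(struct secctx *c, const char *range, char *out, size_t n)
{
    if (snprintf(c->range, sizeof c->range, "%s", range) >= (int)sizeof c->range) return -1;
    return snprintf(out, n, "%s:%s:%s:%s", c->user, c->role, c->type, c->range) < (int)n ? 0 : -1;
}

/* Bitmask of differing fields: 1 = SELinux user, 2 = role, 4 = type, 8 = MLS range. */
static int ctx_diff(const struct secctx *a, const struct secctx *b)
{
    return (strcmp(a->user, b->user) ? 1 : 0) | (strcmp(a->role, b->role) ? 2 : 0)
         | (strcmp(a->type, b->type) ? 4 : 0) | (strcmp(a->range, b->range) ? 8 : 0);
}

int main(void)
{
    struct secctx s, t;                     /* constructed from the scontext/tcontext in the AVC above */
    char newctx[256];
    if (ctx_parse("andy_u:user_r:andy_t:s0-s15:c0.c255", &s) || ctx_parse("user_u:object_r:user_t:s0", &t))
        return 1;
    if (ctx_diff(&s, &t) & 1)               /* the SELinux user differs, not only the range */
        printf("user differs: %s (process) vs %s (file)\n", s.user, t.user);
    ctx_set_range(&t, "s0:c5", newctx, sizeof newctx);
    printf("new file context: %s\n", newctx);
    return 0;
}
```

The user field is worth checking alongside the range: the reference policy's constraints file restricts relabelfrom/relabelto between different SELinux users to source types carrying the can_change_object_identity attribute, independently of the MLS constraints that mls_file_upgrade() addresses.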