trouble using runcon

Stephen Smalley sds at tycho.nsa.gov
Wed May 2 11:35:37 UTC 2007


On Tue, 2007-05-01 at 10:17 -0400, Stephen Smalley wrote:
> On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> > Whenever I use runcon in my script, I get the error
> > “root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context”,
> > regardless of the user, role, type, and mls level that I specify with
> > the runcon command. In fact, even when I specify the context that I’m
> > already running in with the runcon statement, I get the above error.
> > So for instance, if I run the script WITHOUT the runcon command, it
> > runs fine with the following security context (verified with a ps -efZ
> > command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> > script with a runcon statement that specifies the exact same user,
> > role, type, and mls level I get the error shown above.
> 
> (please disable html mail in your client when posting to public mail
> lists)
> 
> Are you running in permissive mode?  In permissive mode, SELinux will
> allow policy-defined domain transitions to happen even if the context is
> not fully valid but will still reject those contexts if explicitly
> specified by an application (e.g. by runcon).
> 
> Make sure that you have authorized the context in your policy, e.g.
> - is root authorized for system_r and for s0-s15:c0.c255 via a user
> declaration?
> - is system_r authorized for datalabeler_t via a role declaration?

To summarize the solution for the list (discussion went off-list), the
problem in this case was lack of permission for the datalabeler_t domain
to validate contexts (selinux_validate_context() refpolicy interface),
resulting in runcon always failing to validate the context and reporting
an invalid context.  Likely should file a bug against coreutils for
runcon to add strerror(errno) to the error message when
security_check_context() fails so that we would see it as a Permission
denied.

-- 
Stephen Smalley
National Security Agency
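As an added illustration of the closing suggestion (example code, not from the thread or from coreutils): a runcon-style check that appends strerror(errno) when security_check_context() fails, so a domain that is denied the validate-context permission reports "Permission denied" instead of a bare "is not a valid context". It assumes libselinux's security_check_context(); the enum and helper names are mine.

```c
/* Added example, not from the thread: a runcon-style check whose failure
 * message includes strerror(errno), as suggested above for coreutils.
 * libselinux is a weak reference, so this builds and runs without it too.
 * On an SELinux host build with: cc -o ctxcheck ctxcheck.c -lselinux   */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* NULL unless linked against libselinux. */
extern int security_check_context(const char *con) __attribute__((weak));
enum check_result { CHECK_VALID, CHECK_INVALID, CHECK_DENIED, CHECK_OTHER, CHECK_UNAVAILABLE };

/* EINVAL: the policy really rejects the context.  EACCES/EPERM: the calling
 * domain may not validate contexts at all (the datalabeler_t case above). */
enum check_result classify_check_errno(int err)
{
    switch (err) {
    case EINVAL: return CHECK_INVALID;
    case EACCES:
    case EPERM:  return CHECK_DENIED;
    default:     return CHECK_OTHER;
    }
}

const char *result_name(enum check_result r)
{
    static const char *const names[] = { "valid", "invalid context",
        "permission denied (cannot validate)", "check failed", "libselinux unavailable" };
    return names[r];
}

/* Ask the kernel (via libselinux) whether ctx is valid; *err gets errno. */
enum check_result check_context(const char *ctx, int *err)
{
    *err = 0;
    if (!security_check_context) return CHECK_UNAVAILABLE;
    errno = 0;
    if (security_check_context(ctx) == 0) return CHECK_VALID;
    *err = errno;
    return classify_check_errno(*err);
}

int main(int argc, char **argv)
{
    const char *ctx = argc > 1 ? argv[1] : "root:system_r:datalabeler_t:s0-s15:c0.c255";
    int err; enum check_result r = check_context(ctx, &err);
    if (r == CHECK_VALID || r == CHECK_UNAVAILABLE)
        printf("%s: %s\n", ctx, result_name(r));
    else  /* the detail the original "is not a valid context" message lacked */
        fprintf(stderr, "%s is not a valid context: %s [%s]\n", ctx, strerror(err), result_name(r));
    return r == CHECK_VALID ? 0 : 1;
}
```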
