trouble using runcon

Stephen Smalley sds at tycho.nsa.gov
Wed May 2 11:49:07 UTC 2007


On Tue, 2007-05-01 at 15:38 -0700, Clarkson, Mike R (US SSA) wrote:
> Stephen,
> 
> You were right. Adding selinux_validate_context(datalabeler_t) got me
> past the problem and I started getting some useful avc denial messages
> in the audit log. I can now successfully run my script using runcon as
> follows:
> 	"runcon -u root -r system_r -t datalabeler_t -l s0-s15:c0.c255
> 	java mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
> 
> However, if I try to specify a different mls level in the runcon
> statement it doesn't work. It looks like it fails to kick off the java
> process, or at least I can't see the java process running using ps.
> 
> The command I'm trying to use is this:
> 	"runcon -u root -r system_r -t datalabeler_t -l s1 java
> mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
> 
> I'm not getting meaningful avc messages in the audit log. Audit2allow is
> telling me I need to add allow statements to my policy that I already
> have. I think that I'm probably violating some MLS constraint (I find
> that audit2allow does not give me useful messages when the problem is
> that an MLS constraint is being violated).
> 
> Do either of you have any ideas on what constraint I might be violating?
> I already have "mls_process_set_level(datalabeler_t)" in my policy, and
> "semanage user -l" and "semanage login -l" both show that root has the
> mls range of s0-s15:c0.c255.

(re-added fedora-selinux-list to cc line)

audit2allow -a -l should only process avc messages since your last
policy reload.

Is that runcon command running in the datalabeler_t domain already or in
a different domain (the caller domain)?  If the former, why are you
specifying -r system_r -t datalabeler_t at all to runcon (vs. just the
components that are changing)?  If the latter, then the caller domain
needs mls_process_set_level().

Also, you'd have to deal with other MLS-related issues, e.g. if you want
that java process to be able to write to your tty (at s0), you'd need to
give it mls_fd_use_all_levels() to inherit stdin/stdout/stderr and
mls_file_write_down() to write to the tty.  But ideally you'd be using
newrole -l s1 instead and let it relabel the tty for you properly.

You may want to take further follow-ups to redhat-lspp list for
MLS-specific issues.

-- 
Stephen Smalley
National Security Agency
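As an added illustration (not part of this thread), a small Python model of the two MLS checks Stephen's reply points at: runcon changing the level requires the caller's domain to have mls_process_set_level() and the requested level to lie inside the user's clearance, and a process at s1 writing to a tty at s0 is a write-down that needs mls_file_write_down(). The attribute names mlsprocsetsl and mlsfilewrite are assumed to be what those refpolicy interfaces assign; the rest is a simplified model, not the kernel's constraint evaluation.

```python
import re

# Simplified model of SELinux MLS level handling (added example, not from the
# thread). Attribute names are assumed from refpolicy: mls_process_set_level()
# -> mlsprocsetsl, mls_file_write_down() -> mlsfilewrite.

def parse_level(level):
    """'s3:c0.c5,c9' -> (3, {0..5, 9}); category ranges use 'cN.cM'."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    catset = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        catset.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(catset)

def parse_range(rng):
    """'s0-s15:c0.c255' -> (low, high); a bare level is its own low and high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """a dom b: sensitivity >= and categories a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def can_set_level(caller_domain_attrs, user_range, requested):
    """runcon -l <level>: the *caller's* domain needs mls_process_set_level,
    and the requested level must fall within the SELinux user's range
    (what 'semanage user -l' shows, e.g. s0-s15:c0.c255 for root)."""
    if "mlsprocsetsl" not in caller_domain_attrs:
        return False
    low, high = parse_range(user_range)
    req = parse_level(requested)
    return dominates(req, low) and dominates(high, req)

def can_write(proc_attrs, proc_level, file_level):
    """Writing to a file (the tty at s0 in the thread) from a higher level is
    a write-down: denied unless the domain has mls_file_write_down.
    Same-level writes pass; write-up is out of scope here and denied."""
    p, f = parse_level(proc_level), parse_level(file_level)
    if p == f:
        return True
    if dominates(p, f):
        return "mlsfilewrite" in proc_attrs
    return False
```

Run with the thread's values: a caller domain without mlsprocsetsl cannot start the java process at s1, and once at s1 the process cannot write to the s0 tty without mlsfilewrite, which is why newrole -l s1 (relabelling the tty) is the cleaner route.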
