trouble using runcon
Stephen Smalley
sds at tycho.nsa.gov
Wed May 2 11:49:07 UTC 2007
On Tue, 2007-05-01 at 15:38 -0700, Clarkson, Mike R (US SSA) wrote:
> Stephen,
>
> You were right. Adding selinux_validate_context(datalabeler_t) got me
> past the problem and I started getting some useful avc denial messages
> in the audit log. I can now successfully run my script using runcon as
> follows:
> "runcon -u root -r system_r -t datalabeler_t -l s0-s15:c0.c255
> java mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
>
> However, if I try to specify a different mls level in the runcon
> statement it doesn't work. It looks like it fails to kick off the java
> process, or at least I can't see the java process running using ps.
>
> The command I'm trying to use is this:
> "runcon -u root -r system_r -t datalabeler_t -l s1 java
> mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
>
> I'm not getting meaningful avc messages in the audit log. Audit2allow is
> telling me I need to add allow statements to my policy that I already
> have. I think that I'm probably violating some MLS constraint (I find
> that audit2allow does not give me useful messages when the problem is
> that an MLS constraint is being violated).
>
> Do either of you have any ideas on what constraint I might be violating?
> I already have "mls_process_set_level(datalabeler_t)" in my policy, and
> "semanage user -l" and "semanage login -l" both show that root has the
> mls range of s0-s15:c0.c255.
(re-added fedora-selinux-list to cc line)
audit2allow -a -l should only process avc messages since your last
policy reload.
Is that runcon command running in the datalabeler_t domain already or in
a different domain (the caller domain)? If the former, why are you
specifying -r system_r -t datalabeler_t at all to runcon (vs. just the
components that are changing)? If the latter, then the caller domain
needs mls_process_set_level().
Also, you'd have to deal with other MLS-related issues, e.g. if you want
that java process to be able to write to your tty (at s0), you'd need to
give it mls_fd_use_all_levels() to inherit stdin/stdout/stderr and
mls_file_write_down() to write to the tty. But ideally you'd be using
newrole -l s1 instead and let it relabel the tty for you properly.
You may want to take further follow-ups to redhat-lspp list for
MLS-specific issues.
--
Stephen Smalley
National Security Agency
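The reply above turns on two questions: is the level handed to runcon -l inside the caller's clearance range at all, and is the caller's domain allowed to change its level (mls_process_set_level()). The checker below is an added example, not code from the thread or from the SELinux project; it implements the MLS dominance rule (sensitivity compared numerically, categories compared as sets) for the range syntax seen in the thread, and transition_allowed() is a deliberately simplified model of the refpolicy constraint, not its literal text.

```python
# Added example: MLS dominance check for ranges like "s0-s15:c0.c255" and a
# simplified model of the "process may change its level" constraint.
import re
from typing import Set, Tuple

Level = Tuple[int, Set[int]]   # (sensitivity, set of category numbers)


def parse_level(text: str) -> Level:
    """Parse 's1' or 's0:c0.c255,c300' into (sensitivity, category set)."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text.strip())
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    sens = int(m.group(1))
    cats: Set[int] = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # "c0.c255" is a category range
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(part[1:]))
    return sens, cats


def parse_range(text: str) -> Tuple[Level, Level]:
    """Parse 's0-s15:c0.c255' into (low, high); a single level means low == high."""
    low, _, high = text.strip().partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a: Level, b: Level) -> bool:
    """a dominates b iff a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def level_allowed(requested: str, clearance: str) -> bool:
    """Is the requested level (or range) inside the clearance range low-high?"""
    low, high = parse_range(clearance)
    req_lo, req_hi = parse_range(requested)
    return (dominates(req_hi, req_lo)        # requested range must itself be well-formed
            and dominates(req_lo, low)       # cannot go below the clearance low
            and dominates(high, req_hi))     # cannot exceed the clearance high


def transition_allowed(caller_level: str, caller_clearance: str,
                       new_level: str, caller_has_set_level: bool) -> bool:
    """Simplified model (an assumption, not the literal policy constraint):
    the new level must lie in the caller's clearance, and a level different
    from the caller's current one is only permitted when the caller's domain
    was granted mls_process_set_level()."""
    if not level_allowed(new_level, caller_clearance):
        return False
    if parse_range(new_level) == parse_range(caller_level):
        return True                            # no level change, nothing to grant
    return caller_has_set_level


if __name__ == "__main__":
    clearance = "s0-s15:c0.c255"               # the range root has in the thread
    for lvl in ("s1", "s16", "s1:c300"):
        print(lvl, "in clearance:", level_allowed(lvl, clearance))
    # The thread's failing case: caller at s0 asks for s1 without the interface.
    print("s0 -> s1 without mls_process_set_level:",
          transition_allowed("s0", clearance, "s1", False))
    print("s0 -> s1 with mls_process_set_level:",
          transition_allowed("s0", clearance, "s1", True))
```

Run stand-alone it prints the verdicts for the thread's own values: s1 is inside root's s0-s15:c0.c255 clearance, so a plain range check passes, and the transition only succeeds once the caller domain carries the set-level permission, which is why the reply asks which domain is actually invoking runcon.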