SELinux policy for fsetfilecon() in libselinux

Daniel J Walsh dwalsh at redhat.com
Thu Apr 9 02:08:39 UTC 2009


On 04/08/2009 09:11 PM, Brian Ginn wrote:
> I am attempting to use the fsetfilecon() call within a C program.  Several other libselinux calls are working OK, but this call fails in enforcing mode (it works in permissive mode).
>
> The audit.log and audit2allow are suggesting policy code that I already have in the policy.
>
> I suspect that I'm being bitten by a "don't audit" rule somewhere.
>
> Is there a reference policy macro that I can include to get fsetfilecon() to work?
>
> Note: I already included
>
>        selinux_get_enforce_mode( t_selinux_api_t );
>
> to get the security_getenforce() function to work.
>
> Thanks,
>
> Brian

You are most likely hitting a constraint.

If you run your avc messages through audit2why, you will probably see it
is a constraint.

If you are changing the user component of a file you need to use
domain_obj_id_change_exemption():


########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing the user identity in object contexts.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_obj_id_change_exemption',`
	gen_require(`
		attribute can_change_object_identity;
	')

	typeattribute $1 can_change_object_identity;
')
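As an added example (not code from the thread or from libselinux), a small helper that compares the file's current context string with the one about to be passed to fsetfilecon() and reports whether the SELinux user component changes, which is the case the constraint above rejects. The contexts in main() are constructed samples; the program does not call libselinux itself, so it runs on any system.

```c
#include <stdio.h>
#include <string.h>

/* Split "user:role:type[:level]" into its fields. The MLS level may itself
 * contain ':' (e.g. "s0-s0:c0.c1023"), so the 4th field takes the rest of
 * the string. Returns the number of fields (3 or 4), or 0 if malformed. */
static int split_context(const char *ctx, char out[4][128]) {
    int n = 0;
    const char *p = ctx;
    while (n < 4 && *p) {
        const char *colon = (n < 3) ? strchr(p, ':') : NULL;
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= 128) return 0;
        memcpy(out[n], p, len);
        out[n][len] = '\0';
        n++;
        if (!colon) break;
        p = colon + 1;
    }
    return (n >= 3) ? n : 0;
}

/* 1 if the SELinux user differs between the current and requested context
 * (the change the object-identity constraint blocks unless the domain has
 * domain_obj_id_change_exemption()), 0 if not, -1 on a malformed context. */
int user_component_changes(const char *cur, const char *req) {
    char a[4][128], b[4][128];
    if (!split_context(cur, a) || !split_context(req, b)) return -1;
    return strcmp(a[0], b[0]) != 0;
}

int main(void) {
    /* Constructed sample contexts; a real program would obtain the current
     * one with fgetfilecon() before deciding what fsetfilecon() will do. */
    const char *cur = "system_u:object_r:etc_t:s0";
    const char *reqs[] = { "unconfined_u:object_r:etc_t:s0",
                           "system_u:object_r:httpd_sys_content_t:s0" };
    for (int i = 0; i < 2; i++) {
        int r = user_component_changes(cur, reqs[i]);
        printf("%s -> %s: %s\n", cur, reqs[i],
               r == 1 ? "user changes; domain needs domain_obj_id_change_exemption()"
             : r == 0 ? "user unchanged; ordinary relabel rules apply"
                      : "malformed context");
    }
    return 0;
}
```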




More information about the fedora-selinux-list mailing list