On Thu, 2012-10-18 at 21:51 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:

Hi Dominick,

Here it is

type=AVC msg=audit(1350454530.626:73898): avc: denied { transition } for pid=11860 comm="sudo" path="/home/tomcat/tomcat_security_startup.sh" dev=sda2 ino=2523182 scontext=system_u:system_r:servm_t:s0 tcontext=system_u:system_r:tomcatd_t:s0-s0:c0.c1023 tclass=process

Looks like an MCS constrained violation.

I believe you have two options.

The preferred option is to run servm_t with the full MCS range:

init_ranged_daemon_domain(servm_t, servm_exec_t, s0 - mcs_systemhigh)

(assumes that an init script runs the servm executable file that is
labeled type servm_exec_t)

Or you can:

"Make specified domain MCS trusted for setting any category set for the
processes it executes."

mcs_process_set_categories(servm_t)

Thanks,
Anamitra
On 10/15/12 9:57 AM, "Dominick Grift" <dominick.grift(a)gmail.com> wrote:
>
>
>On Mon, 2012-10-15 at 16:41 +0000, Anamitra Dutta Majumdar (anmajumd)
>wrote:
>> I am running into some denials that seem to be constraint violation as
>> follows
>>
>>
>> #!!!! This avc is a constraint violation. You will need to add an
>> attribute to either the source or target type to make it work.
>> #Contraint rule:
>> allow ssh_t ssh_home_t:dir create;
>>
>>
>> What does this mean and how do we address it?
>
>Would need to see the actual avc denial message to be able to suggest
>something
>
>> Any pointers would be appreciated.
>>
>> Thanks,
>> Anamitra
>>
>>
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
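An added triage example, not part of the original thread: it parses the AVC record quoted above and checks whether the source's high level dominates the target's, which is the comparison an MCS constraint on process transitions relies on. The function names are hypothetical, and the constraint form (transition allowed when h1 dominates h2 or the source type is exempted, as with mcs_process_set_categories) is an assumption based on the reference policy, not something stated in the thread.

```python
import re

# AVC record from the thread above, rejoined onto one line.
AVC = ('type=AVC msg=audit(1350454530.626:73898): avc: denied { transition } for '
       'pid=11860 comm="sudo" path="/home/tomcat/tomcat_security_startup.sh" '
       'dev=sda2 ino=2523182 scontext=system_u:system_r:servm_t:s0 '
       'tcontext=system_u:system_r:tomcatd_t:s0-s0:c0.c1023 tclass=process')

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); 'a.b' is an inclusive category range."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int(hi[1:] if hi else lo[1:]) + 1))
    return int(sens[1:]), out

def parse_context(ctx):
    """Split user:role:type:range; the range itself may contain ':'."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"type": typ, "low": parse_level(low), "high": parse_level(high or low)}

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and the category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def triage(record):
    """Report whether a denied process transition looks like an MCS constraint hit."""
    perms = re.search(r"denied\s+\{([^}]*)\}", record).group(1).split()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    src, tgt = parse_context(fields["scontext"]), parse_context(fields["tcontext"])
    h1_dom_h2 = dominates(src["high"], tgt["high"])
    return {
        "source_type": src["type"],
        "target_type": tgt["type"],
        "missing_categories": len(tgt["high"][1] - src["high"][1]),
        "h1_dom_h2": h1_dom_h2,
        # Assumed constraint: transition needs h1 dom h2 or an exempted source type.
        "mcs_suspect": fields["tclass"] == "process"
                       and "transition" in perms and not h1_dom_h2,
    }

if __name__ == "__main__":
    print(triage(AVC))
```

For the record in the thread, the source (s0, no categories) does not dominate the target's high level (s0:c0.c1023), which matches the diagnosis given in the reply.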