On Tue, 2007-05-01 at 15:38 -0700, Clarkson, Mike R (US SSA) wrote:
Stephen,
You were right. Adding selinux_validate_context(datalabeler_t) got me
past the problem and I started getting some useful avc denial messages
in the audit log. I can now successfully run my script using runcon as
follows:
"runcon -u root -r system_r -t datalabeler_t -l s0-s15:c0.c255
java mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
However, if I try to specify a different mls level in the runcon
statement it doesn't work. It looks like it fails to kick off the java
process, or at least I can't see the java process running using ps.
The command I'm trying to use is this:
"runcon -u root -r system_r -t datalabeler_t -l s1 java
mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
I'm not getting meaningful avc messages in the audit log. audit2allow is
telling me I need to add allow statements to my policy that I already
have. I think that I'm probably violating some MLS constraint (I find
that audit2allow does not give me useful messages when the problem is
that an MLS constraint is being violated).
Do either of you have any ideas on what constraint I might be violating?
I already have "mls_process_set_level(datalabeler_t)" in my policy, and
"semanage user -l" and "semanage login -l" both show that root has the
mls range of s0-s15:c0.c255.
(re-added fedora-selinux-list to cc line)
audit2allow -a -l should only process avc messages since your last
policy reload.
Is that runcon command running in the datalabeler_t domain already or in
a different domain (the caller domain)? If the former, why are you
specifying -r system_r -t datalabeler_t at all to runcon (vs. just the
components that are changing)? If the latter, then the caller domain
needs mls_process_set_level().
Also, you'd have to deal with other MLS-related issues, e.g. if you want
that java process to be able to write to your tty (at s0), you'd need to
give it mls_fd_use_all_levels() to inherit stdin/stdout/stderr and
mls_file_write_down() to write to the tty. But ideally you'd be using
newrole -l s1 instead and let it relabel the tty for you properly.
You may want to take further follow-ups to the redhat-lspp list for
MLS-specific issues.
--
Stephen Smalley
National Security Agency
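Added example, not part of the thread and not code from either poster: a small POSIX shell helper for the two things Stephen's reply points at. First, check whether the requested MLS level (here "s1") actually falls inside the caller's allowed range (here root's "s0-s15:c0.c255") by testing low <= level <= high under MLS dominance (sensitivity order plus category-set containment). Second, build a runcon command line that passes only the context components that differ from the caller's current context, rather than repeating -u/-r/-t when nothing changes. The caller context and target context below are constructed sample strings (on a real MLS box you would feed in the output of `id -Z`); levels are assumed to use only the sN, sN:cA or sN:cA.cB forms (comma-separated category lists are not parsed). Passing this check does not by itself make the transition work: the caller domain still needs mls_process_set_level(), and a level other than the tty's needs the fd/file MLS permissions or newrole -l as Stephen describes.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Minimal MLS range check
# and minimal-runcon builder. Contexts are user:role:type:range; the range
# may itself contain ':' (e.g. s0-s15:c0.c255), so it is always the tail.
# Assumption: levels use only sN, sN:cA or sN:cA.cB (no comma lists).

# sens LEVEL -> numeric sensitivity, e.g. "s1:c0.c3" -> 1
sens() { l=${1%%:*}; echo "${l#s}"; }

# cats LEVEL -> "lo hi" category bounds, e.g. "s1:c0.c3" -> "0 3",
# "s1:c5" -> "5 5", and "" when the level carries no categories
cats() {
  case $1 in
    *:*) c=${1#*:} ;;
    *)   echo ""; return ;;
  esac
  case $c in
    *.*) lo=${c%%.*}; hi=${c#*.}; echo "${lo#c} ${hi#c}" ;;
    *)   echo "${c#c} ${c#c}" ;;
  esac
}

# dominates A B -> success when sens(A) >= sens(B) and cats(A) contains cats(B)
dominates() {
  [ "$(sens "$1")" -ge "$(sens "$2")" ] || return 1
  bc=$(cats "$2"); [ -z "$bc" ] && return 0     # B has no categories: trivially contained
  ac=$(cats "$1"); [ -z "$ac" ] && return 1     # B has categories, A has none
  set -- $ac $bc                                 # $1=alo $2=ahi $3=blo $4=bhi
  [ "$1" -le "$3" ] && [ "$4" -le "$2" ]
}

# level_in_range LEVEL RANGE -> success when low <= LEVEL <= high;
# RANGE may be "low-high" or a single level
level_in_range() {
  case $2 in
    *-*) low=${2%%-*}; high=${2#*-} ;;
    *)   low=$2; high=$2 ;;
  esac
  dominates "$1" "$low" && dominates "$high" "$1"
}

# ctx_field CTX N -> component N of a context (1 user, 2 role, 3 type, 4 range)
ctx_field() {
  u=${1%%:*}; r=${1#*:}; ro=${r%%:*}; r=${r#*:}; t=${r%%:*}; mls=${r#*:}
  case $2 in 1) echo "$u";; 2) echo "$ro";; 3) echo "$t";; 4) echo "$mls";; esac
}

# runcon_args CURRENT TARGET -> runcon options for only the components that change
runcon_args() {
  cur=$1; tgt=$2; out=""
  for spec in "1 -u" "2 -r" "3 -t" "4 -l"; do
    set -- $spec                                  # $1 = field number, $2 = runcon flag
    a=$(ctx_field "$cur" "$1"); b=$(ctx_field "$tgt" "$1")
    [ "$a" = "$b" ] || out="$out $2 $b"
  done
  echo "${out# }"
}

# Constructed sample input (hypothetical caller context; real use: id -Z).
CUR="root:system_r:unconfined_t:s0-s15:c0.c255"
TGT="root:system_r:datalabeler_t:s1"
if level_in_range "$(ctx_field "$TGT" 4)" "$(ctx_field "$CUR" 4)"; then
  echo "runcon $(runcon_args "$CUR" "$TGT") java mls.SimulatedImport.SimulatedDataLabeler \"\$@\""
else
  echo "requested level is outside the caller's MLS range" >&2
fi
```

With the sample contexts above the script prints a runcon line carrying only `-t datalabeler_t -l s1`; changing the target level to something like s16 or s1:c300 makes the range check fail, which is the kind of silent, non-avc failure Mike describes.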