You are probably missing a domain type transition.
Running the following command, you can see if unconfined_t has a domain
type transition defined when it runs executable files with type
CZtp_exec_t:
sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
If none is specified, then you must specify that your calling domain,
unconfined_t, domain-type-transitions to CZtp_t when a file with type
CZtp_exec_t is executed.
You will also need to allow the unconfined_r role the CZtp_t domain.
After that you may want to allow unconfined_t to interact with CZtp_t in
other ways as well, but at least by then the type transition should
happen.
The policy:
gen_require(`
	type unconfined_t, CZtp_exec_t, CZtp_t;
	role unconfined_r;
')
domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;
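As an added example (not code from this thread), a small POSIX shell helper that checks saved sesearch type_transition output for the unconfined_t -> CZtp_t transition described above and, if it is absent, generates the .te module from the reply. The policy_module() header, the module name CZtp_domtrans and the sample sesearch line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper to check for, and generate,
# the unconfined_t -> CZtp_t domain transition discussed above.

# Print a complete .te module adding a domain transition.
# Args: module name, source domain, entrypoint file type, target domain, role.
# The policy_module() header and module name are assumptions, not from the thread.
gen_domtrans_te() {
    mod=$1 src=$2 entry=$3 tgt=$4 role=$5
    printf 'policy_module(%s, 1.0)\n\n' "$mod"
    printf 'gen_require(`\n'
    printf '\ttype %s, %s, %s;\n' "$src" "$entry" "$tgt"
    printf '\trole %s;\n' "$role"
    printf "')\n\n"
    # domtrans_pattern() also grants the execute/entrypoint/transition rules.
    printf 'domtrans_pattern(%s, %s, %s)\n' "$src" "$entry" "$tgt"
    # The role must be allowed the new domain or the transition is refused.
    printf 'role %s types %s;\n' "$role" "$tgt"
}

# Read `sesearch -T` output on stdin; return 0 if it contains a process
# type_transition from $1 on entrypoint $2 to $3, else 1.
# Accepts both "X Y : process Z;" (setools 3) and "X Y:process Z;" spacing.
has_domtrans() {
    src=$1 entry=$2 tgt=$3
    grep -Eq "^[[:space:]]*type_transition[[:space:]]+$src[[:space:]]+$entry[[:space:]]*:[[:space:]]*process[[:space:]]+$tgt[[:space:]]*;"
}

# Constructed sample of sesearch output for a system that already has the
# transition (not real output from this thread). On a live system, pipe
#   sesearch -T -s unconfined_t -t CZtp_exec_t
# into has_domtrans instead.
SAMPLE_SESEARCH='type_transition unconfined_t CZtp_exec_t : process CZtp_t;'

if printf '%s\n' "$SAMPLE_SESEARCH" | has_domtrans unconfined_t CZtp_exec_t CZtp_t; then
    echo "# transition already defined; no module needed"
else
    # Redirect into CZtp_domtrans.te and build with the devel Makefile from the thread.
    gen_domtrans_te CZtp_domtrans unconfined_t CZtp_exec_t CZtp_t unconfined_r
fi
```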
On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
Hi,
I'm trying to create a new policy for a constrained process (started by
an unconstrained user) and am stuck trying to get the process started
in the right context.
Here are the steps I followed:
0. confirm SELinux status
[proxyuser@lime ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
[proxyuser@lime ~]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
[proxyuser@lime cz]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0
1. create policy via
sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
Note that CZtp is a shell script which in turn calls the JVM.
[proxyuser@lime cz]$ sudo ./CZtp.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZtp.pp
+ /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
/sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
2. Verify that the CZtp file is labeled properly:
[proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
3. start process
[proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
[proxyuser@lime target]$ ./CZtp
4. Verify process context
[proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp
Note that the process shows up as unconfined_t, although it was labeled
with CZtp_exec_t.
What am I missing?