On Tue, 2007-05-01 at 10:17 -0400, Stephen Smalley wrote:
On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> Whenever I use runcon in my script, I get the error
> “root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context”,
> regardless of the user, role, type, and mls level that I specify with
> the runcon command. In fact, even when I specify the context that I'm
> already running in with the runcon statement, I get the above error.
> So for instance, if I run the script WITHOUT the runcon command, it
> runs fine with the following security context (verified with a ps -efZ
> command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> script with a runcon statement that specifies the exact same user,
> role, type, and mls level I get the error shown above.
(please disable html mail in your client when posting to public mail
lists)
Are you running in permissive mode? In permissive mode, SELinux will
allow policy-defined domain transitions to happen even if the context is
not fully valid but will still reject those contexts if explicitly
specified by an application (e.g. by runcon).
Make sure that you have authorized the context in your policy, e.g.
- is root authorized for system_r and for s0-s15:c0.c255 via a user
declaration?
- is system_r authorized for datalabeler_t via a role declaration?
To summarize the solution for the list (discussion went off-list), the
problem in this case was lack of permission for the datalabeler_t domain
to validate contexts (selinux_validate_context() refpolicy interface),
resulting in runcon always failing to validate the context and reporting
an invalid context. Likely should file a bug against coreutils for
runcon to add strerror(errno) to the error message when
security_check_context() fails so that we would see it as a Permission
denied.
--
Stephen Smalley
National Security Agency
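The fix Stephen summarizes, written out as an added example (it is not code from the thread): a small refpolicy module that grants datalabeler_t the selinux_validate_context() interface so that security_check_context(), and therefore runcon, can validate a context from inside that domain. The module name, the assumption that datalabeler_t is declared elsewhere, and the build commands in the comments are mine, not the poster's.

```te
# datalabeler_validate.te  (module name is an assumption)
policy_module(datalabeler_validate, 1.0)

# datalabeler_t is assumed to be declared in the existing datalabeler module,
# so we only pull it in here rather than declaring it a second time.
require {
    type datalabeler_t;
}

# Grant the domain permission to validate security contexts, i.e. to write a
# candidate context to the selinuxfs context node and read back the verdict.
# Without this, security_check_context() fails with EACCES and runcon reports
# "<context> is not a valid context" even for the caller's own context.
selinux_validate_context(datalabeler_t)

# Build and load with the refpolicy devel Makefile (expands the m4 interface),
# then re-run the script under the original context to confirm runcon succeeds:
#   make -f /usr/share/selinux/devel/Makefile datalabeler_validate.pp
#   semodule -i datalabeler_validate.pp
```

If runcon still fails after loading the module, the remaining checks are the two Stephen lists above: that the user is authorized for the role and MLS range, and that the role is authorized for the type.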