I want to manually run an app within a certain context. When I try running it
like so I get the following error:
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# runcon p16001_u:myapp_r:myapp_t:s0:c1 /myapp/startup.sh
runcon: invalid context: p16001_u:myapp_r:myapp_t:s0:c1: Invalid argument
unconfined should be allowed to transition to any context, right? No AVC is
generated so I don't think that's the issue. The user p16001_u exists with
category c1, with role myapp_r and myapp_t exists in the policy. I'm unclear as
to why this is an invalid context.
# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles
git_shell_u     user       s0         s0                 git_shell_r
myapp_u         user       s0         s0-s0:c0.c1023     myapp_r
guest_u         user       s0         s0                 guest_r
p16000_u        user       s0         s0-s0:c0           myapp_r
p16001_u        user       s0         s0-s0:c1           myapp_r
p16002_u        user       s0         s0-s0:c2           myapp_r
p16003_u        user       s0         s0-s0:c3           myapp_r
p16004_u        user       s0         s0-s0:c4           myapp_r
p16005_u        user       s0         s0-s0:c5           myapp_r
p16006_u        user       s0         s0-s0:c6           myapp_r
p16007_u        user       s0         s0-s0:c7           myapp_r
p16008_u        user       s0         s0-s0:c8           myapp_r
p16009_u        user       s0         s0-s0:c9           myapp_r
p16010_u        user       s0         s0-s0:c10          myapp_r
root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
system_u        user       s0         s0-s0:c0.c1023     system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023     system_r unconfined_r
user_u          user       s0         s0                 user_r
xguest_u        user       s0         s0                 xguest_r
Any tips greatly appreciated!
--
Tracy Reed