I have managed to get the daemon working with the full MCS range, but it cannot run a shell program under a particular category with runcon. What special privileges are necessary for an app to use runcon?
This is the error message when the app calls a shell command with runcon:
/bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606: Permission denied
after attempting to run:
/bin/runcon -l s0:c370,c606 /path/to/app input
The daemon itself runs in the following context (ps output):
system_u:system_r:myapp_t:s0-s0:c0.c1023 myapp 7542 0.2 0.0 909660 60 ? Ssl 01:06 0:14
Here is the policy module (myapp.te):
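policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
# NOTE(review): this require block is kept as written, but several of the
# types it pulls in (root_t, default_t, usr_t, unlabeled_t, sandbox_file_t)
# are generic catch-all labels; the broad rules on them further down undercut
# the confinement this module is supposed to provide. See per-rule comments.
require {
	type init_t;
	type initrc_t;
	type systemd_unit_file_t;
	type urandom_device_t;
	type etc_runtime_t;
	type proc_t;
	# bin_t was listed twice in the original require block; one entry is enough.
	type bin_t;
	type tmp_t;
	type user_home_dir_t;
	type user_home_t;
	type net_conf_t;
	type ldconfig_exec_t;
	type mongod_port_t;
	type unreserved_port_t;
	type http_cache_port_t;
	type http_port_t;
	type sandbox_file_t;
	type node_t;
	type shell_exec_t;
	type default_t;
	type usr_t;
	type root_t;
	type security_t;
	type unlabeled_t;
}

# Domain for the daemon and the label of its executable; init_daemon_domain()
# sets up the init_t/initrc_t -> myapp_t transition on exec of myapp_exec_t.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t);

# Give the daemon the full MCS category range (s0 - mcs_systemhigh). This is
# what yields the s0-s0:c0.c1023 range seen in the running process context;
# a range that dominates the target is required before runcon can narrow the
# process to a subset such as s0:c370,c606.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(myapp_t, myapp_exec_t, s0 - mcs_systemhigh);
')

# NOTE(review): systemd_unit_file() is meant to mark a type declared in THIS
# module as a unit-file type; systemd_unit_file_t is already the base unit-file
# type, so this call looks redundant -- confirm it is actually needed.
systemd_unit_file(systemd_unit_file_t);

########################################
#
# Local policy
#

allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;

# runcon works by calling setexeccon() (needs process:setexec) and then
# exec()ing the target, which is a process:transition in the same domain.
allow myapp_t self:process { signal transition setexec };

# Before it sets the exec context, runcon validates the requested label with
# security_check_context(), which opens /sys/fs/selinux/context and writes the
# context string to it. The original policy granted only `security_t:file write`
# and `security_t:security check_context` -- no open/read on the file and no
# search on the selinuxfs directory. A missing permission at that step is what
# produces "invalid context: ...: Permission denied" from runcon, so this is the
# most likely cause; confirm against the AVC record (`ausearch -m AVC -ts recent`).
# selinux_validate_context() grants the complete set the check needs.
selinux_validate_context(myapp_t)

allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
allow myapp_t proc_t:file { read open getattr };

# NOTE(review): write/add_name/create on bin_t directories lets the daemon drop
# new files into the system binary directories; combined with execute_no_trans
# on bin_t files below, anything it writes there it can also run in its own
# domain. This is far broader than a confined daemon normally needs.
allow myapp_t bin_t:dir { write add_name create };
allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };

# NOTE(review): writing directly to tmp_t (shared /tmp) rather than a private
# myapp_tmp_t type (files_tmp_filetrans) means other domains can read/replace
# whatever the daemon creates there.
allow myapp_t tmp_t:dir { write add_name };
allow myapp_t tmp_t:file { write open create };

allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
allow myapp_t net_conf_t:file { read open getattr ioctl };

# Network access: connect to mongod, bind/listen on unreserved ports, talk to
# HTTP / HTTP-cache ports.
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
allow myapp_t node_t:tcp_socket { node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };

# NOTE(review): relabelfrom/relabelto on sandbox_file_t (files and dirs) lets
# the daemon change labels on sandbox content; if the sandbox is meant to hold
# untrusted data, relabel rights should be restricted to the specific target
# types that are actually required.
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create relabelfrom relabelto };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };

# Shells run in the daemon's own domain (no transition) -- this is what the
# runcon-launched shell relies on.
allow myapp_t shell_exec_t:file { execute execute_no_trans };

# NOTE(review): default_t is the label of unlabeled/unknown filesystem content;
# allowing execute + execute_no_trans on it means any mislabeled file on the
# system can be run inside myapp_t. Prefer labeling the real paths properly.
allow myapp_t default_t:dir { search read getattr write };
allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
allow myapp_t default_t:lnk_file read;

# NOTE(review): write/create/relabelfrom on root_t (the / directory and files
# directly under it) is almost never appropriate for a service domain; these
# rules were likely generated by audit2allow from a stray denial and should be
# replaced by correct file contexts for whatever the daemon actually touches.
allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom };
allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom };

# NOTE(review): `entrypoint` on usr_t means ANY file labeled usr_t can serve as
# an entry point into myapp_t; entrypoint should only ever be granted on
# myapp_exec_t (init_daemon_domain already does that). Confirm whether this
# was intended before keeping it.
allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };

# NOTE(review): this rule grants a permission to unlabeled_t, a domain this
# module does not own; a rule for a foreign domain does not belong in myapp.te
# and usually indicates mislabeled files/processes that should be fixed with
# restorecon instead. Left as-is pending confirmation.
allow unlabeled_t root_t:dir search;

allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };

domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
#miscfiles_read_localization(myapp_t)

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file { read open };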