On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> Whenever I use runcon in my script, I get the error
> "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context",
> regardless of the user, role, type, and MLS level that I specify with
> the runcon command. In fact, even when I specify the context that I'm
> already running in with the runcon statement, I get the above error.
> So for instance, if I run the script WITHOUT the runcon command, it
> runs fine with the following security context (verified with a ps -efZ
> command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> script with a runcon statement that specifies the exact same user,
> role, type, and MLS level I get the error shown above.
(please disable html mail in your client when posting to public mail
lists)
Are you running in permissive mode? In permissive mode, SELinux will
allow policy-defined domain transitions to happen even if the context is
not fully valid but will still reject those contexts if explicitly
specified by an application (e.g. by runcon).
Make sure that you have authorized the context in your policy, e.g.
- is root authorized for system_r and for s0-s15:c0.c255 via a user
declaration?
- is system_r authorized for datalabeler_t via a role declaration?
> I am using an SELinux policy that I built as an MLS policy off the
> targeted policy.
I don't understand - why aren't you using the real MLS policy? And if
you want to use MLS, why aren't you following the work on redhat-lspp
list and using those packages?
--
Stephen Smalley
National Security Agency
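The two authorizations Stephen lists (is the user allowed the role and the MLS range, is the role allowed the type) can be checked mechanically against a policy's user and role declarations. The script below is an added illustration, not code from this thread; it runs the checks over a constructed policy-source excerpt embedded in the script, so it needs no SELinux tooling. On a real system the same questions are answered by `seinfo -u <user> -x` and `seinfo -r <role> -x` from setools, and `getenforce` reports whether the box is permissive. The MLS range test here is a deliberate simplification (sensitivity bounds plus a literal category comparison), not the kernel's dominance check.

```shell
#!/bin/sh
# Added example (not from the thread): verify the user/role/type/range
# authorizations behind "X is not a valid context" against a policy excerpt.
set -eu

# Constructed excerpt in policy.conf declaration syntax (not a real policy).
POLICY='user root roles { staff_r sysadm_r system_r } level s0 range s0 - s15:c0.c255;
user user_u roles { user_r } level s0 range s0;
role system_r types { init_t datalabeler_t };
role sysadm_r types { sysadm_t };'

# Fields of a context string. The MLS range (field 4 onward) contains its own
# colons, e.g. s0-s15:c0.c255, so it is taken as "the rest of the string".
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# Contents of the { ... } set in the "<kind> <name> ..." declaration line.
decl_set() {  # $1 = user|role, $2 = name
  printf '%s\n' "$POLICY" | grep "^$1 $2 " | sed -n 's/.*{ *\([^}]*\)}.*/\1/p'
}

# user_has_role <user> <role>: 0 if the user declaration lists the role
user_has_role() {
  for cand in $(decl_set user "$1"); do [ "$cand" = "$2" ] && return 0; done
  return 1
}

# role_has_type <role> <type>: 0 if the role declaration lists the type
role_has_type() {
  for cand in $(decl_set role "$1"); do [ "$cand" = "$2" ] && return 0; done
  return 1
}

# Declared MLS range of a user, with the spaces around '-' removed so it
# matches the spelling used in a context string (s0-s15:c0.c255).
user_range() {
  printf '%s\n' "$POLICY" | grep "^user $1 " | sed -n 's/.*range \(.*\);/\1/p' | tr -d ' '
}

# Sensitivity number of one end of a range ("s15:c0.c255" -> 15).
sens_num()   { printf '%s\n' "$1" | sed 's/^s\([0-9]*\).*/\1/'; }
range_low()  { printf '%s\n' "$1" | cut -d- -f1; }
range_high() { printf '%s\n' "$1" | cut -d- -f2; }   # a single level "s0" is its own high

# Simplified range check (an assumption, not the kernel's dominance test):
# the requested sensitivities must lie inside the user's declared range, and a
# requested category set, if present, must equal the user's high-level categories.
user_range_ok() {  # $1 = user, $2 = requested range
  decl=$(user_range "$1"); [ -n "$decl" ] || return 1
  dlo=$(sens_num "$(range_low "$decl")"); dhi=$(sens_num "$(range_high "$decl")")
  rlo=$(sens_num "$(range_low "$2")");    rhi=$(sens_num "$(range_high "$2")")
  [ "$rlo" -ge "$dlo" ] && [ "$rhi" -le "$dhi" ] || return 1
  rcat=$(range_high "$2"    | cut -s -d: -f2)
  dcat=$(range_high "$decl" | cut -s -d: -f2)
  [ -z "$rcat" ] || [ "$rcat" = "$dcat" ]
}

# check_context <context>: prints the first failing authorization and returns 1,
# otherwise reports success and returns 0.
check_context() {
  ctx_u=$(ctx_user "$1"); ctx_r=$(ctx_role "$1")
  ctx_t=$(ctx_type "$1"); ctx_m=$(ctx_range "$1")
  user_has_role "$ctx_u" "$ctx_r" || { echo "user $ctx_u is not authorized for role $ctx_r"; return 1; }
  role_has_type "$ctx_r" "$ctx_t" || { echo "role $ctx_r is not authorized for type $ctx_t"; return 1; }
  user_range_ok "$ctx_u" "$ctx_m" || { echo "user $ctx_u is not authorized for range $ctx_m"; return 1; }
  echo "$1: authorized by the user and role declarations"
}

# The context from the thread, then two deliberately failing ones.
check_context "root:system_r:datalabeler_t:s0-s15:c0.c255"
check_context "user_u:system_r:datalabeler_t:s0" || true
check_context "root:sysadm_r:datalabeler_t:s0" || true
```

Each failing branch names the declaration to inspect, which is the order a practitioner would walk the real policy in: the user declaration (roles and range) first, then the role declaration (types). A context that passes all three checks but is still rejected by runcon points at something the script does not model, such as a constraint or the MLS dominance rules.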