On Wed, 2008-01-16 at 12:05 -0500, Michael Thomas wrote:
While testing some changes to the cyphesis selinux module in Rawhide,
I
started getting the following denials:
type=AVC msg=audit(1200547499.303:66): avc: denied { write } for
pid=2722 comm="cyphesis" name="context" dev=selinuxfs ino=5
scontext=unconfined_u:system_r:cyphesis_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1200547499.303:67): avc: denied { check_context }
for pid=2722 comm="cyphesis"
scontext=unconfined_u:system_r:cyphesis_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
What would cause these?
That suggests that cyphesis is invoking a libselinux function that is
validating a security context (by writing to /selinux/context).
Would be allowed by selinux_validate_context(cyphesis_t), if using
refpolicy interfaces and building via make
-f /usr/share/selinux/devel/Makefile.
--
Stephen Smalley
National Security Agency