using runcon -l s1

Clarkson, Mike R (US SSA) mike.clarkson at baesystems.com
Mon Apr 23 17:22:11 UTC 2007


I am trying to figure out how to get "runcon -l s1" to work while having
selinux in enforcing mode. So far, I can only use the runcon command
successfully with selinux in permissive mode. Here is the error I get
when in enforcing mode:
>runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk

execvp: Permission denied
My shell is running as root in the unconfined_t domain. Here is the
output of id -Z:

            root:system_r:unconfined_t:s0-s15:c0.c255
The executable that I'm trying to run with runcon is "SimulatedImport".
This is a very simple program which simply creates a small text file. I
have created a domain named "import_t" for this program.
I have an selinux policy that I built as an mls policy off the targeted
policy.

When I run audit2allow I get the following:

audit2allow -i /var/log/audit/audit.log -l -v -r

require {
        class dir search;
        class file { getattr read };
        class process transition;
        type auditd_log_t;
        type unconfined_t;
        role system_r;
};

allow unconfined_t auditd_log_t:dir search;
        #TYPE=AVC  MSG=audit(1177347232.381:45684):  COMM="audit2allow" NAME="audit"   : search
        #TYPE=AVC  MSG=audit(1177347344.098:45698):  COMM="audit2allow" NAME="audit"   : search

allow unconfined_t auditd_log_t:file { getattr read };
        #TYPE=AVC  MSG=audit(1177347344.098:45699):  COMM="audit2allow" NAME="audit.log"   : getattr
        #TYPE=AVC  MSG=audit(1177347344.098:45698):  COMM="audit2allow" NAME="audit.log"   : read

allow unconfined_t self:process transition;
        #TYPE=AVC  MSG=audit(1177347223.780:45683):  COMM="runcon" NAME="SimulatedImport"   : transition


Adding "allow unconfined_t self:process transition;" to my "import"
module seems to have no effect.

Any help would be appreciated.

Thanks,
Mike
