using runcon -l s1

Daniel J Walsh dwalsh at redhat.com
Tue Apr 24 12:31:49 UTC 2007


Clarkson, Mike R (US SSA) wrote:
>
> I am trying to figure out how to get "runcon -l s1" to work while
> having selinux in enforcing mode. So far, I can only use the runcon
> command successfully with selinux in permissive mode. Here is the
> error I get when in enforcing mode:
>
> >runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
>
> execvp: Permission denied
>
> My shell is running as root in the unconfined_t domain. Here is the
> output of id -Z:
>
> root:system_r:unconfined_t:s0-s15:c0.c255
>
> The executable that I'm trying to run with runcon is
> "SimulatedImport". This is a very simple program which simply creates
> a small text file. I have created a domain named "import_t" for this
> program.
>
> I have an selinux policy that I built as an mls policy off the 
> targeted policy.
>
> When I run audit2allow I get the following:
>
> audit2allow -i /var/log/audit/audit.log -l -v -r
>
> require {
>     class dir search;
>     class file { getattr read };
>     class process transition;
>     type auditd_log_t;
>     type unconfined_t;
>     role system_r;
> };
>
> allow unconfined_t auditd_log_t:dir search;
> #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search
> #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search
>
> allow unconfined_t auditd_log_t:file { getattr read };
> #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr
> #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read
>
> allow unconfined_t self:process transition;
> #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition
>
> Adding "allow unconfined_t self:process transition;" to my "import"
> module seems to have no effect.
>
I think you are being prevented by a constraint of MLS.

As a guess I would suggest trying:

mls_process_set_level(unconfined_t)
>
>
> Any help would be appreciated.
>
> Thanks,
>
> Mike
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
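As an added illustration, not part of either message in this thread, the shell script below writes out a minimal reference-policy module for the import_t domain Mike describes: the domain transition from unconfined_t plus the mls_process_set_level(unconfined_t) call Dan suggests. The interface names (policy_module, domain_type, domain_entry_file, domain_auto_trans, mls_process_set_level, gen_context) are from the SELinux reference policy; the module name and version, the executable path /usr/local/bin/SimulatedImport and the check function are assumptions made here. The build commands in the comments are not executed by the script.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal policy module sketch for
# the "import_t" domain, with the MLS interface Dan suggested.  Interface
# names come from the SELinux reference policy; the module name/version and
# the executable path are assumptions for illustration only.

# Print the type-enforcement (.te) source for the module.
gen_import_te() {
    cat <<'EOF'
policy_module(import, 1.0)

########################################
# Declarations
#
type import_t;
type import_exec_t;
domain_type(import_t)
domain_entry_file(import_t, import_exec_t)

gen_require(`
    type unconfined_t;
')

########################################
# Local policy
#
# Let unconfined_t enter import_t by executing the labelled binary.
domain_auto_trans(unconfined_t, import_exec_t, import_t)

# The rule audit2allow proposes ("allow unconfined_t self:process
# transition") is already granted to unconfined_t; the runcon -l denial
# comes from the MLS constraint on process transitions, which requires the
# caller to be trusted to change the level of its child.  This interface
# grants that trust.
mls_process_set_level(unconfined_t)
EOF
}

# Print the file-contexts (.fc) source.  The path is an assumption.
gen_import_fc() {
    cat <<'EOF'
/usr/local/bin/SimulatedImport  --  gen_context(system_u:object_r:import_exec_t,s0)
EOF
}

# Sanity-check the generated source for the two statements that matter
# here: the MLS trust interface and the domain transition.  Returns 0 when
# both are present, 1 otherwise.
check_import_policy() {
    te=$(gen_import_te)
    printf '%s\n' "$te" | grep -q '^mls_process_set_level(unconfined_t)$' || return 1
    printf '%s\n' "$te" | grep -q '^domain_auto_trans(unconfined_t, import_exec_t, import_t)$' || return 1
    return 0
}

# Write both sources into a directory.  From there the module is built and
# loaded with the usual refpolicy toolchain (not run by this script):
#   make -f /usr/share/selinux/devel/Makefile import.pp
#   semodule -i import.pp
#   restorecon -v /usr/local/bin/SimulatedImport
write_import_module() {
    dir=${1:-.}
    gen_import_te > "$dir/import.te"
    gen_import_fc > "$dir/import.fc"
}
```

The check encodes the point Dan makes: when sesearch already shows the transition permission for unconfined_t, adding the same allow rule again changes nothing, and the denial has to be coming from a constraint rather than from type enforcement. mls_process_set_level adds the caller to the attribute the MLS process-transition constraint consults, which is what lets runcon start SimulatedImport at s1 instead of the caller's own level.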
