MCS process transition and categories problem

Vince Le Port vince.rafale at gmail.com
Tue Nov 18 16:36:07 UTC 2008


Dear all,

I am currently experiencing some trouble in modifying a process's MCS
category.

Here is the problem:

I have got a user who is in s0:c1.c2
Then this user launches a process which thus runs in the same range
(s0:c1.c2)
A setcon() is made to move the process context into a restriction: s0:c1

By adding a new allow rule thanks to a module, this step works great.

allow user_t self:process { setcurrent dyntransition };

Once in this restricted context, it seems impossible to run another
setcon(), in order to move into s0:c2 or return into the initial context
s0:c1.c2.

Here is the error launched by audit:

type=AVC msg=audit(1224638358.893:242): avc:  denied  { dyntransition }
for pid=26212 comm="prog" scontext=user_u:user_r:user_t:s0:c1
tcontext=user_u:user_r:user_t:s0:c2 tclass=process

Is it possible to add a rule which will allow the process to re-enter the
s0:c1.c2 context or to enter s0:c2 from s0:c1?

Regards,

Vince
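An added example, not part of the original message: a small check that reads the contexts out of the AVC record above and compares their MCS levels. It assumes the loaded policy constrains dyntransition so that the source's high level must dominate the target's (the post does not show the policy's constraints); all function names are hypothetical.

```python
import re

# Denial record from the post, joined onto one line.
AVC = ('type=AVC msg=audit(1224638358.893:242): avc:  denied  { dyntransition } '
       'for pid=26212 comm="prog" scontext=user_u:user_r:user_t:s0:c1 '
       'tcontext=user_u:user_r:user_t:s0:c2 tclass=process')

def parse_level(level):
    """'s0:c1.c3,c7' -> (0, {1, 2, 3, 7}); 'a.b' is an inclusive category range."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int(hi[1:] if hi else lo[1:]) + 1))
    return int(sens[1:]), out

def high_level(context):
    """Return the high level of a user:role:type:range context."""
    mls = context.split(":", 3)[3]          # everything after the type
    return parse_level(mls.split("-")[-1])  # 'low-high' or a single level

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def source_dominates_target(scontext, tcontext):
    # Assumed constraint: source high level must dominate target high level.
    return dominates(high_level(scontext), high_level(tcontext))

def check_avc(record):
    """Extract both contexts from an AVC record and compare their high levels."""
    s = re.search(r"scontext=(\S+)", record).group(1)
    t = re.search(r"tcontext=(\S+)", record).group(1)
    return s, t, source_dominates_target(s, t)

if __name__ == "__main__":
    base = "user_u:user_r:user_t:"
    # The three moves described in the message.
    for src, dst in [("s0:c1.c2", "s0:c1"), ("s0:c1", "s0:c2"), ("s0:c1", "s0:c1.c2")]:
        print(src, "->", dst, "source dominates target:",
              source_dominates_target(base + src, base + dst))
    print(check_avc(AVC))
```

Under that assumed constraint, only the first move (s0:c1.c2 to s0:c1) stays within the source's categories; after it, neither s0:c2 nor s0:c1.c2 is dominated by s0:c1.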
