about selinux_validate_context
Daniel J Walsh
dwalsh at redhat.com
Tue May 4 16:52:56 UTC 2010
On 05/04/2010 12:40 PM, Sandra Rueda wrote:
> Hello,
>
> I am getting the following rule in my SELinux policy:
> allow user_t security_t:file {read write};
>
> I traced it and I found the interface selinux_validate_context grants permissions to read and write files with type security_t.
> Are these permissions required to validate a security context?
> Should they be granted to user_t?
>
> Thanks,
> Sandra
>
The way a security context is validated is by writing to the
/security/context kernel interface, which would generate this AVC. If
you want the user_t user to be able to validate a context, then you need
this interface.
A better solution would probably be to write policy for the application
that the user is executing that needs to validate policy and allow this
access.
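The validation described in the reply above, seen from user space, as an added example that is not part of the original thread and is not libselinux or policy code. It opens the context node read-write and writes the context string, which is the access the `security_t:file {read write}` rule covers. The function name `validate_context_at` and the default path `/sys/fs/selinux/context` (the selinuxfs mount point on current kernels; the reply names `/security/context`) are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: selinuxfs mount point on current kernels. The reply above
 * names /security/context; pass the node path as argv[2] to override. */
#define DEFAULT_NODE "/sys/fs/selinux/context"

/* Ask the kernel whether `context` is valid under the loaded policy by
 * writing it (NUL terminator included) to the selinuxfs context node.
 * Returns 0 if the write was accepted, otherwise -1 with errno set:
 *   EACCES  the caller's domain is denied access to the node (AVC logged)
 *   EINVAL  the context is not valid under the loaded policy
 *   ENOENT  selinuxfs is not mounted at that path */
int validate_context_at(const char *node, const char *context)
{
    int fd = open(node, O_RDWR);          /* needs read and write on the node */
    if (fd < 0)
        return -1;

    size_t len = strlen(context) + 1;     /* include the trailing NUL */
    ssize_t n = write(fd, context, len);
    int saved = errno;                    /* close() must not clobber errno */
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s CONTEXT [NODE]\n", argv[0]);
        return 2;
    }
    const char *node = argc > 2 ? argv[2] : DEFAULT_NODE;
    if (validate_context_at(node, argv[1]) == 0) {
        printf("valid: %s\n", argv[1]);
        return 0;
    }
    fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
    return 1;
}
```

Run from a domain without the interface, the call fails with EACCES and the denial appears in the audit log; confining the one application that needs the check keeps that access out of user_t as a whole.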