Constraint violation AVC

Dominick Grift dominick.grift at gmail.com
Thu Oct 18 22:21:27 UTC 2012



On Thu, 2012-10-18 at 21:51 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> Hi Dominick,
> 
> Here it is
> 
> type=AVC msg=audit(1350454530.626:73898): avc:  denied  { transition } for
>  pid=11860 comm="sudo" path="/home/tomcat/tomcat_security_startup.sh"
> dev=sda2 ino=2523182 scontext=system_u:system_r:servm_t:s0
> tcontext=system_u:system_r:tomcatd_t:s0-s0:c0.c1023 tclass=process

Looks like an MCS constraint violation.

I believe you have two options.

The preferred option is to run servm_t with the full mcs range:

init_ranged_daemon_domain(servm_t, servm_exec_t, s0 - mcs_systemhigh)

(assumes that an init script runs the servm executable file that is
labeled type servm_exec_t)

Or you can:

"Make specified domain MCS trusted for setting any category set for the
processes it executes."

mcs_process_set_categories(servm_t)

> 
> Thanks,
> Anamitra
> 
> On 10/15/12 9:57 AM, "Dominick Grift" <dominick.grift at gmail.com> wrote:
> 
> >
> >
> >On Mon, 2012-10-15 at 16:41 +0000, Anamitra Dutta Majumdar (anmajumd)
> >wrote:
> >> I am running into some denials that seem to be constraint violation as
> >> follows
> >> 
> >> 
> >> #!!!! This avc is a constraint violation.  You will need to add an
> >> attribute to either the source or target type to make it work.
> >> #Contraint rule:
> >> allow ssh_t ssh_home_t:dir create;
> >> 
> >> 
> >> What does this mean and how do we address it?
> >
> >Would need to see the actual avc denial message to be able to suggest
> >something
> >
> >> Any pointers would be appreciated.
> >> 
> >> Thanks,
> >> Anamitra
> >>  
> >> 
> >> 
> >> 
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> 

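The denial above is the MCS constraint on process transition: the source domain's high level must dominate (carry at least the categories of) the target domain's high level, unless the source type is marked MCS-trusted. As an added example, not code from the thread, here is a small Python checker that parses an AVC line, compares the category sets of both contexts and reports which categories the source lacks; the sample AVC is constructed from the one quoted above, and the MCS-trusted attribute exception is not modelled.

```python
import re

# Constructed sample: the AVC from the thread, joined onto one line as auditd logs it.
AVC = ('type=AVC msg=audit(1350454530.626:73898): avc:  denied  { transition } for '
       'pid=11860 comm="sudo" path="/home/tomcat/tomcat_security_startup.sh" '
       'dev=sda2 ino=2523182 scontext=system_u:system_r:servm_t:s0 '
       'tcontext=system_u:system_r:tomcatd_t:s0-s0:c0.c1023 tclass=process')


def parse_categories(level: str) -> set:
    """Expand an MCS level such as 's0:c0.c3,c7' into the set {0, 1, 2, 3, 7}."""
    if ':' not in level:          # plain sensitivity, e.g. 's0': no categories
        return set()
    cats = set()
    for part in level.split(':', 1)[1].split(','):
        if '.' in part:           # 'cA.cB' is an inclusive range
            lo, hi = (int(x[1:]) for x in part.split('.'))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def high_level(context: str) -> str:
    """Return the high (clearance) half of a context's range user:role:type:low[-high]."""
    rng = context.split(':', 3)[3]
    return rng.split('-')[1] if '-' in rng else rng


def parse_avc(line: str) -> dict:
    """Pull the permission set and the key=value fields out of one AVC record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    return {'perms': perms, 'scontext': fields['scontext'],
            'tcontext': fields['tcontext'], 'tclass': fields['tclass']}


def mcs_transition_violation(line: str):
    """For a denied process transition, return the categories the source's high level
    lacks relative to the target's high level (the MCS dominance check), else None."""
    avc = parse_avc(line)
    if avc['tclass'] != 'process' or 'transition' not in avc['perms']:
        return None
    missing = parse_categories(high_level(avc['tcontext'])) - \
        parse_categories(high_level(avc['scontext']))
    return missing or None


if __name__ == '__main__':
    gap = mcs_transition_violation(AVC)
    print(f'source lacks {len(gap)} categories (c{min(gap)}..c{max(gap)})' if gap else 'no MCS gap')
```

Running the same check on a source context widened to s0-s0:c0.c1023, which is what the ranged daemon option above produces, reports no gap.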