Why does my confined application fail to start?

Daniel J Walsh dwalsh at redhat.com
Tue Sep 2 18:03:43 UTC 2014


On 09/02/2014 10:54 AM, Göran Uddeborg wrote:
> I'm trying to create a module for the Net ID electronic identification
> system used in Sweden.  With the standard policy, this does not work
> with SELinux enabled, but works fine in permissive mode.
>
> Net ID works as a plugin to Firefox.  The plugin starts a separate
> program "iid".  This program needs access to some files in the user's
> home directory, and also to open a graphical window for reading a
> passphrase and the like.
>
> My idea was to create a specific domain for this program, and try to
> allow this domain as little as necessary.  I'm working with this in
> permissive mode, trying to check what it tries to do, and trying to find
> the correct M4 macros to enable it.
>
> One thing confuses me.  If I try to run the same thing in enforcing
> mode, the application doesn't come up at all.  That's not surprising,
> the new policy isn't finished yet.
>
> But what IS surprising is I don't get any AVC telling me why.  Even if
> I rebuild with "semodule -DB" I only get a couple of comments about the
> plugin-container not being allowed to read/write a unix_stream_socket
> with the type xdm_t.  As I understand it, that is unrelated and
> normally dontaudited.
>
> But then, why don't I get any AVCs?  What is blocking without
> telling?
>
> For reference, I attach the policy so far as I've come.  But note that
> it is not under development.  (But comments on mistakes I've made and
> other suggestions are welcome in any case! :-)
>
Look for SELINUX_ERR, I believe you have an RBAC problem.

You need to add something like

role unconfined_r types netid_t;


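Added example, not part of the original thread: a small parser that pulls the SELINUX_ERR records out of audit log text and turns each one into the missing `role ... types ...;` statement. It also illustrates why the question above saw no AVC: when a domain transition would produce a context whose role is not authorized for the new type, the kernel fails the context computation itself (logged as SELINUX_ERR with `op=security_compute_sid`) before any access check runs, so there is nothing for the AVC to deny. The audit lines are constructed for this example; `netid_t` comes from the thread, while `netid_exec_t`, `mozilla_plugin_t` and the exact record wording are assumptions.

```python
import re

# Constructed sample audit records (not from the original post).
# The first line is the unrelated, normally dontaudited AVC mentioned in the
# question; the second is the kind of SELINUX_ERR record produced when the
# role in the computed context (unconfined_r) is not authorized for the
# new type (netid_t). netid_exec_t and mozilla_plugin_t are assumed names.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1409680000.123:456): avc:  denied  { read write } for  pid=2345 comm="plugin-container" path="socket:[12345]" dev="sockfs" ino=12345 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=unix_stream_socket
type=SELINUX_ERR msg=audit(1409680001.456:457): op=security_compute_sid invalid_context=unconfined_u:unconfined_r:netid_t:s0 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:netid_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1409680001.456:457): arch=c000003e syscall=59 success=no exit=-13
"""

# Matches the SELINUX_ERR record layout assumed above; invalid_context may or
# may not be quoted depending on the kernel version, so both forms are accepted.
SELINUX_ERR_RE = re.compile(
    r'type=SELINUX_ERR .*?op=security_compute_sid '
    r'invalid_context="?(?P<ctx>[^"\s]+)"? '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def find_role_gaps(audit_text):
    """Return unique (role, type) pairs taken from the invalid_context of each
    SELINUX_ERR record: the role that is not yet allowed to hold that type."""
    gaps = []
    for line in audit_text.splitlines():
        m = SELINUX_ERR_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:range]; the role/type pair is what RBAC checks.
        parts = m.group("ctx").split(":")
        if len(parts) < 3:
            continue
        pair = (parts[1], parts[2])
        if pair not in gaps:
            gaps.append(pair)
    return gaps


def role_statements(audit_text):
    """Policy statements that would authorize each missing role/type pair."""
    return [f"role {role} types {type_};" for role, type_ in find_role_gaps(audit_text)]


if __name__ == "__main__":
    # Prints: role unconfined_r types netid_t;
    for stmt in role_statements(SAMPLE_AUDIT_LOG):
        print(stmt)
```

On a live system the same records can be pulled with `ausearch -m SELINUX_ERR -ts recent` and fed to `role_statements`; the AVC for the xdm_t socket is ignored by the parser, matching the observation in the thread that it is not what blocks the program.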