runcon: invalid context

Tracy Reed treed at ultraviolet.org
Tue May 5 21:59:51 UTC 2015


On Mon, May 04, 2015 at 12:15:16AM PDT, Miroslav Grepl spake thusly:
> You missed
> 
> role myapp_r types myapp_t;

Yep! That was it! Thank you very much! Now the runcon works as expected. Why
wouldn't that have caused an avc deny? This sort of thing is very hard to
troubleshoot if you don't know all the magic.

Now that the runcon and category etc. are all working I am still tracking down
various TE issues. I get a number of things like this:

#!!!! This avc is allowed in the current policy
allow myapp_t bin_t:lnk_file getattr;

#!!!! This avc is allowed in the current policy
allow myapp_t boot_t:dir getattr;

Why is it telling me the avc is allowed in the current policy? I know it is allowed because I allowed it! :) 

I also notice that audit2allow -a is able to produce these messages even after
I do a cp /dev/null /var/log/audit/audit.log. How is that possible?

And then I have this:

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow myapp_t self:process { siginh transition noatsecure rlimitinh };

I actually have a whole lot of self-related stuff which I suspect would benefit
from a type attribute if I knew which one:
allow myapp_t self:process { execmem siginh signull setexec setsched signal transition sigkill setpgid noatsecure rlimitinh };
allow myapp_t self:capability { setuid chown fsetid setgid fowner audit_write dac_override };
allow myapp_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow myapp_t self:netlink_audit_socket { nlmsg_relay create write };
allow myapp_t self:tcp_socket { write read setopt bind create getattr accept ioctl connect shutdown getopt listen };
allow myapp_t self:udp_socket { getattr ioctl create connect write read };
allow myapp_t self:unix_dgram_socket { create connect write };


-- 
Tracy Reed
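Added example, not part of the thread: a minimal refpolicy-style module that shows where the `role myapp_r types myapp_t;` line from the reply belongs and why its absence produces "invalid context" rather than an AVC denial. `myapp_t` and `myapp_r` are the names used in the thread; `myapp_exec_t` and the entry-point wiring are assumptions for a complete module, and only two of the quoted allow rules are carried over.

```selinux
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# Domain for the application and the type of its executable.
# myapp_exec_t is assumed here; the thread only names myapp_t and myapp_r.
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)

# The role, and the statement the reply pointed out was missing.
# A context such as system_u:myapp_r:myapp_t:s0 is valid only if the
# type is in the role's authorized type set. Without this line the
# kernel rejects the context during validation, before any access
# check is made, so runcon reports "invalid context" and nothing is
# ever written to the audit log as an AVC denial.
role myapp_r;
role myapp_r types myapp_t;

########################################
#
# Local policy
#

# Two of the rules quoted from audit2allow in the thread; keep only
# the ones the application genuinely needs.
allow myapp_t self:udp_socket { getattr ioctl create connect write read };
allow myapp_t self:unix_dgram_socket { create connect write };
```

Build and load it with the stock module Makefile (`make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp`), then confirm the association with `seinfo -r myapp_r -x` (setools), which lists the types authorized for the role. The same validity check also requires the role to be in the SELinux user's role set (`seinfo -u system_u -x` shows that set), so a context can still be rejected without any denial if the user has not been granted `myapp_r`.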