SELinux Mailing List

Re: chcon -l permission

From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Date: Mon, 24 Sep 2007 12:44:02 +0000


On Sat, 2007-09-22 at 17:05 -0700, Clarkson, Mike R (US SSA) wrote:
> I have a java process running in a domain named frontgate_t, which reads
> files and determines the correct classification/compartment level of the
> file based upon its contents. The java process then relabels the file to
> the correct level using "chcon -l ...". It can both upgrade or downgrade
> the level of the file
>
> I'm getting file relabelfrom and relabelto denials in the audit log that
> I can't get past. I've provided the allow rule indicated by audit2allow.
> At first I thought this was an mls constraint issue. I expect that the
> following mls privileges would be required:
> mls_file_upgrade(frontgate_t)
> mls_file_downgrade(frontgate_t)
> mls_context_translate_all_levels(frontgate_t) (maybe needed??)
>
> I provided all of these, and then progressively added more and more mls
> privileges until I had provided them all. Next, I gutted the mls file
> that contains all of the mls constraints to once and for all convince
> myself that this wasn't an mls constraint issue.
>

> avc: denied { relabelfrom }
[...]
> scontext=m252_u:system_r:frontgate_t:s4:c0.c255
           ^^^^^^
> tcontext=root:object_r:import_datasources_t:s4:c10
           ^^^^

You hit the SELinux user identity equality constraint: m252_u != root. You would need domain_obj_id_change_exemption(frontgate_t) to make this work. Or, run in system_u:system_r:frontgate_t:s4:c0.c255.
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 24 Sep 2007 - 08:45:59 EDT
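The check Chris performs by eye above (compare the SELinux user field of scontext and tcontext on a relabelfrom/relabelto denial before suspecting allow rules or MLS constraints) can be applied mechanically to an audit log. The script below is an added example and not part of the thread; it assumes the usual one-line AVC record format of audit.log, and the sample records are constructed (the two contexts quoted in the thread are reused, the remaining values such as pid, inode and file names are made up for contrast).

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample audit records (assumption: standard audit.log AVC layout).
# Lines 1-2 reuse the contexts quoted in the thread; lines 3-4 are made up so
# that the classifier has a same-user relabel and a non-relabel denial to show.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190505900.101:201): avc: denied { relabelfrom } for pid=4242 comm="java" name="feed-001.xml" dev=sda3 ino=88101 scontext=m252_u:system_r:frontgate_t:s4:c0.c255 tcontext=root:object_r:import_datasources_t:s4:c10 tclass=file
type=AVC msg=audit(1190505900.102:202): avc: denied { relabelto } for pid=4242 comm="java" name="feed-001.xml" dev=sda3 ino=88101 scontext=m252_u:system_r:frontgate_t:s4:c0.c255 tcontext=root:object_r:import_datasources_t:s4:c12 tclass=file
type=AVC msg=audit(1190505900.103:203): avc: denied { relabelfrom } for pid=4242 comm="java" name="feed-002.xml" dev=sda3 ino=88102 scontext=system_u:system_r:frontgate_t:s4:c0.c255 tcontext=system_u:object_r:import_datasources_t:s4:c10 tclass=file
type=AVC msg=audit(1190505900.104:204): avc: denied { read } for pid=4242 comm="java" name="feed-003.xml" dev=sda3 ino=88103 scontext=m252_u:system_r:frontgate_t:s4:c0.c255 tcontext=root:object_r:import_datasources_t:s4:c10 tclass=file
"""


class Context(NamedTuple):
    user: str
    role: str
    type: str
    mls_range: str  # MLS/MCS range such as "s4:c0.c255"; empty on non-MLS policy


AVC_RE = re.compile(
    r"msg=audit\([^)]*:(?P<serial>\d+)\).*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

RELABEL_PERMS = {"relabelfrom", "relabelto"}


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range]. The range may itself contain ':' (s4:c0.c255),
    so only the first three separators are significant."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    if len(parts) == 3:  # non-MLS policy: no range field
        parts.append("")
    return Context(*parts)


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "serial": int(m["serial"]),
        "perms": set(m["perms"].split()),
        "scontext": parse_context(m["scontext"]),
        "tcontext": parse_context(m["tcontext"]),
        "tclass": m["tclass"],
    }


def diagnose(rec: dict) -> str:
    """Classify a denial the way the reply does: for relabel permissions, ask first
    whether the SELinux user identities differ (constraint), not which allow
    rule is missing."""
    if not rec["perms"] & RELABEL_PERMS:
        return "not-relabel"
    if rec["scontext"].user != rec["tcontext"].user:
        return "user-identity-mismatch"
    return "user-identity-ok"


def explain(rec: dict) -> str:
    """Human-readable verdict naming the two remedies given in the reply."""
    verdict = diagnose(rec)
    s, t = rec["scontext"], rec["tcontext"]
    if verdict == "user-identity-mismatch":
        return (f"{s.user} != {t.user}: relabel blocked by the user-identity "
                f"constraint, not by a missing allow rule; either give {s.type} "
                f"domain_obj_id_change_exemption() or run it as user {t.user}")
    if verdict == "user-identity-ok":
        return (f"users match ({s.user}); look at allow rules and MLS "
                f"constraints for {s.type}")
    return f"{sorted(rec['perms'])} on {rec['tclass']}: not a relabel denial"


def analyze_log(text: str) -> List[dict]:
    """Run every AVC record in the log text through diagnose()/explain()."""
    results = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec["verdict"] = diagnose(rec)
        rec["explanation"] = explain(rec)
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in analyze_log(SAMPLE_AUDIT_LOG):
        print(f"audit serial {rec['serial']}: {rec['explanation']}")
```

On the constructed log the first two records are flagged as user-identity mismatches (m252_u vs root), the third passes that check and is left for ordinary allow-rule and MLS investigation, and the read denial is reported as unrelated to relabeling. The point of separating diagnose() from explain() is that audit2allow only ever proposes allow rules; a constraint denial has to be recognised before its output is trusted.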
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service