I've got a java process running in the datalabeler_t domain at the s2 mls level, which kicks off a c++ executable in the import_t domain.

There appears to be some inter-process communication being set up using pipefs between the parent and child process which is causing mls constraint issues. I'm not familiar with pipefs and I'm not explicitly creating this communication, either linux or java is implicitly creating it for me.

Is this configurable so that I can prevent the pipefs from being created?

Alternatively, can I satisfy the below AVC denial messages without giving the import_t domain mlsfilereadup privilege? I don't mind giving the datalabeler_t domain extra privileges like writedown or readup, but I don't want to give the import_t domain those kind of mls privileges.

type=AVC msg=audit(1180552217.128:260021): avc: denied { read } for pid=2585 comm="SimulatedImport" name="[4155253]" dev=pipefs ino=4155253 scontext=m2_u:system_r:import_t:s1
tcontext=m2_u:system_r:datalabeler_t:s2-s15:c0.c255 tclass=fifo_file

type=AVC msg=audit(1180552217.128:260021): avc: denied { write } for pid=2585 comm="SimulatedImport" name="[4155252]" dev=pipefs ino=4155252 scontext=m2_u:system_r:import_t:s1
tcontext=m2_u:system_r:datalabeler_t:s2-s15:c0.c255 tclass=fifo_file

type=AVC msg=audit(1180552217.128:260021): avc: denied { write } for pid=2585 comm="SimulatedImport" name="[4155254]" dev=pipefs ino=4155254 scontext=m2_u:system_r:import_t:s1
tcontext=m2_u:system_r:datalabeler_t:s2-s15:c0.c255 tclass=fifo_file

Thanks

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.