SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: pipefs issue This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Christopher J. PeBenito <cpebenito_at_tresys.com> Date: Thu, 31 May 2007 12:29:41 +0000 On Wed, 2007-05-30 at 18:23 -0700, Clarkson, Mike R (US SSA) wrote: > I've got a java process running in the datalabeler_t domain at the s2 > mls level, which kicks off a c++ executable in the import_t domain. > > There appears to be some inter-process communication being set up using > pipefs between the parent and child process which is causing mls > constraint issues. I'm not familiar with pipefs and I'm not explicitly > creating this communication, either linux or java is implicitly creating > it for me. > > Is this configurable so that I can prevent the pipefs from being > created? Unnamed pipes are created on pipefs. My guess is that stdin/out/err are being redirected through a pipe. > Alternatively, can I satisfy the below AVC denial messages without > giving the import_t domain mlsfilereadup privilege? I don't mind giving > the datalabeler_t domain extra privileges like writedown or readup, but > I don't want to give the import_t domain those kind of mls privileges. You could dontaudit it. dontaudit import_t datalabeler_t:fifo_file { read write }; -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Thu 31 May 2007 - 08:30:50 EDT This message: [ Message body ] Next message: Christopher J. PeBenito: "Re: djbdns needs optional_policy" Previous message: Daniel J Walsh: "Re: djbdns needs optional_policy" In reply to: Clarkson, Mike R \(US SSA\): "pipefs issue" Next in thread: Stephen Smalley: "Re: pipefs issue" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom