Whenever I use runcon in my script, I get the error "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context", regardless of the user, role, type, and MLS level that I specify with the runcon command. In fact, even when I specify the context that I'm already running in with the runcon statement, I get the above error. So for instance, if I run the script WITHOUT the runcon command, it runs fine with the following security context (verified with a ps -efZ command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the script with a runcon statement that specifies the exact same user, role, type, and MLS level, I get the error shown above.
My script runs in a domain named datalabeler_t (I don't have the problem when running a similar script in the unconfined_t domain). It kicks off a java process with the following line: java mls.SimulatedImport.SimulatedDataLabeler $argv[*]
When I add the runcon statement, I get the above error:
runcon -u root -r system_r -t datalabeler_t java mls.SimulatedImport.SimulatedDataLabeler $argv[*]
I am using an SELinux policy that I built as an MLS policy off the targeted policy.
Ultimately what I'd like to be able to do is to use the runcon statement to specify an MLS level, but I need to get past this first.
Any help would be appreciated.
Thanks
On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> Whenever I use runcon in my script, I get the error "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context", regardless of the user, role, type, and MLS level that I specify with the runcon command. In fact, even when I specify the context that I'm already running in with the runcon statement, I get the above error. So for instance, if I run the script WITHOUT the runcon command, it runs fine with the following security context (verified with a ps -efZ command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the script with a runcon statement that specifies the exact same user, role, type, and MLS level, I get the error shown above.
(please disable html mail in your client when posting to public mail lists)
Are you running in permissive mode? In permissive mode, SELinux will allow policy-defined domain transitions to happen even if the context is not fully valid but will still reject those contexts if explicitly specified by an application (e.g. by runcon).
Make sure that you have authorized the context in your policy, e.g.
- is root authorized for system_r and for s0-s15:c0.c255 via a user declaration?
- is system_r authorized for datalabeler_t via a role declaration?
> I am using an SELinux policy that I built as an MLS policy off the targeted policy.
I don't understand - why aren't you using the real MLS policy? And if you want to use MLS, why aren't you following the work on redhat-lspp list and using those packages?
On Tue, 2007-05-01 at 10:17 -0400, Stephen Smalley wrote:
To summarize the solution for the list (discussion went off-list), the problem in this case was lack of permission for the datalabeler_t domain to validate contexts (selinux_validate_context() refpolicy interface), resulting in runcon always failing to validate the context and reporting an invalid context. Likely should file a bug against coreutils for runcon to add strerror(errno) to the error message when security_check_context() fails so that we would see it as a Permission denied.
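As an added illustration (not policy from the original poster or from the list), the fragment below puts the two checklist items from Stephen's first reply and the fix named in the summary side by side. The module name datalabeler and the exec type datalabeler_exec_t are assumptions; datalabeler_t, system_r, root and the range s0-s15:c0.c255 come from the thread. The user declaration is shown in raw policy syntax as it would appear in the base policy's users file (refpolicy wraps it in the gen_user() macro); the rest is a refpolicy-style .te module.

```selinux
## 1. Base policy, users file (raw syntax; refpolicy uses gen_user() here).
##    Checklist item 1: root must be allowed the role system_r and the
##    MLS range s0-s15:c0.c255, or the user:role and user:range parts of
##    root:system_r:datalabeler_t:s0-s15:c0.c255 are rejected.
user root roles { system_r } level s0 range s0 - s15:c0.c255;

## 2. datalabeler.te (module name is an assumption for this example)
policy_module(datalabeler, 1.0.0)

type datalabeler_t;
type datalabeler_exec_t;          # assumed entry-point type for the domain
domain_type(datalabeler_t)
domain_entry_file(datalabeler_t, datalabeler_exec_t)

# Checklist item 2: system_r must be authorized for datalabeler_t, or the
# role:type pair is invalid no matter what MLS fields are supplied.
role system_r types datalabeler_t;

# The actual fix from the summary. runcon hands the requested context to
# security_check_context(), which writes it to the "context" node of
# selinuxfs; that write requires security { check_context } on security_t.
# Without it the check fails with EACCES, and runcon of that era reported
# only "... is not a valid context" instead of "Permission denied".
selinux_validate_context(datalabeler_t)
# The interface expands to approximately this raw rule (plus the access
# needed to locate the selinuxfs mount):
#   allow datalabeler_t security_t:security check_context;
```

A quick way to tell the two failure modes apart on a host with setools: `sesearch -A -s datalabeler_t -t security_t -c security -p check_context` shows whether the domain may validate contexts at all, while `seinfo -u root -x` and `seinfo -r system_r -x` show the user's roles and range and the role's authorized types. An empty sesearch result reproduces exactly the symptom in this thread: every runcon invocation fails, including one naming the caller's own context.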