I want to manually run an app within a certain context. When I try running it like so I get the following error:
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# runcon p16001_u:myapp_r:myapp_t:s0:c1 /myapp/startup.sh
runcon: invalid context: p16001_u:myapp_r:myapp_t:s0:c1: Invalid argument
unconfined should be allowed to transition to any context, right? No AVC is generated, so I don't think that's the issue. The user p16001_u exists with category c1 and role myapp_r, and myapp_t exists in the policy. I'm unclear as to why this is an invalid context.
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
myapp_u         user       s0         s0-s0:c0.c1023                 myapp_r
guest_u         user       s0         s0                             guest_r
p16000_u        user       s0         s0-s0:c0                       myapp_r
p16001_u        user       s0         s0-s0:c1                       myapp_r
p16002_u        user       s0         s0-s0:c2                       myapp_r
p16003_u        user       s0         s0-s0:c3                       myapp_r
p16004_u        user       s0         s0-s0:c4                       myapp_r
p16005_u        user       s0         s0-s0:c5                       myapp_r
p16006_u        user       s0         s0-s0:c6                       myapp_r
p16007_u        user       s0         s0-s0:c7                       myapp_r
p16008_u        user       s0         s0-s0:c8                       myapp_r
p16009_u        user       s0         s0-s0:c9                       myapp_r
p16010_u        user       s0         s0-s0:c10                      myapp_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
Any tips greatly appreciated!
On Thu, Apr 30, 2015 at 12:21:38PM PDT, Tracy Reed spake thusly:
> I want to manually run an app within a certain context. When I try running it
I should also point out that p16001_u:myapp_r:myapp_t:s0:c1 is all defined in a custom policy which I have written.
# runcon p16001_u:myapp_r:myapp_t:s0:c1 /myapp/startup.sh
runcon: invalid context: p16001_u:myapp_r:myapp_t:s0:c1: Invalid argument
Unfortunately, SELinux doesn't tell me what part of any of this it is unhappy about.
Here is the entire policy:
It's a bit messy from all of the hacking I've done on it, especially fumbling around with transitions and everything. When what I expected to work didn't work, I started trying all kinds of things that shouldn't matter.
On 04/30/2015 11:55 PM, Tracy Reed wrote:
> runcon p16001_u:myapp_r:myapp_t:s0:c1 /myapp/startup.sh
You missed
role myapp_r types myapp_t;
which will allow you to run runcon and have a transition to myapp_t. But then you get additional AVCs so I would add
domain_type(myapp_t)
at least.
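The reason runcon reports "Invalid argument" with no AVC is that the kernel validates the requested context before any access decision is made: the user must be authorised for the role, the role must be authorised for the type (the `role myapp_r types myapp_t;` statement above), and the level must lie inside the user's MCS range. The following checker, an added example that is not part of this thread, mirrors those three validations offline; its `semanage user -l` rows and .te fragment are constructed to reproduce the missing role/type statement.

```python
import re

# Constructed inputs modelled on the thread (not the poster's actual files): rows of
# `semanage user -l` and a .te fragment that declares myapp_r without authorising myapp_t.
SEMANAGE_USERS = """\
p16001_u      user  s0  s0-s0:c1        myapp_r
unconfined_u  user  s0  s0-s0:c0.c1023  system_r unconfined_r
"""
POLICY_TE = """\
policy_module(myapp, 1.0)
type myapp_t;
role myapp_r;
"""

def parse_users(text):
    """Map each SELinux user to its MCS range and authorised roles."""
    rows = [line.split() for line in text.splitlines()]
    return {f[0]: {"range": f[3], "roles": set(f[4:])} for f in rows if len(f) >= 5}

def parse_role_types(te):
    """Collect 'role R types T ...;' statements into {role: {types}}."""
    roles = {}
    for m in re.finditer(r"^\s*role\s+(\w+)(?:\s+types\s+([^;]+))?\s*;", te, re.M):
        types = roles.setdefault(m.group(1), set())
        if m.group(2):
            types.update(m.group(2).replace("{", " ").replace("}", " ").split())
    return roles

def cats(level):
    """Expand the categories of an MCS level: 's0:c0.c3,c7' -> {0,1,2,3,7}."""
    out = set()
    for part in level.partition(":")[2].split(","):
        if part:  # a bare 's0' carries no categories
            lo, _, hi = part.partition(".")
            out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return out

def check_context(ctx, users, role_types):
    """Return why a context would be rejected, or None if user->role, role->type
    and MCS range all check out (simplified: sensitivity s0 only)."""
    user, role, typ, level = ctx.split(":", 3)
    u = users.get(user, {"range": "s0", "roles": set()})  # unknown user -> no roles
    if role not in u["roles"]:
        return f"user {user} is not authorised for role {role}"
    if typ not in role_types.get(role, set()):
        return f"missing 'role {role} types {typ};' in the policy"
    high = u["range"].split("-")[-1]  # upper bound of the user's MCS range
    if not cats(level) <= cats(high):
        return f"level {level} is outside {user}'s range {u['range']}"
    return None
```

Appending `role myapp_r types myapp_t;` to the fragment makes `check_context("p16001_u:myapp_r:myapp_t:s0:c1", ...)` return None, while `s0:c2` for the same user is still rejected by the range check.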
On Mon, May 04, 2015 at 12:15:16AM PDT, Miroslav Grepl spake thusly:
> You missed
> role myapp_r types myapp_t;
Yep! That was it! Thank you very much! Now the runcon works as expected. Why wouldn't that have caused an avc deny? This sort of thing is very hard to troubleshoot if you don't know all the magic.
Now that the runcon and category etc. are all working, I am still tracking down various TE issues. I get a number of things like this:
#!!!! This avc is allowed in the current policy
allow myapp_t bin_t:lnk_file getattr;
#!!!! This avc is allowed in the current policy
allow myapp_t boot_t:dir getattr;
Why is it telling me the avc is allowed in the current policy? I know it is allowed because I allowed it! :)
I also notice that audit2allow -a is able to produce these messages even after I do a cp /dev/null /var/log/audit/audit.log. How is that possible?
And then I have this:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t self:process { siginh transition noatsecure rlimitinh };
I actually have a whole lot of self-related stuff which I suspect would benefit from a type attribute if I knew which one:
allow myapp_t self:process { execmem siginh signull setexec setsched signal transition sigkill setpgid noatsecure rlimitinh };
allow myapp_t self:capability { setuid chown fsetid setgid fowner audit_write dac_override };
allow myapp_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow myapp_t self:netlink_audit_socket { nlmsg_relay create write };
allow myapp_t self:tcp_socket { write read setopt bind create getattr accept ioctl connect shutdown getopt listen };
allow myapp_t self:udp_socket { getattr ioctl create connect write read };
allow myapp_t self:unix_dgram_socket { create connect write };
selinux@lists.fedoraproject.org