List: fedora-selinux-list
Subject: Re: transition from init_rc
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2015-05-28 10:11:08
Message-ID: 5566E9BC.40108 () redhat ! com
On 05/26/2015 05:05 AM, Tracy Reed wrote:
> I think I'm really close to having this policy finished and working, just a
> couple things to work out...
>
> When I exercise my app and then run audit2allow and it says:
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to \
> either the source or target type to make it work. #Contraint rule:
> allow myapp_t default_t:dir search;
> allow myapp_t default_t:dir read;
> allow myapp_t default_t:file execmod;
> allow myapp_t myapp_bin_t:file write;
>
> does it mean only the first line is a constraint violation? Or are all of
> those constraint violations?
>
> How does one typically deal with constraint violations? By attribute above I
> suppose it means a type attribute but how do I know which one to add?
>
> Then I have these:
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to \
> either the source or target type to make it work. #Contraint rule:
> allow initrc_t default_t:file relabelto;
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to \
> either the source or target type to make it work. #Contraint rule:
> allow initrc_t myapp_api_t:file relabelto;
>
> The init script which starts the service relabels the files when the service
> starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
> think they may be applying security categories here. We may have to find a
> different way to approach that.
>
> But how would I allow this if I wanted to?
>
> Similarly:
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to \
> either the source or target type to make it work. #Contraint rule:
> allow setfiles_t default_t:file relabelfrom;
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to \
> either the source or target type to make it work. #Contraint rule:
> allow setfiles_t myapp_api_t:file relabelfrom;
>
> etc...
>
> This is all on CentOS 6.5.
>
> Thanks!
>
The latest audit2allow gives you a little more information. When you get
a constraint violation you usually need to add an attribute to the
calling process type, to say it is ok to do the operation. Usually it
is related to the MLS/MCS Levels being different or changing the SELinux
user component of a label. If you attached the actual AVC message we
might be able to diagnose the problem. Having restorecon in an
initscript is not unusual.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
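The reply above says a constraint violation is usually caused by differing MLS/MCS levels or a changed SELinux user, and that the raw AVC record is what is needed to tell which. As an added example (not code from the thread or from the SELinux tools), this script pulls scontext/tcontext out of an AVC record and reports which of those components differ; the AVC line is constructed, and the MCS check follows the usual rule that the process's high level must dominate the file's categories.

```python
import re

# Constructed AVC record for this example (not taken from the thread).
SAMPLE_AVC = ('type=AVC msg=audit(1432804567.123:456): avc:  denied  { relabelto } for  '
              'pid=1234 comm="chcon" name="api.conf" dev="dm-0" ino=5678 '
              'scontext=system_u:system_r:initrc_t:s0 '
              'tcontext=system_u:object_r:myapp_api_t:s0:c1,c2 tclass=file')

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_context(ctx):
    """Split user:role:type[:level] into its components; level defaults to s0."""
    parts = ctx.split(":", 3)
    level = parts[3] if len(parts) > 3 else "s0"
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}

def categories(level):
    """Return the MCS category numbers in the high (clearance) half of a level."""
    high = level.split("-")[-1]            # "s0-s0:c0.c1023" -> "s0:c0.c1023"
    if ":" not in high:
        return set()
    cats = set()
    for item in high.split(":", 1)[1].split(","):
        if "." in item:                    # a range such as c0.c1023
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats

def sensitivity(level):
    """Numeric sensitivity of the high half of a level ("s0-s1:c2" -> 1)."""
    return int(level.split("-")[-1].split(":")[0][1:])

def explain(avc_line):
    """List the constraint-relevant differences between source and target contexts."""
    fields = dict(FIELD_RE.findall(avc_line))
    src = parse_context(fields["scontext"])
    tgt = parse_context(fields["tcontext"])
    reasons = []
    if src["user"] != tgt["user"]:         # relabel/ownership constraints compare the user
        reasons.append("SELinux user differs: %s vs %s" % (src["user"], tgt["user"]))
    if sensitivity(src["level"]) < sensitivity(tgt["level"]):
        reasons.append("source sensitivity %s below target %s" % (src["level"], tgt["level"]))
    missing = sorted(categories(tgt["level"]) - categories(src["level"]))
    if missing:                            # source clearance does not dominate the file
        reasons.append("source %s lacks target categories %s"
                       % (src["type"], ",".join("c%d" % c for c in missing)))
    return reasons

if __name__ == "__main__":
    print(explain(SAMPLE_AVC) or ["no user/level difference: look at the type rules"])
```

An empty result means the denial is not explained by user or level differences, so the remaining candidates are the ordinary type-enforcement rules audit2allow already printed.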