From: dwalsh@redhat.com (Daniel J Walsh) Date: Thu, 23 Apr 2009 08:39:40 -0400 Subject: [refpolicy] runcon cant really run(constraint issue?) In-Reply-To: References: Message-ID: <49F0618C.4080101@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/22/2009 12:38 PM, Justin Mattock wrote: > looking into using runcon > it seems I'm confronted with an > avc, that just keeps showing up: > allow staff_t user_t:process { siginh rlimitinh transition noatsecure }; > (even after adding this to the policy). > > What I'm doing is this: > runcon name:user_r:user_t:s0-s0:c0.c255 firefox > the initial role I'm in is staff_r(transitioning to user_r for > firefox to run in) > > Does this seem like the right thing to do, > or do I need to use newrole -r * > for something like firefox? > I guess the correct question is what is your security goal. You are not currently allowed to transition from a staff_u user to a user_r role. In order to make this happen you would need to use semange to make sure your SELinux user "name" had both staff_r and user_r, and then you would need to add a rule to policy that says staff_r can become user_r. But transitioning to the new role is probably not what you want. If your goal is to confine firefox. you would be better off using the mozilla policy to say when a staff_t type executes mozilla_exec_t it runs as staff_mozilla_t. name:staff_r:staff_t -> system_u:object_r:mozilla_exec_t -> name:staff_r:staff_mozilla_t Confining mozilla/firefox has a whole bunch of other problems...