From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 23 Apr 2009 08:54:43 -0400
Subject: [refpolicy] runcon cant really run(constraint issue?)
In-Reply-To: <49F0618C.4080101@redhat.com>
References: <49F0618C.4080101@redhat.com>
Message-ID: <1240491283.19211.805.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-04-23 at 08:39 -0400, Daniel J Walsh wrote:
> On 04/22/2009 12:38 PM, Justin Mattock wrote:
> > Looking into using runcon,
> > it seems I'm confronted with an
> > AVC that just keeps showing up:
> > allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
> > (even after adding this to the policy).
> >
> > What I'm doing is this:
> > runcon name:user_r:user_t:s0-s0:c0.c255 firefox
> > The initial role I'm in is staff_r (transitioning to user_r for
> > firefox to run in).
> >
> > Does this seem like the right thing to do,
> > or do I need to use newrole -r *
> > for something like firefox?
> >
> I guess the correct question is what is your security goal.
>
> You are not currently allowed to transition from a staff_u user to a
> user_r role. In order to make this happen you would need to use semanage
> to make sure your SELinux user "name" had both staff_r and user_r, and
> then you would need to add a rule to policy that says staff_r can become
> user_r.

There is also a transition constraint when the role is changing. You have
to be coming from a domain that is allowed to do role changing, such as
newrole_t. User domains (except unconfined_t) are not allowed.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
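The pieces named in the thread, put together as an added example (this is not code from the thread or from refpolicy): a small policy module carrying the role allow rule Dan mentions, the semanage change that gives SELinux user "name" both roles, and the newrole invocation that satisfies the role-change constraint Chris describes. The module name staff_to_user and the Fedora-style devel Makefile path /usr/share/selinux/devel/Makefile are assumptions; "name", staff_r/user_r and user_t are taken from the original messages.

```shell
#!/bin/sh
# Added example, not from the thread or from refpolicy.
# Assumptions: refpolicy-based policy, module devel Makefile at
# /usr/share/selinux/devel/Makefile, and an existing SELinux user "name".
set -e

SEUSER=name            # SELinux user from Justin's runcon line
MODULE=staff_to_user   # hypothetical module name chosen for this example

# 1. Policy module with the role allow rule Dan describes. Note this is a
#    *role* allow rule; the "allow staff_t user_t:process { transition ... }"
#    rule Justin already added covers only the type side of the change.
write_role_module() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(staff_to_user, 1.0.0)

gen_require(`
	role staff_r, user_r;
')

# A process in staff_r may change its role to user_r.
allow staff_r user_r;
EOF
}

# 2. The SELinux user must be authorised for both roles, or the target
#    context name:user_r:user_t is simply invalid.
grant_roles() {
    semanage user -m -R "staff_r user_r" "$SEUSER"
    semanage user -l | grep "^$SEUSER"   # check: both roles should be listed
}

# 3. Build and load the module.
install_module() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
}

# 4. Even with 1-3 in place, runcon from staff_t still trips the process
#    transition constraint Chris points at: the role may only change from a
#    domain permitted to do so (newrole_t), not from a user domain. So the
#    launch goes through newrole rather than runcon.
run_as_user_role() {
    echo "newrole -r user_r -t user_t -- -c $1"
}

# Only "apply" touches the running system; anything else is a dry run.
if [ "${1:-}" = apply ]; then
    tmp=$(mktemp -d)
    write_role_module "$tmp"
    install_module "$tmp"
    grant_roles
    # Then, from the staff_r shell:
    eval "$(run_as_user_role firefox)"
fi
```

If the same AVC keeps appearing after the type transition rules are in place, feed the denial to audit2why: a denial caused by a constraint is reported as a constraint violation rather than as a missing allow rule, which is the signature of the problem Chris describes and tells you that adding more allow rules will not help.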