Re: more avc denials
- From: Stephen Smalley <sds tycho nsa gov>
- To: Michael Thomas <wart kobold org>
- Cc: "Fedora list for users & developers. SELinux support" <fedora-selinux-list redhat com>
- Subject: Re: more avc denials
- Date: Wed, 16 Jan 2008 13:08:58 -0500
On Wed, 2008-01-16 at 12:05 -0500, Michael Thomas wrote:
> While testing some changes to the cyphesis selinux module in Rawhide, I
> started getting the following denials:
>
> type=AVC msg=audit(1200547499.303:66): avc: denied { write } for
> pid=2722 comm="cyphesis" name="context" dev=selinuxfs ino=5
> scontext=unconfined_u:system_r:cyphesis_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1200547499.303:67): avc: denied { check_context }
> for pid=2722 comm="cyphesis"
> scontext=unconfined_u:system_r:cyphesis_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=security
>
> What would cause these?
That suggests that cyphesis is invoking a libselinux function that is
validating a security context (by writing to /selinux/context).
Would be allowed by selinux_validate_context(cyphesis_t), if using
refpolicy interfaces and building via make
-f /usr/share/selinux/devel/Makefile.
--
Stephen Smalley
National Security Agency