constraints

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Tue Jun 30 12:49:28 UTC 2009


Thanks, Dominick.

I added

domain_system_change_exemption(segatex_t)

to segatex.te

and it worked fine.

Thanks !!

2009/6/30 Dominick Grift <domg472 at gmail.com>:
> On Tue, 2009-06-30 at 20:29 +0900, Shintaro Fujiwara wrote:
>> Hi, I want to yum install or update from a certain domain (segatex_t),
>> but although I set the right permissions in segatex.te, and even
>> disabled dontaudit, it was in vain.
>> So, I followed Mr. Walsh's lecture, asking audit2why.
>>
>> I still don't know how to solve the problem so please help.
>>
>> [root at notepc ~]# audit2why -i /var/log/audit/audit.log
>> type=AVC msg=audit(1246361092.291:17): avc:  denied  { transition }
>> for  pid=3116 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
>> scontext=unconfined_u:unconfined_r:segatex_t:s0
>> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>>
>>       Was caused by:
>>               Policy constraint violation.
>>
>>               May require adding a type attribute to the domain or type to satisfy
>> the constraint.
>>
>>               Constraints are defined in the policy sources in policy/constraints
>> (general), policy/mcs (MCS), and policy/mls (MLS).
>>
>> type=AVC msg=audit(1246361092.303:18): avc:  denied  { transition }
>> for  pid=3117 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
>> scontext=unconfined_u:unconfined_r:segatex_t:s0
>> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>>
>>       Was caused by:
>>               Policy constraint violation.
>>
>>               May require adding a type attribute to the domain or type to satisfy
>> the constraint.
>>
>>               Constraints are defined in the policy sources in policy/constraints
>> (general), policy/mcs (MCS), and policy/mls (MLS).
>>
>
> I am not sure about this, but looking at the rpm_run() and
> rpm_transition_script() interfaces, I suspect this may be related:
>
>        domain_system_change_exemption(segatex_t)
>        role_transition unconfined_r rpm_exec_t system_r;
>        allow unconfined_r system_r;
>
>
>



-- 
http://intrajp.no-ip.com/ Home Page
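
Added example, not part of the original messages or of any SELinux tool: a small triage script that picks out denied process transitions in which the SELinux user or role changes between scontext and tcontext, as in the denial quoted above (unconfined_r to system_r). Such denials are candidates for the "Policy constraint violation" that audit2why reports; audit2why remains the authority. The function names and the second log record are assumptions made for illustration.

```python
import re

# Constructed sample input: record 1 is the denial quoted in the thread, joined
# onto one line; record 2 is a made-up same-role denial for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1246361092.291:17): avc:  denied  { transition } for  pid=3116 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330 scontext=unconfined_u:unconfined_r:segatex_t:s0 tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
type=AVC msg=audit(1246361100.000:19): avc:  denied  { transition } for  pid=3200 comm="example" path="/usr/bin/example" dev=dm-0 ino=1 scontext=unconfined_u:unconfined_r:example_t:s0 tcontext=unconfined_u:unconfined_r:other_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level[0] if level else ""}

def identity_changes(line):
    """Describe a denied process transition, or return None for other records."""
    m = AVC_RE.search(line)
    if not m or m["tclass"] != "process":
        return None
    if not {"transition", "dyntransition"} & set(m["perms"].split()):
        return None
    src, tgt = split_context(m["s"]), split_context(m["t"])
    # Only the user and role fields matter for an identity change.
    changed = {f: (src[f], tgt[f]) for f in ("user", "role") if src[f] != tgt[f]}
    return {"source_type": src["type"], "target_type": tgt["type"], "changed": changed}

def triage(log_text):
    """Return one entry per denied transition, flagging user/role changes."""
    results = []
    for line in log_text.splitlines():
        info = identity_changes(line)
        if info is not None:
            info["constraint_candidate"] = bool(info["changed"])
            results.append(info)
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "check constraints" if r["constraint_candidate"] else "check allow rules"
        print(r["source_type"], "->", r["target_type"], r["changed"], flag)
```

The script expects each audit record on a single line, as in /var/log/audit/audit.log, not wrapped as in the mail above.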




More information about the fedora-selinux-list mailing list