[redhat-lspp] mls constraint issue in the java_t domain
Daniel J Walsh
dwalsh at redhat.com
Tue May 29 17:06:16 UTC 2007
Clarkson, Mike R (US SSA) wrote:
> I've got the following AVC denial message that I can't get past:
>
> type=AVC msg=audit(1180136666.749:225351): avc: denied { write } for
> pid=6603 comm="java" name="3" dev=devpts ino=5
> scontext=m252_u:system_r:java_t:s15:c0.c255
> tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file
>
> The corresponding output from audit2allow is:
>
> [root at m252ut5 foo]# audit2allow -i /var/log/audit/audit.log -l -v -r
>
> require {
> class chr_file write;
> class dir write;
> type devpts_t;
> type java_t;
> type tmp_t;
> role system_r;
> };
>
> allow java_t devpts_t:chr_file write;
> #TYPE=AVC MSG=audit(1180136666.749:225351): COMM="java"
> NAME="3" : write
> #TYPE=AVC MSG=audit(1180136666.749:225351): COMM="java"
> NAME="3" : write
> #TYPE=AVC MSG=audit(1180136666.749:225351): COMM="java"
> NAME="3" : write
> #TYPE=AVC MSG=audit(1180136666.749:225351): COMM="java"
> NAME="3" : write
> allow java_t tmp_t:dir write;
> #TYPE=AVC MSG=audit(1180136666.757:225352): COMM="java"
> NAME="hsperfdata_mbean" : write
>
>
> This is an mls constraint issue because if I use "runcon -l s0 ..." (or
> equivalently remove the runcon statement) rather than "runcon -l
> s15:c0.c255 ...", everything works fine.
>
> The two things that I would think are needed to allow this are:
> allow java_t devpts_t:chr_file write;
> mls_file_write_down(java_t)
> I've provided both of these. (I recognize that giving java_t write down
> privilege is not a good idea. This is just a temporary solution for demo
> purposes until we can get all of our domains set up properly.)
>
> Any ideas for what I need to do to get past this AVC denial?
>
>
The question is why is your pseudo terminal labeled devpts_t instead of
something like
staff_devpts_t. This is also a case where using newrole would be better
than runcon since newrole will change the context of the controlling
terminal.
> Thanks
>
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>
More information about the redhat-lspp
mailing list