[redhat-lspp] mls constraint issue in the java_t domain

Clarkson, Mike R (US SSA) mike.clarkson at baesystems.com
Tue May 29 22:42:54 UTC 2007


Thanks for the response.

I agree that using newrole would likely avoid this issue by relabeling
the pty, but I'm really interested in understanding why providing
the following two things doesn't satisfy the security monitor:
	allow java_t devpts_t:chr_file write;
	mls_file_write_down(java_t)

I thought that because I have given the file write down privilege, I'd
be able to write to the pty with a lower mls level. I'd like to be able
to look at the audit log AVC messages and determine what rules are
needed. I thought I was getting there, but this one has thrown me for a
loop.

Can anyone explain why the above two rules don't satisfy the security
monitor with respect to the below AVC denial message?

Thanks

-----Original Message-----
From: Klaus Weidner [mailto:klaus at atsec.com] 
Sent: Tuesday, May 29, 2007 2:47 PM
To: Stephen Smalley
Cc: Clarkson, Mike R (US SSA); redhat-lspp at redhat.com
Subject: Re: [redhat-lspp] mls constraint issue in the java_t domain

On Tue, May 29, 2007 at 02:25:10PM -0400, Stephen Smalley wrote:
> On Fri, 2007-05-25 at 17:26 -0700, Clarkson, Mike R (US SSA) wrote:
> > I've got the following AVC denial message that I can't get past:
> > 
> > type=AVC msg=audit(1180136666.749:225351): avc:  denied  { write } for
> > pid=6603 comm="java" name="3" dev=devpts ino=5
> > scontext=m252_u:system_r:java_t:s15:c0.c255
> > tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file
[...]
> > Any ideas for what I need to do to get past this AVC denial?
> 
> Use newrole -l, and it will relabel the pty for you.

If "newrole -l" doesn't work for you and it complains about an insecure
terminal, you can make that work (for demo purposes) by adding the type
of your terminal (as shown by "ls -lZ `tty`") to the
/etc/selinux/mls/contexts/securetty_types file.

-Klaus
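The AVC record quoted in this thread is the starting point for the question: the source context is at s15:c0.c255 and the pty is at s0, so a write from java_t to that pty is a write-down, which needs both a type-enforcement allow rule and an MLS constraint exception. The following is an added example, not code from the thread or from the SELinux project: a small parser that splits an audit AVC record into fields, pulls the MLS level out of each context, and reports whether the source level dominates the target level. The sample record is the one from the thread joined onto a single line; the function names and the "direction" labels are my own.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1180136666.749:225351): avc:  denied  { write } for '
    'pid=6603 comm="java" name="3" dev=devpts ino=5 '
    'scontext=m252_u:system_r:java_t:s15:c0.c255 '
    'tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file'
)

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_avc(line):
    """Split one audit AVC record into a dict of its key=value fields plus the permission set."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(line):
        rec[key] = val.strip('"')
    return rec


def parse_context(ctx):
    """Split user:role:type:level; the MLS part is everything after the third colon."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_level(level):
    """'s15:c0.c255' -> (15, {0, ..., 255}); 's0' -> (0, set()). Category lists may mix ranges and singles."""
    sens, _, cats = level.partition(":")
    sensitivity = int(sens[1:])
    catset = set()
    if cats:
        for part in cats.split(","):
            if "." in part:
                lo, hi = part.split(".")
                catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                catset.add(int(part[1:]))
    return sensitivity, catset


def dominates(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and ca >= cb


def classify(line):
    """Describe the MLS relation between subject and object in an AVC record.

    For a range such as 's0-s15:c0.c1023' only the low (current) level is compared.
    """
    rec = parse_avc(line)
    src = parse_context(rec["scontext"])
    tgt = parse_context(rec["tcontext"])
    src_low = src["level"].split("-")[0]
    tgt_low = tgt["level"].split("-")[0]
    if src_low == tgt_low:
        direction = "same"          # no MLS constraint involved; look at TE rules only
    elif dominates(src_low, tgt_low):
        direction = "down"          # subject is higher: writes are write-down
    elif dominates(tgt_low, src_low):
        direction = "up"            # subject is lower: reads are read-up
    else:
        direction = "incomparable"  # neither level dominates the other
    return {
        "result": rec["result"],
        "perms": rec["perms"],
        "comm": rec.get("comm"),
        "source_type": src["type"],
        "target_type": tgt["type"],
        "tclass": rec["tclass"],
        "source_level": src_low,
        "target_level": tgt_low,
        "direction": direction,
    }


if __name__ == "__main__":
    info = classify(SAMPLE_AVC)
    print(f"{info['comm']} ({info['source_type']} at {info['source_level']}) -> "
          f"{info['target_type']} at {info['target_level']}: {info['perms']} is {info['direction']}")
```

Run it on a denial line copied from /var/log/audit/audit.log (joined onto one line if the log viewer wrapped it). A "same" result means only the type-enforcement allow rule is missing; "down" or "up" means the levels differ, so an MLS constraint is also in play and an allow rule alone will not clear the denial.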