[redhat-lspp] mls constraint issue in the java_t domain

Stephen Smalley sds at tycho.nsa.gov
Wed May 30 17:09:38 UTC 2007


On Tue, 2007-05-29 at 15:42 -0700, Clarkson, Mike R (US SSA) wrote:
> Thanks for the response.
> 
> I agree that using newrole would likely avoid this issue by relabeling
> the pty, but I'm really interested in understanding why providing
> the following two things doesn't satisfy the security monitor:
> 	allow java_t devpts_t:chr_file write;
> 	mls_file_write_down(java_t)
> 
> I thought that because I have given the file write down privilege, I'd
> be able to write to the pty with a lower mls level. I'd like to be able
> to look at the audit log AVC messages and determine what rules are
> needed. I thought I was getting there, but this one has thrown me for a
> loop.
> 
> Can anyone explain why the above two rules don't satisfy the security
> monitor with respect to the below AVC denial message?

Not offhand.  Can you send me (off-list) a tar.bz2 file containing
your /etc/selinux/mls directory (or whatever policy you are actively
using, as defined by your /etc/selinux/config SELINUXTYPE= definition).

> 
> Thanks
> 
> -----Original Message-----
> From: Klaus Weidner [mailto:klaus at atsec.com] 
> Sent: Tuesday, May 29, 2007 2:47 PM
> To: Stephen Smalley
> Cc: Clarkson, Mike R (US SSA); redhat-lspp at redhat.com
> Subject: Re: [redhat-lspp] mls constraint issue in the java_t domain
> 
> On Tue, May 29, 2007 at 02:25:10PM -0400, Stephen Smalley wrote:
> > On Fri, 2007-05-25 at 17:26 -0700, Clarkson, Mike R (US SSA) wrote:
> > > I've got the following AVC denial message that I can't get past:
> > > 
> > > type=AVC msg=audit(1180136666.749:225351): avc:  denied  { write } for
> > > pid=6603 comm="java" name="3" dev=devpts ino=5
> > > scontext=m252_u:system_r:java_t:s15:c0.c255
> > > tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file
> [...]
> > > Any ideas for what I need to do to get past this AVC denial?
> > 
> > Use newrole -l, and it will relabel the pty for you.
> 
> If "newrole -l" doesn't work for you and it complains about an insecure
> terminal, you can make that work (for demo purposes) by adding the type
> of your terminal (as shown by "ls -lZ `tty`") to the
> /etc/selinux/mls/contexts/securetty_types file.
> 
> -Klaus
> 
-- 
Stephen Smalley
National Security Agency
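The denial quoted in the thread pairs a subject at s15:c0.c255 with a pty labelled s0, i.e. the write-down case the policy attribute under discussion is meant to cover. As an added example, not code from this thread or from the SELinux project, here is a small Python helper that parses such an AVC record and classifies the access by MLS dominance; it assumes the audit line has been joined onto one line and, when a context carries a low-high level range, uses only the low level.

```python
import re
# Constructed copy of the AVC denial quoted in the thread, joined onto one line.
AVC_LINE = ('type=AVC msg=audit(1180136666.749:225351): avc:  denied  { write } for '
            'pid=6603 comm="java" name="3" dev=devpts ino=5 '
            'scontext=m252_u:system_r:java_t:s15:c0.c255 '
            'tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file')

def parse_avc(line):
    """Return the key=value fields of an AVC record plus the permission set as 'perms'."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r'\{\s*([^}]*)\}', line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields

def parse_level(level):
    """Turn 's15:c0.c255' into (15, {0, ..., 255}) and 's0' into (0, set()).
    If a range 'low-high' is given, only the low (current) level is used."""
    level = level.split('-', 1)[0]
    sens, _, cats = level.partition(':')
    catset = set()
    for part in cats.split(',') if cats else []:
        lo, _, hi = part.partition('.')          # 'c0.c255' is an inclusive span
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        catset.update(range(lo, hi + 1))
    return int(sens[1:]), catset

def level_of(context):
    """user:role:type:level -- the level is everything after the third colon."""
    return context.split(':', 3)[3]

def dominates(a, b):
    """MLS dominance: a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def classify_write(scontext, tcontext):
    """'same', 'write-down' (subject dominates object), 'write-up' or 'incomparable'."""
    src, tgt = parse_level(level_of(scontext)), parse_level(level_of(tcontext))
    if src == tgt:
        return 'same'
    if dominates(src, tgt):
        return 'write-down'
    if dominates(tgt, src):
        return 'write-up'
    return 'incomparable'

if __name__ == '__main__':
    f = parse_avc(AVC_LINE)
    print(f['comm'], f['tclass'], f['perms'], classify_write(f['scontext'], f['tcontext']))
```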