On Tue, 2007-05-29 at 15:42 -0700, Clarkson, Mike R (US SSA) wrote:
> Thanks for the response.
>
> I agree that using newrole would likely avoid this issue by relabeling
> the pty, but I'm really interested in understanding why providing
> the following two things doesn't satisfy the security monitor:
> allow java_t devpts_t:chr_file write;
> mls_file_write_down(java_t)
>
> I thought that because I have given the file write down privilege, I'd
> be able to write to the pty with a lower mls level. I'd like to be able
> to look at the audit log AVC messages and determine what rules are
> needed. I thought I was getting there, but this one has thrown me for a
> loop.
>
> Can anyone explain why the above two rules don't satisfy the security
> monitor with respect to the below AVC denial message?

Not offhand. Can you send me (off-list) a tar.bz2 file containing your /etc/selinux/mls directory (or whatever policy you are actively using, as defined by your /etc/selinux/config SELINUXTYPE= definition).

> Thanks
>
> -----Original Message-----
> From: Klaus Weidner [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 29, 2007 2:47 PM
> To: Stephen Smalley
> Cc: Clarkson, Mike R (US SSA); [email protected]
> Subject: Re: [redhat-lspp] mls constraint issue in the java_t domain
>
> On Tue, May 29, 2007 at 02:25:10PM -0400, Stephen Smalley wrote:
> > On Fri, 2007-05-25 at 17:26 -0700, Clarkson, Mike R (US SSA) wrote:
> > > I've got the following AVC denial message that I can't get past:
> > >
> > > type=AVC msg=audit(1180136666.749:225351): avc: denied { write } for
> > > pid=6603 comm="java" name="3" dev=devpts ino=5
> > > scontext=m252_u:system_r:java_t:s15:c0.c255
> > > tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file
> [...]
> > > Any ideas for what I need to do to get past this AVC denial?
> >
> > Use newrole -l, and it will relabel the pty for you.
>
> If "newrole -l" doesn't work for you and it complains about an insecure
> terminal, you can make that work (for demo purposes) by adding the type
> of your terminal (as shown by "ls -lZ `tty`") to the
> /etc/selinux/mls/contexts/securetty_types file.
>
> -Klaus

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
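As an added example that is not part of this thread, the following Python helper parses the AVC record Mike quoted and compares the MLS levels carried in scontext and tcontext. It shows that the denied write is a write-down (subject at s15:c0.c255, pty at s0), the case that the policy's MLS constraints decide separately from the type-enforcement allow rule; the level-syntax parsing (ranges like c0.c255, lists like c1,c3) and the MLS dominance rule are standard SELinux semantics, not something taken from the thread.

```python
import re

# Constructed from the AVC record quoted in the thread above, joined onto one line.
AVC_LINE = ('type=AVC msg=audit(1180136666.749:225351): avc: denied { write } for '
            'pid=6603 comm="java" name="3" dev=devpts ino=5 '
            'scontext=m252_u:system_r:java_t:s15:c0.c255 '
            'tcontext=m252_u:object_r:devpts_t:s0 tclass=chr_file')

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; the value may be quoted

def parse_avc(line):
    """Return the key=value fields of one AVC record plus its permission list."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

def parse_level(level):
    """'s15:c0.c255' -> (15, categories 0..255); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')   # 'c0.c255' is a range, 'c3' a single category
        lo = int(lo[1:])
        categories.update(range(lo, (int(hi[1:]) if hi else lo) + 1))
    return int(sens[1:]), frozenset(categories)

def context_level(ctx):
    """Low (current) level of a user:role:type:level[-high] security context."""
    level = ctx.split(':', 3)[3] if ctx.count(':') >= 3 else 's0'
    return level.split('-')[0]

def dominates(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    return sa >= sb and ca >= cb

def classify_flow(avc):
    """Direction of the denied access relative to the subject's level."""
    s, t = context_level(avc['scontext']), context_level(avc['tcontext'])
    down, up = dominates(s, t), dominates(t, s)
    if down and up:
        return 'equal'           # l1 eq l2: the usual MLS condition for a write
    if down:
        return 'write-down'      # subject above object: needs an MLS override, not just an allow rule
    return 'write-up' if up else 'incomparable'
```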
