how to run setsebool -P in chroot?

2015-09-18 Thread Bond Masuda
Hello, I'm trying to run setsebool in a chroot environment like: chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1 But I get: setsebool: SELinux is disabled. I'm guessing this is because the environment is not running. Is there a way around this? I need to be able to set s
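An added preflight check for the question above (example code written for this page, not code from the thread). It assumes, as the comments also state, that the "SELinux is disabled" message comes from libselinux failing to find selinuxfs, which it looks for at /sys/fs/selinux first, so a chroot with neither /sys/fs/selinux nor its policy store in place looks "disabled" even on an enforcing host; the function names and the fake-root layout are mine. One caveat worth keeping in mind, also an assumption: a persistent set goes through a libsemanage commit, which normally reloads policy through selinuxfs, so with the host's selinuxfs bind-mounted into the chroot the chroot's policy may end up loaded into the host kernel.

```shell
#!/bin/sh
# Preflight for `chroot ROOT setsebool -P BOOL VALUE`.
# Assumption: setsebool refuses with "SELinux is disabled" when libselinux
# cannot find selinuxfs (checked at /sys/fs/selinux first), so inside a
# chroot that mount, and the on-disk policy store, must be visible.

# selinux_type_of ROOT: print SELINUXTYPE from ROOT/etc/selinux/config,
# exit status 1 if the file or the setting is missing.
selinux_type_of() {
    cfg="$1/etc/selinux/config"
    [ -f "$cfg" ] || return 1
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" \
        | head -n 1 | grep .
}

# chroot_selinux_ready ROOT: exit status 0 when the pieces setsebool -P needs
# are present under ROOT, otherwise 1 with one diagnostic per missing piece.
chroot_selinux_ready() {
    root=$1
    ok=0
    if [ ! -e "$root/sys/fs/selinux/enforce" ]; then
        echo "missing selinuxfs: mount --bind /sys/fs/selinux $root/sys/fs/selinux" >&2
        ok=1
    fi
    ptype=$(selinux_type_of "$root") || {
        echo "missing SELINUXTYPE in $root/etc/selinux/config" >&2
        ok=1
    }
    if [ -n "$ptype" ] && [ ! -d "$root/etc/selinux/$ptype" ]; then
        echo "missing policy store $root/etc/selinux/$ptype" >&2
        ok=1
    fi
    return $ok
}

# setsebool_in_chroot ROOT BOOL VALUE: run the preflight, then the real thing.
setsebool_in_chroot() {
    chroot_selinux_ready "$1" || return 1
    chroot "$1" /usr/sbin/setsebool -P "$2" "$3"
}

# Usage: sh this_script.sh /mnt/test antivirus_can_scan_system 1
if [ $# -eq 3 ]; then
    setsebool_in_chroot "$1" "$2" "$3"
fi
```

The diagnostics name the bind mount to add, so a failed preflight tells you what the chroot is missing instead of the generic "SELinux is disabled".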

Re: [PATCH v2] selinux: do not check open perm on ftruncate call

2015-09-18 Thread Stephen Smalley
On 09/18/2015 03:39 PM, Jeff Vander Stoep wrote:
> Use the ATTR_FILE attribute to distinguish between truncate()
> and ftruncate() system calls. The two other cases where
> do_truncate is called with a filp (and therefore ATTR_FILE is set)
> are for coredump files and for open(O_TRUNC). In both of

[PATCH v2] selinux: do not check open perm on ftruncate call

2015-09-18 Thread Jeff Vander Stoep
Use the ATTR_FILE attribute to distinguish between truncate() and ftruncate() system calls. The two other cases where do_truncate is called with a filp (and therefore ATTR_FILE is set) are for coredump files and for open(O_TRUNC). In both of those cases the open permission has already been checked

[PATCH] selinux: do not check open perm on ftruncate call

2015-09-18 Thread Jeff Vander Stoep
Use the ATTR_FILE attribute to distinguish between truncate() and ftruncate() system calls. The two other cases where do_truncate is called with a filp (and therefore ATTR_FILE is set), are for coredump files and for open(O_TRUNC). In both of those cases the open permission has already been checked

Re: remove unconfined user

2015-09-18 Thread Miroslav Grepl
On 09/16/2015 11:00 AM, Divya Vyas wrote:
> Hi,
>
> I am running a minimum policy with unconfined policy
>
> id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> This leads to my http process running as unconfined type
>
> ps -efZ | grep http
> unconfined_u:unconfined_r:unconfined

Re: http process running as initrc_t

2015-09-18 Thread Miroslav Grepl
On 09/16/2015 10:31 PM, Divya Vyas wrote:
> Hi,
>
> run_init /usr/sbin/httpd -k start
>
> leads to
> system_u:system_r:initrc_t:s0 root 3977 1 0 19:57 ?
> 00:00:00 /usr/sbin/httpd -k start

Which is correct. run_init runs a script with a context defined in /etc/selinux/POLICYT
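An added audit helper for the two replies above, which both come down to a daemon landing in a catch-all domain (unconfined_t via an unconfined login user, initrc_t via run_init) rather than its own confined domain. This is example code written for this page, not from either message; it parses `ps -efZ` output and flags processes whose type is unconfined_t or initrc_t (unconfined_service_t is included on the assumption that it is equally interesting on systems that have it). The sample lines are constructed to resemble `ps -efZ` output and are not from the thread.

```shell
#!/bin/sh
# List processes running in a catch-all SELinux domain, from `ps -efZ` output.
# Constructed sample (not from the original thread), shaped like ps -efZ:
PS_SAMPLE='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t:s0     root         1     0  0 19:50 ?        00:00:01 /usr/lib/systemd/systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1200 1 0 19:51 ?        00:00:00 /usr/sbin/sshd -D
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3900 3800 0 19:56 pts/0 00:00:00 /usr/sbin/httpd -k start
system_u:system_r:initrc_t:s0   root      3977     1  0 19:57 ?        00:00:00 /usr/sbin/httpd -k start
system_u:system_r:httpd_t:s0    apache    3980  3977  0 19:57 ?        00:00:00 /usr/sbin/httpd -k start'

# unconfined_procs: read ps -efZ lines on stdin, print "PID TYPE CMD" for every
# process whose SELinux type (third field of the context) is a catch-all domain.
# Assumption: the column order is LABEL UID PID PPID C STIME TTY TIME CMD.
unconfined_procs() {
    awk 'NR > 1 {
        n = split($1, ctx, ":")          # user:role:type[:range]
        if (n < 3) next
        t = ctx[3]
        if (t == "unconfined_t" || t == "initrc_t" || t == "unconfined_service_t") {
            cmd = $9
            for (i = 10; i <= NF; i++) cmd = cmd " " $i
            print $3, t, cmd
        }
    }'
}

# Stand-alone run on the constructed sample; on a live host use:
#   ps -efZ | unconfined_procs
printf '%s\n' "$PS_SAMPLE" | unconfined_procs
```

On the sample this reports the two httpd instances that never reached httpd_t (one in unconfined_t, one in initrc_t) and stays quiet about the child that did transition, which is the check to run after changing the login user mapping or switching from run_init to the init system.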

Re: [PATCH v3 2/7] userns: Simplify MNT_NODEV handling.

2015-09-18 Thread Andy Lutomirski
On Sep 16, 2015 6:01 PM, "Eric W. Biederman" wrote:
>
> Andy Lutomirski writes:
>
> > On Wed, Sep 16, 2015 at 1:02 PM, Seth Forshee
> > wrote:
> >> From: "Eric W. Biederman"
> >>
> >> - Consolidate the testing if a device node may be opened in a new
> >> function may_open_dev.
> >>
> >> - Mov