On Mon, Apr 17, 2017 at 05:02:14PM -0500, Ian Pilcher wrote:
> I am having a weird problem writing a policy for a service. The service
> needs to set SELinux file contexts, so I've created a rule to allow
> this:
>
> allow acme_nss_t cert_t : file { read write create getattr setattr
> relabelfrom relabelto open } ;
>
> Despite this, I am still getting this denial:
>
> avc: denied { relabelto } for pid=3561 comm="update-mod-nss"
> name="cert8.db" dev="dm-0" ino=50343845
> scontext=system_u:system_r:acme_nss_t:s0
> tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
>
> Any ideas?

acme_nss_t needs to be associated with "can_change_object_identity" to be able to change the object identity from system_u to unconfined_u:

typeattribute acme_nss_t can_change_object_identity;

or the appropriate macro:

domain_obj_id_change_exemption(acme_nss_t)

But there is no need to change the object identity in the first place, system_u will do fine.

> --
> ========================================================================
> Ian Pilcher [email protected]
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> _______________________________________________
> Selinux mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
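As an added triage example (not code from either poster), the following Python script parses the AVC line quoted in the thread and tells the two failure layers apart: a missing TE allow rule versus the object-identity constraint that an allow rule cannot satisfy. The constraint shape (u1 == u2 or t1 == can_change_object_identity, applied to create/relabelto/relabelfrom) is assumed from the reference policy.

```python
import re
from dataclasses import dataclass

# Constructed sample: the denial quoted in the thread above, on one line.
SAMPLE_AVC = ('avc: denied { relabelto } for pid=3561 comm="update-mod-nss" '
              'name="cert8.db" dev="dm-0" ino=50343845 '
              'scontext=system_u:system_r:acme_nss_t:s0 '
              'tcontext=unconfined_u:object_r:cert_t:s0 tclass=file')

# Permissions that refpolicy guards with the object-identity constraint
# (assumed shape: u1 == u2 or t1 == can_change_object_identity).
IDENTITY_CONSTRAINED_PERMS = {"create", "relabelto", "relabelfrom"}


@dataclass
class AvcDenial:
    perms: set
    tclass: str
    scontext: tuple  # (user, role, type, range)
    tcontext: tuple


def split_context(ctx: str) -> tuple:
    """Split user:role:type:range, padding the range if it is absent."""
    parts = ctx.split(":", 3)
    return tuple(parts + [""] * (4 - len(parts)))


def parse_avc(line: str) -> AvcDenial:
    """Pull the permission set, object class and both contexts out of one AVC line."""
    perms = set(re.search(r"denied\s+\{\s*([^}]*)\}", line).group(1).split())
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return AvcDenial(perms, fields["tclass"],
                     split_context(fields["scontext"]),
                     split_context(fields["tcontext"]))


def diagnose(d: AvcDenial) -> str:
    """Say which policy layer blocks the access: a TE rule or the identity constraint."""
    suser, _, stype, _ = d.scontext
    tuser, _, ttype, _ = d.tcontext
    if d.perms & IDENTITY_CONSTRAINED_PERMS and suser != tuser:
        # An allow rule is necessary but not sufficient here: the constraint
        # still fails because the SELinux user of the object would change.
        return ("identity-constraint: %s (%s) would set object user %s; keep the "
                "object as %s or grant can_change_object_identity" % (stype, suser, tuser, suser))
    return "te-rule: allow %s %s:%s { %s };" % (stype, ttype, d.tclass, " ".join(sorted(d.perms)))


if __name__ == "__main__":
    print(diagnose(parse_avc(SAMPLE_AVC)))
```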
