* Invalid context in targeted SELinux policy
From: Daniel Musgrave @ 2006-08-15 21:50 UTC (permalink / raw)
To: selinux
I am in the process of writing an application and associated policy in Centos 4.3, running a targeted SELinux environment at version 1.17.30-2.126. After successfully creating the necessary rules in my .te file, and the associated file contexts in the .fc file, I am attempting to resolve one last problem. After compiling my policy and running the application, I get the following error:
audit(...): security_compute_sid: invalid context root:system_r:upgrade_t for scontext=root:system_r:unconfined_t tcontext=system_u:object_r:upgrade_exec_t tclass=process
The domain for this executable is 'upgrade' and the file context of the binary is 'upgrade_exec_t' (there are some associated *_log_t and *_tmp_t files as well). The .te file defines upgrade using the application_domain macro.
I have thus far been unable to find any sort of documentation or discussion that relates to this specific problem (most file_context issues seem to come from improperly-formatted .fc files during labeling, rather than at runtime). Am I forgetting to include some line in my .te file? Do I need to include the new domain/type I've created in some other location? Any insight you can provide would be greatly appreciated.
Thanks,
Daniel
PS - here is my .fc file, in case my problem somehow *does* involve it.
upgrade.fc
# upgrade
/usr/bin/upgrade -- system_u:object_r:upgrade_exec_t
/var/log/upgrade.log -- system_u:object_r:upgrade_log_t
/tmp/upgrade(/.*)? -- system_u:object_r:upgrade_tmp_t
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Invalid context in targeted SELinux policy
From: Karl MacMillan @ 2006-08-16 13:02 UTC (permalink / raw)
To: Daniel Musgrave; +Cc: selinux
On Tue, 2006-08-15 at 21:50 +0000, Daniel Musgrave wrote:
> I am in the process of writing an application and associated policy in Centos 4.3, running a targeted SELinux environment at version 1.17.30-2.126. After successfully creating the necessary rules in my .te file, and the associated file contexts in the .fc file, I am attempting to resolve one last problem. After compiling my policy and running the application, I get the following error:
>
> audit(...): security_compute_sid: invalid context root:system_r:upgrade_t for scontext=root:system_r:unconfined_t tcontext=system_u:object_r:upgrade_exec_t tclass=process
>
> The domain for this executable is 'upgrade' and the file context of the binary is 'upgrade_exec_t' (there are some associated *_log_t and *_tmp_t files as well). The .te file defines upgrade using the application_domain macro.
>
Did you authorize your type for the system_r role?
role system_r upgrade_t;
Karl
* Re: Invalid context in targeted SELinux policy
From: Karl MacMillan @ 2006-08-16 13:19 UTC (permalink / raw)
To: Daniel Musgrave; +Cc: selinux
On Wed, 2006-08-16 at 09:02 -0400, Karl MacMillan wrote:
> On Tue, 2006-08-15 at 21:50 +0000, Daniel Musgrave wrote:
> > I am in the process of writing an application and associated policy in Centos 4.3, running a targeted SELinux environment at version 1.17.30-2.126. After successfully creating the necessary rules in my .te file, and the associated file contexts in the .fc file, I am attempting to resolve one last problem. After compiling my policy and running the application, I get the following error:
> >
> > audit(...): security_compute_sid: invalid context root:system_r:upgrade_t for scontext=root:system_r:unconfined_t tcontext=system_u:object_r:upgrade_exec_t tclass=process
> >
> > The domain for this executable is 'upgrade' and the file context of the binary is 'upgrade_exec_t' (there are some associated *_log_t and *_tmp_t files as well). The .te file defines upgrade using the application_domain macro.
> >
> Did you authorize your type for the system_r role?
>
> role system_r upgrade_t;
>
I shouldn't answer emails in the morning:
role system_r types upgrade_t;
Karl
* Re: Invalid context in targeted SELinux policy
From: Stephen Smalley @ 2006-08-16 13:24 UTC (permalink / raw)
To: Daniel Musgrave; +Cc: selinux
On Tue, 2006-08-15 at 21:50 +0000, Daniel Musgrave wrote:
> I am in the process of writing an application and associated policy in
> Centos 4.3, running a targeted SELinux environment at version
> 1.17.30-2.126. After successfully creating the necessary rules in
> my .te file, and the associated file contexts in the .fc file, I am
> attempting to resolve one last problem. After compiling my policy and
> running the application, I get the following error:
>
> audit(...): security_compute_sid: invalid context
> root:system_r:upgrade_t for scontext=root:system_r:unconfined_t
> tcontext=system_u:object_r:upgrade_exec_t tclass=process
This typically means that the new domain 'upgrade_t' hasn't been
authorized for the role 'system_r', e.g. role system_r types upgrade_t;
> The domain for this executable is 'upgrade' and the file context of
> the binary is 'upgrade_exec_t' (there are some associated *_log_t and
> *_tmp_t files as well). The .te file defines upgrade using the
> application_domain macro.
Hmm...application_domain() includes a role statement for sysadm_r by
default, and also includes a role statement for system_r if
targeted_policy is defined, i.e. building targeted policy. At least in
the last release of the example policy. But possibly that wasn't in the
CentOS/RHEL policies as shipped.
--
Stephen Smalley
National Security Agency
* Re: Invalid context in targeted SELinux policy
From: Erich Schubert @ 2006-08-16 13:37 UTC (permalink / raw)
To: SELinux List
Hi,
> role system_r upgrade_t;
You're missing the "types" keyword.
The sxid.te file is missing a
role system_r types sxid_t;
btw. Not committed to the Debian policy yet, maybe tonight.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Which is worse: ignorance or apathy? Who knows? Who cares? //\
One only becomes truly familiar with a city once one has friends V_/_
in it. --- Antoine de Saint-Exupéry
* Re: Invalid context in targeted SELinux policy
From: Daniel Musgrave @ 2006-08-16 15:21 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
> role system_r types upgrade_t;
This did it; this isn't the first (and probably won't be the last) time that I've quickly read 'sysadm' and seen 'system'.
>Hmm...application_domain() includes a role statement for sysadm_r by
>default, and also includes a role statement for system_r if
>targeted_policy is defined, i.e. building targeted policy. At least in
>the last release of the example policy. But possibly that wasn't in the
>CentOS/RHEL policies as shipped.
It seems that in the global_macros.te supplied on this machine, the application_domain() only defines the sysadm_r role statement, while a later macro system_domain() defines system_r instead. (And glancing at this second macro, it seems that it may be more appropriate for what I need anyway.)
Thanks very much for your help,
Daniel Musgrave
Abodio Software
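
The diagnosis reached in this thread, as an added example that is not part of any message above: a small checker that pulls the rejected context out of a `security_compute_sid: invalid context` message and looks for a matching `role ... types ...;` statement in policy source. The audit line is the one quoted in the thread; the policy fragments, the function names and `upgrade_helper_t` are constructed for illustration.

```python
import re

# The message quoted in the thread ("audit(...)" is elided on the page as well).
AUDIT_LINE = ("audit(...): security_compute_sid: invalid context root:system_r:upgrade_t "
              "for scontext=root:system_r:unconfined_t "
              "tcontext=system_u:object_r:upgrade_exec_t tclass=process")

# Constructed policy fragments (hypothetical, not the poster's actual .te file).
TE_BEFORE = """
type upgrade_t, domain;
type upgrade_exec_t, file_type, exec_type;
role sysadm_r types upgrade_t;   # only sysadm_r is authorized
"""
TE_AFTER = TE_BEFORE + "role system_r types { upgrade_t upgrade_helper_t };\n"

# user:role:type, with an optional trailing MLS range that is ignored here.
INVALID_RE = re.compile(
    r"security_compute_sid:\s+invalid context\s+"
    r"([^:\s]+):([^:\s]+):([^:\s]+)(?::\S+)?\s+for\s")
# 'role R types T;' or 'role R types { T1 T2 };' -- the 'types' keyword is required.
ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_invalid_context(line):
    """Return (user, role, type) of the rejected context, or None if no match."""
    m = INVALID_RE.search(line)
    return m.groups() if m else None

def role_types(te_source):
    """Map each role to the set of types its 'role ... types ...;' statements allow."""
    stripped = re.sub(r"#.*", "", te_source)  # drop policy comments
    authorized = {}
    for role, types in ROLE_RE.findall(stripped):
        authorized.setdefault(role, set()).update(types.strip("{} ").split())
    return authorized

def diagnose(line, te_source):
    """Return the missing role statement, or None if the pair is already authorized."""
    ctx = parse_invalid_context(line)
    if ctx is None:
        return None
    _user, role, type_ = ctx
    if type_ in role_types(te_source).get(role, set()):
        return None
    return f"role {role} types {type_};"

if __name__ == "__main__":
    print(diagnose(AUDIT_LINE, TE_BEFORE))  # statement to add
    print(diagnose(AUDIT_LINE, TE_AFTER))   # None once system_r is authorized
```

The checker only sees literal `role` statements, so it has to be run on macro-expanded policy source to account for macros such as application_domain() or system_domain().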