From mboxrd@z Thu Jan 1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 19 Dec 2013 11:10:21 -0500
Subject: [refpolicy] unexpected AVC. how to dig deeper?
In-Reply-To: <20131219160216.714215db@ossman.lkpg.cendio.se>
References: <20131219160216.714215db@ossman.lkpg.cendio.se>
Message-ID: <52B31A6D.1020506@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/19/2013 10:02 AM, Pierre Ossman wrote:
> Hi,
>
> I'm having problems with this AVC on RHEL6:
>
> type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for
> pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0
> ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> I'm at a loss as to why though, as I have this in my policy:
>
> userdom_spec_domtrans_all_users(thinlinc_session_t)
>
> I even checked that the temporary file got an appropriate allow rule:
>
> allow thinlinc_session_t userdomain:process transition;
>
> I need some help in debugging this further. What could prevent this allow
> line from being respected?
>
> Rgds

Looks like constraint violations.

You have an unconfined_u:system_r:thinlinc_session_t:s0 transitioning to an
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Which looks like you need to allow the domains to change role from system_r
to unconfined_r and to change range from s0 to s0-s0:c0.c1023

If you ran your avc through audit2why it should tell you that you have a
constraint problem.

Perhaps adding these will solve your problem.

domain_role_change_exemption(thinlinc_session_t)
mls_process_set_level(thinlinc_session_t)
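A triage aid for the kind of denial discussed in this thread, added here as an example and not part of either poster's message: it parses an AVC record and reports which non-type fields of the security context change between source and target, since those are the changes the reply attributes to constraints rather than to the allow rule. The function names are hypothetical and the sample record is the one quoted above; it does not replace audit2why.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for '
    'pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0 '
    'ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process'
)

def norm_range(rng):
    """Write a range as low-high so that 's0' and 's0-s0' compare equal."""
    low, _, high = rng.partition("-")
    return f"{low}-{high or low}" if rng else ""

def parse_context(ctx):
    """Split user:role:type[:range]; the range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_ = parts[:3]
    rng = norm_range(parts[3]) if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": type_, "range": rng}

def parse_avc(line):
    """Extract permissions, class and both contexts from one AVC denial."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    kv = dict(re.findall(r"\b(scontext|tcontext|tclass)=(\S+)", line))
    if not perms or len(kv) != 3:
        raise ValueError("not an AVC denial with scontext/tcontext/tclass")
    return {"perms": perms.group(1).split(), "tclass": kv["tclass"],
            "source": parse_context(kv["scontext"]),
            "target": parse_context(kv["tcontext"])}

def changed_fields(avc):
    """User, role or range changes; a type-to-type allow rule covers none of them."""
    src, tgt = avc["source"], avc["target"]
    return {f: (src[f], tgt[f]) for f in ("user", "role", "range") if src[f] != tgt[f]}

if __name__ == "__main__":
    for field, (old, new) in changed_fields(parse_avc(SAMPLE_AVC)).items():
        print(f"{field}: {old} -> {new}")
```

For the record in this thread it reports a role change and a range change, the same two differences the reply points at.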