From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tycho.ncsc.mil (8.12.8/8.12.8) with ESMTP id j293qoDo021654 for ; Tue, 8 Mar 2005 22:52:50 -0500 (EST)
Received: from wproxy.gmail.com (jazzhorn.ncsc.mil [144.51.5.9]) by jazzhorn.ncsc.mil (8.12.10/8.12.10) with ESMTP id j293jZDv004086 for ; Wed, 9 Mar 2005 03:45:35 GMT
Received: by wproxy.gmail.com with SMTP id 69so84405wra for ; Tue, 08 Mar 2005 19:48:05 -0800 (PST)
Message-ID:
Date: Tue, 8 Mar 2005 22:48:05 -0500
From: Kodungallur Varma
Reply-To: Kodungallur Varma
To: selinux@tycho.nsa.gov
Subject: Re: Question regarding SELinux and IPsec
In-Reply-To: <422DC7CF.1060600@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
References: <422DC7CF.1060600@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Hi all,

I am trying to dynamically change the context of my program by using the setcon() function. I have a simple program that tries to do that, but the setcon() function always returns -1 for the input in the program.

#include <stdio.h>
#include <string.h>
#include <selinux/selinux.h>

int main()
{
    int i;
    char str[100];

    /* the context this process should switch into */
    strcpy(str, "system_u:object_r:libselinux_test_t");
    i = setcon((security_context_t) str);   /* 0 on success, -1 on failure */
    if (i == 0) {
        printf("changed to new context..\n");
    } else if (i == -1) {
        printf("error..setcon() returned -1\n");
    } else {
        printf("unknown result\n");
    }
    return 1;
}

libselinux_test_t is the domain in which I want this program to run. I have the following policy for that:

-----------
daemon_domain(libselinux_test_t)
type libselinux_test_t, domain, privlog;
role user_r types libselinux_test_t;
type libselinux_test_dir_t, file_type, sysadmfile;
type libselinux_test_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(user_t, libselinux_test_exec_t, libselinux_test_t)
allow libselinux_test_t sshd_t:fd use;
------------

As I am in the user_t domain when I execute the program, the program starts in the user_t domain. But as there is that domain_auto_trans() into the libselinux_test_t domain, setcon() into that domain shouldn't fail for the invalid domain reasons. I don't have any avc: denied messages as the setcon fails. My belief is that I am passing bad arguments to setcon(). Could someone please point out where the problem is?

Also, I tried to print out the domain of the current process using getcon(), but I have some problem. Could someone let me know how to print that out, rather than viewing it using ps axZ?

Thanks a lot in advance..

Ram

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
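As an added example (not code from the post above), the C below answers the getcon() question by reading the current context from /proc/self/attr/current, the same file libselinux reads, and parses a context string into its user:role:type[:level] fields so a caller can sanity-check the string before handing it to setcon(). The struct and function names are my own; it needs no libselinux to build.

```c
#include <stdio.h>
#include <string.h>
/* A parsed SELinux context "user:role:type[:level]"; level only under MLS/MCS. */
struct sectx { char user[64], role[64], type[128], level[128]; };

/* Split a context string into its fields. Returns 0, or -1 when fewer than
 * user:role:type are present or a field is empty or oversized. */
int parse_context(const char *ctx, struct sectx *out)
{
    char *dst[3] = { out->user, out->role, out->type };
    size_t cap[3] = { sizeof out->user, sizeof out->role, sizeof out->type };
    const char *p = ctx;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= cap[i]) return -1;
        memcpy(dst[i], p, len);
        dst[i][len] = '\0';
        if (!colon) return i == 2 ? 0 : -1;  /* string ended: fine only after type */
        p = colon + 1;
    }
    snprintf(out->level, sizeof out->level, "%s", p);  /* remainder is the level */
    return 0;
}

/* Pre-check a context before handing it to setcon(): object_r is the role
 * SELinux gives to objects (files, sockets), not to a running process, and
 * even a valid context is refused unless policy grants the current domain
 * "process dyntransition" to the new type. Returns 0, -1 malformed, -2 object_r. */
int check_process_context(const char *ctx)
{
    struct sectx c;
    if (parse_context(ctx, &c) != 0) return -1;
    return strcmp(c.role, "object_r") == 0 ? -2 : 0;
}

/* Read this process's context (what getcon() returns) from /proc/self/attr/current.
 * Returns its length, or -1 if unavailable. Other LSMs (e.g. AppArmor) expose the
 * same file, so on a non-SELinux kernel it need not be an SELinux context. */
int read_current_context(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0'; buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}
```

Printing the result of read_current_context() gives the same string as ps axZ shows for the process; check_process_context() on the context string from the post returns -2 because of its object_r role.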