From: Kodungallur Varma <ramgwu@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: problems using setcon()
Date: Fri, 11 Mar 2005 21:35:48 -0500
Message-ID: <fa8ec5d805031118353197f745@mail.gmail.com>
In-Reply-To: <20050309084655.GC5236@thorium.jmh.mhn.de>
All,
I came to know that I can't simply cast a string into a security
identifier as shown below. Instead I found out that I have to use
security_compute_create(). I found a relevant conversation in the
mailing list:
----------------------------
On Tue, 2005-02-15 at 17:53, Luke Kenneth Casson Leighton wrote:
> on the setcon(), because i happened to be in sshd_privsep_t, and because
> i happened to be setting the context to user_t, and because it was
> sshd_exec_t doing the setting, i expect an "automatic" transition
> to occur to sshd_privsep_user_t.
That makes no sense. If you want to compute a derived context to pass
to the setcon() call, you can use security_compute_create() to get one
from policy, e.g. see the corresponding logic in rpm_execcon(3) in
libselinux.
---------------------------
I have absolutely no idea how security_compute_create() works or
how to use it. All I need to do is to dynamically change context into a
domain for which the type enforcement policy file has been written.
The man page for security_compute_create() has very little
information on how and where to use it. Is there an example of how we
can use it? Also, is rpm_execcon(3) relevant in this context?
Any help on this would be great. Thank you in advance.
Ram
On Wed, 9 Mar 2005 09:46:56 +0100, Thomas Bleher
<bleher@informatik.uni-muenchen.de> wrote:
> * Kodungallur Varma <ramgwu@gmail.com> [2005-03-09 05:33]:
> > Hi all,
> >
> > I am trying to dynamically change the context of my program by
> > using the setcon() function. I have a simple program that tries to do
> > that but the setcon() function always returns -1 for the input in the
> > program.
> >
> > #include <stdio.h>
> > #include <selinux/selinux.h>
> >
> > int main()
> > {
> >     int i;
> >     char str[100];
> >     strcpy(str,"system_u:object_r:libselinux_test_t");
>                     ^^^^^^^^^^^^^^^^^
> Your problem is here. object_r cannot be used for any domains. Further,
> you can't change users (from user_u to system_u) unless you are
> specifically authorized.
> If you use "user_u:user_r:libselinux_test_t" you should be able to get
> it to work (you'll need some additional permissions as dyntransition is
> not covered by domain_auto_trans()).
>
> HTH,
> Thomas
>
> --
> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
> GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
>
>
>
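The two problems pointed out in the quoted reply (the object_r role and the change of user), as an added example that is not part of the original thread: a standalone C pre-flight check on a setcon() target context string. It does not call libselinux, the current context and all function names are constructed for illustration, and the loaded policy still makes the final decision.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libselinux code: string-level checks only. */
enum { CTX_OK = 0, CTX_MALFORMED = 1, CTX_OBJECT_ROLE = 2, CTX_USER_CHANGE = 4 };
struct ctx { char user[64], role[64], type[64], range[128]; };

/* Split "user:role:type[:range]". The optional MLS range may itself
 * contain ':', so only the first three colons are separators.
 * Returns 0 on success, -1 on a malformed or oversized context. */
static int ctx_parse(const char *s, struct ctx *c)
{
    const char *p1 = strchr(s, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    if (!p2)
        return -1;
    const char *p3 = strchr(p2 + 1, ':');
    size_t ulen = (size_t)(p1 - s), rlen = (size_t)(p2 - p1 - 1);
    size_t tlen = p3 ? (size_t)(p3 - p2 - 1) : strlen(p2 + 1);
    size_t glen = p3 ? strlen(p3 + 1) : 0;
    if (!ulen || !rlen || !tlen || ulen >= sizeof c->user ||
        rlen >= sizeof c->role || tlen >= sizeof c->type ||
        glen >= sizeof c->range)
        return -1;
    memcpy(c->user, s, ulen);                 c->user[ulen] = '\0';
    memcpy(c->role, p1 + 1, rlen);            c->role[rlen] = '\0';
    memcpy(c->type, p2 + 1, tlen);            c->type[tlen] = '\0';
    memcpy(c->range, p3 ? p3 + 1 : "", glen); c->range[glen] = '\0';
    return 0;
}

/* Bitmask of the problems named in the reply for moving a process
 * from context `cur` to context `target`. */
int setcon_precheck(const char *cur, const char *target)
{
    struct ctx c, t;
    int flags = CTX_OK;
    if (ctx_parse(cur, &c) || ctx_parse(target, &t))
        return CTX_MALFORMED;
    if (strcmp(t.role, "object_r") == 0)
        flags |= CTX_OBJECT_ROLE;  /* object_r labels objects, not domains */
    if (strcmp(c.user, t.user) != 0)
        flags |= CTX_USER_CHANGE;  /* needs specific authorization */
    return flags;
}

int main(void)
{   /* Constructed current context; both targets are quoted in the thread. */
    const char *cur = "user_u:user_r:user_t";
    printf("%d\n", setcon_precheck(cur, "system_u:object_r:libselinux_test_t"));
    printf("%d\n", setcon_precheck(cur, "user_u:user_r:libselinux_test_t"));
    return 0;
}
```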