I am attempting to use the fsetfilecon() call within a C program. Several other libselinux calls are working OK, but this call fails in enforcing mode (it works in permissive mode).
The audit.log and audit2allow are suggesting policy code that I already have in the policy.
I suspect that I'm being bitten by a "don't audit" rule somewhere.
Is there a reference policy macro that I can include to get fsetfilecon() to work?
Note: I already included
selinux_get_enforce_mode( t_selinux_api_t );
to get the security_getenforce() function to work.
Thanks,
Brian
On 04/08/2009 09:11 PM, Brian Ginn wrote:
> I am attempting to use the fsetfilecon() call within a C program. Several other libselinux calls are working OK, but this call fails in enforcing mode (it works in permissive mode).
> The audit.log and audit2allow are suggesting policy code that I already have in the policy.
> I suspect that I'm being bitten by a "don't audit" rule somewhere.
> Is there a reference policy macro that I can include to get fsetfilecon() to work?
> Note: I already included
> selinux_get_enforce_mode( t_selinux_api_t );
> to get the security_getenforce() function to work.
> Thanks,
> Brian
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You are most likely hitting a constraint.
If you run your avc messages through audit2why, you will probably see it is a constraint.
If you are changing the user component of a file you need to use domain_obj_id_change_exemption()
########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing the user identity in object contexts.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
## <rolecap/>
#
interface(`domain_obj_id_change_exemption',`
	gen_require(`
		attribute can_change_object_identity;
	')

	typeattribute $1 can_change_object_identity;
')
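The following C program is an added example, not code from Brian or from the reply above. It shows the least-privilege way around the constraint Dan describes: when a program relabels a file with fsetfilecon(), it keeps the user, role and range of the existing context and replaces only the type, so it never touches the user identity and never needs domain_obj_id_change_exemption(). The helper names (parse_context, retype_context, change_needs_id_exemption, relabel_fd_type), the WITH_LIBSELINUX build flag and the sample contexts are all assumptions made for this example; the real fgetfilecon()/fsetfilecon()/security_getenforce() calls are only compiled when the program is built with `cc -DWITH_LIBSELINUX relabel.c -lselinux`.

```c
/*
 * Added example (not from the mailing-list thread). Relabel an open file
 * with fsetfilecon() while changing only the type component of its
 * SELinux context. Changing the *user* component of an object context is
 * what trips the policy constraint discussed in the reply; changing the
 * type alone does not need domain_obj_id_change_exemption().
 *
 * The string helpers are plain C so they can be exercised anywhere; the
 * libselinux calls are compiled only with -DWITH_LIBSELINUX (assumption).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#ifdef WITH_LIBSELINUX
#include <selinux/selinux.h>
#endif

/* A context "user:role:type[:range]" split into its parts. */
struct secctx { char user[64]; char role[64]; char type[128]; char range[128]; };

/* Parse a context string. Returns 0 on success, -1 if malformed. */
static int parse_context(const char *ctx, struct secctx *out)
{
    memset(out, 0, sizeof *out);
    const char *p = ctx;
    char *dst[3] = { out->user, out->role, out->type };
    size_t cap[3] = { sizeof out->user, sizeof out->role, sizeof out->type };
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= cap[i]) return -1;
        memcpy(dst[i], p, len);
        dst[i][len] = '\0';
        if (!colon) {
            if (i < 2) return -1;   /* fewer than user:role:type */
            return 0;               /* no range: fine on non-MLS policy */
        }
        p = colon + 1;
    }
    /* Whatever remains is the MLS/MCS range; it may itself contain ':' (s0:c0.c15). */
    if (strlen(p) >= sizeof out->range) return -1;
    strcpy(out->range, p);
    return 0;
}

/* 1 if the relabel changes the SELinux user (and so hits the constraint),
 * 0 if not, -1 if either context is malformed. */
static int change_needs_id_exemption(const char *old_ctx, const char *new_ctx)
{
    struct secctx a, b;
    if (parse_context(old_ctx, &a) || parse_context(new_ctx, &b)) return -1;
    return strcmp(a.user, b.user) != 0;
}

/* Build a context from old_ctx with only the type replaced by new_type. */
static int retype_context(const char *old_ctx, const char *new_type,
                          char *out, size_t outsz)
{
    struct secctx c;
    if (parse_context(old_ctx, &c)) return -1;
    int n = c.range[0]
        ? snprintf(out, outsz, "%s:%s:%s:%s", c.user, c.role, new_type, c.range)
        : snprintf(out, outsz, "%s:%s:%s", c.user, c.role, new_type);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

#ifdef WITH_LIBSELINUX
/* Relabel fd to new_type, keeping user/role/range. Returns 0 on success. */
static int relabel_fd_type(int fd, const char *new_type)
{
    char *old = NULL;
    if (fgetfilecon(fd, &old) < 0) { perror("fgetfilecon"); return -1; }
    char fresh[512];
    int rc = retype_context(old, new_type, fresh, sizeof fresh);
    freecon(old);
    if (rc) { fputs("malformed context\n", stderr); return -1; }
    if (fsetfilecon(fd, fresh) < 0) {
        int e = errno;
        fprintf(stderr, "fsetfilecon(%s): %s (enforcing=%d)\n",
                fresh, strerror(e), security_getenforce());
        if (e == EACCES)   /* rules present but still denied: check for a constraint */
            fputs("run the AVC denial through audit2why\n", stderr);
        return -1;
    }
    return 0;
}
#endif

int main(int argc, char **argv)
{
    /* Constructed sample contexts, not taken from any real system. */
    const char *cur = "system_u:object_r:var_log_t:s0";
    char fresh[512];
    if (retype_context(cur, "httpd_log_t", fresh, sizeof fresh) == 0)
        printf("%s -> %s  needs exemption: %d\n", cur, fresh,
               change_needs_id_exemption(cur, fresh));
    printf("%s -> unconfined_u:object_r:var_log_t:s0  needs exemption: %d\n", cur,
           change_needs_id_exemption(cur, "unconfined_u:object_r:var_log_t:s0"));
#ifdef WITH_LIBSELINUX
    if (argc == 3) {                      /* usage: relabel FILE NEW_TYPE */
        int fd = open(argv[1], O_RDONLY);
        if (fd < 0) { perror("open"); return 1; }
        int rc = relabel_fd_type(fd, argv[2]);
        close(fd);
        return rc ? 1 : 0;
    }
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

The point of rebuilding the context from fgetfilecon() rather than passing a literal string is that the program's label change stays within what an ordinary `relabelfrom`/`relabelto` rule allows; if the denial persists even though audit2allow says the rules are present, the EACCES branch points at audit2why, which is what exposes a constraint rather than a missing allow rule.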