[refpolicy] runcon cant really run(constraint issue?)

Daniel J Walsh dwalsh at redhat.com
Thu Apr 23 07:39:40 CDT 2009

On 04/22/2009 12:38 PM, Justin Mattock wrote:
> looking into using runcon
> it seems I'm confronted with an
> avc, that just keeps showing up:
> allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
> (even after adding this to the policy).
> What I'm doing is this:
> runcon name:user_r:user_t:s0-s0:c0.c255 firefox
> the initial role I'm in is staff_r(transitioning to user_r for
> firefox to run in)
> Does this seem like the right thing to do,
> or do I need to use newrole -r *
> for something like firefox?
I guess the correct question is what is your security goal.

You are not currently allowed to transition from a staff_u user to a 
user_r role.  In order to make this happen you would need to use semange 
to make sure your SELinux user "name" had both staff_r and user_r, and 
then you would need to add a rule to policy that says staff_r can become 
user_r.  But transitioning to the new role is probably not what you want.

If your goal is to confine firefox. you would be better off using the 
mozilla policy to say when a staff_t type executes mozilla_exec_t it 
runs as staff_mozilla_t.

name:staff_r:staff_t -> system_u:object_r:mozilla_exec_t -> 

Confining mozilla/firefox has  a whole bunch of other problems...

More information about the refpolicy mailing list