Description of problem:
Trying to use runcon to debug another SELinux-related issue (https://bugzilla.redhat.com/show_bug.cgi?id=818754#c44).

    # runcon system_u:system_r:openvswitch_t:s0 modprobe openvswitch

SELinux is preventing /usr/bin/bash from using the 'transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed transition access on processes labeled openvswitch_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                /usr/bin/kmod [ process ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-11.fc19.x86_64
Target RPM Packages           kmod-13-2.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-300.fc19.x86_64 #1 SMP Thu Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-07-03 12:35:35 CDT
Last Seen                     2013-07-03 13:14:46 CDT
Local ID                      2ac40fb6-626e-46b9-8f93-0d41ce8b4fba

Raw Audit Messages
type=AVC msg=audit(1372875286.860:218): avc:  denied  { transition } for  pid=5267 comm="runcon" path="/usr/bin/kmod" dev="dm-1" ino=1850541 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openvswitch_t:s0 tclass=process

type=SYSCALL msg=audit(1372875286.860:218): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff4ddfb54e a1=7fff4ddfb768 a2=7fff4ddfb780 a3=3a745f6863746977 items=0 ppid=3141 pid=5267 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts1 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: sh,unconfined_t,openvswitch_t,process,transition

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.8-300.fc19.x86_64
type:           libreport
Not that simple. You can either add a

Transitioning from one domain to another involves multiple access rules.

    allow unconfined_t openvswitch_t:process transition;

But if you were executing

    runcon -r system_r -t openvswitch_t /bin/kmod

you would also need

    allow openvswitch_t insmod_exec_t:file entrypoint;

But that is not necessarily what you want, since you might want to see if openvswitch_t can transition to insmod_t when executing kmod. Something like:

    runcon -r system_r -t openvswitch_t /bin/sh -c /bin/kmod

which would require

    allow openvswitch_t bin_t:file entrypoint;
Basically you can do it using these steps:

Check if there is no transition:

    # sesearch -A -s openvswitch_t -t insmod_t -c process

=> no output => you can run, for example:

    # runcon -u system_u -r system_r -t initrc_t -- runcon -t openvswitch_t -- kmod

But it ends up with

    allow openvswitch_t insmod_exec_t:file entrypoint;

So you need to change the labeling for kmod, and then you can run "runcon":

    # chcon -t openvswitch_exec_t /bin/kmod
    # runcon -u system_u -r system_r -t initrc_t -- runcon -t openvswitch_t -- kmod

which will run kmod in the openvswitch_t domain.

After testing, MAKE SURE you run

    # restorecon -v /bin/kmod
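The two comments above come down to one rule of thumb: a denied process transition needs both the transition rule and an entrypoint rule on the executable's file type, and the AVC record alone does not tell you that file type. As an added example (not part of this bug report or of the SELinux tools), the following Python parses the raw AVC record quoted in the description and prints both rules; the path-to-file-type mapping it takes is an assumption supplied by the caller (here the insmod_exec_t label for kmod that the comment mentions), because the audit record does not carry it.

```python
import re

# Constructed sample: the AVC record quoted in the bug report (fields this script reads).
SAMPLE_AVC = (
    'type=AVC msg=audit(1372875286.860:218): avc:  denied  { transition } for '
    'pid=5267 comm="runcon" path="/usr/bin/kmod" dev="dm-1" ino=1850541 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=process'
)

# Permission set, source/target contexts and object class of one AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'path="(?P<path>[^"]+)"')

def type_of(context):
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Dict for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = m.groupdict()
    avc['perms'] = avc['perms'].split()
    p = PATH_RE.search(line)
    avc['path'] = p.group('path') if p else None
    return avc

def allow_rules(avc, exec_types):
    """Rules the denial implies: the one audit2allow would emit, plus, for a
    'process transition' denial, the entrypoint rule on the executable's file
    type.  That file type is not in the AVC record, so exec_types (assumed,
    e.g. taken from 'ls -Z') maps path -> type; a placeholder marks unknowns."""
    src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    rules = ['allow %s %s:%s %s;' % (src, tgt, avc['tclass'], perm_str)]
    if avc['tclass'] == 'process' and 'transition' in perms:
        exec_t = exec_types.get(avc['path'], '<FILE_TYPE_OF_%s>' % avc['path'])
        rules.append('allow %s %s:file entrypoint;' % (tgt, exec_t))
    return rules

if __name__ == '__main__':
    # Constructed mapping taken from the comment above: kmod carries insmod_exec_t.
    for rule in allow_rules(parse_avc(SAMPLE_AVC), {'/usr/bin/kmod': 'insmod_exec_t'}):
        print(rule)
```

Run against the sample it prints the transition rule and the insmod_exec_t entrypoint rule, which is exactly the pair the first comment says a plain audit2allow module would leave you short of.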