making a file context change work for initrc_t and unconfined_t

Maria Iano maria at iano.org
Sat Feb 4 02:41:52 UTC 2012


On Feb 3, 2012, at 4:08 PM, Dominick Grift wrote:

> On Fri, 2012-02-03 at 21:59 +0100, Dominick Grift wrote:
>> On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:
>>
>>> I installed the mylikewise policy. Those two files do have the right
>>> type now. After I remove them they do get created with the right type.
>>>
>>> After installing the new policy there were some additional AVCs. Here
>>> they are:
>>>
>>> type=AVC msg=audit(1328288896.867:124): avc:  denied  { name_connect } for
>>> pid=1803 comm="eventlogd" dest=135
>>> scontext=system_u:system_r:eventlogd_t:s0
>>> tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
>>
>> add this to the mylikewise.te file:
>>
>> corenet_tcp_connect_epmap_port(eventlogd_t)
>>
>>
>> then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp; sudo
>> semodule -i mylikewise.pp
>>
>>> type=AVC msg=audit(1328288705.888:70): avc:  denied  { unlink } for
>>> pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489
>>> scontext=system_u:system_r:eventlogd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
>>>
>>> type=AVC msg=audit(1328288542.603:69): avc:  denied  { write } for
>>> pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489
>>> scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
>>>
>>
>>> type=AVC msg=audit(1328288542.586:68): avc:  denied  { getattr } for
>>> pid=1161 comm="lsassd"
>>> path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429
>>> dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>>>
>>> type=AVC msg=audit(1328288542.585:66): avc:  denied  { read write
>>> open } for  pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"
>>> dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>>>
>>> type=AVC msg=audit(1328288542.586:67): avc:  denied  { unlink } for
>>> pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0
>>> ino=394337 scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>>>
>>> type=AVC msg=audit(1328287031.471:5): avc:  denied  { read } for
>>> pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
>>> ino=395406 scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>>>
>>> type=AVC msg=audit(1328287031.471:5): avc:  denied  { open } for
>>> pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0
>>> ino=395406 scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>>>
>>> type=AVC msg=audit(1328288893.067:123): avc:  denied  { unlink } for
>>> pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0
>>> ino=395406 scontext=system_u:system_r:lsassd_t:s0
>>> tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
>>
>>
>> All of these are somehow wrong. There should be no files or sock files
>> with the generic likewise_var_lib_t. Only some directories.
>>
>> I wonder how these got created and/or labeled this way.
>>
>> None of the confined likewise processes should be allowed to create
>> these with this type.
>>
>> The strange thing is that I also do not see any AVC denials of their
>> actual creation.
>>
>> This leads me to suspect that these are mislabeled leftovers. Could I
>> be right?
>>
>
> It is still a bug though because there are no file contexts specified
> for these files and so we should specify them.
>
> It means we need the actual full paths of the files.
>
> example:
>
> .eventlog
> find /var/lib -inum 392489
> find /var/lib -inum 394337
> find /var/lib -inum 395406
>
> it is important that all files have the proper file context

Those files are
/var/lib/likewise/.eventlog
/var/lib/likewise/krb5cc_lsass.AD.DOMAIN
/var/lib/likewise/db/lsass-adcache.filedb.AD.DOMAIN

What happened was that I ran restorecon on them after they had been  
created but before those AVCs. I added these rules to the fc file:

/var/lib/likewise/\.eventlog                    -s   gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/krb5cc_lsass\..*              --   gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache\.filedb\..*  --   gen_context(system_u:object_r:lsassd_var_lib_t,s0)

and matchpathcon gives the correct type for them now.

I haven't had any new AVC messages since those last changes.
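The diagnosis worked through in this thread (recover the full path behind each denied inode, look up what file_contexts says the type should be, and decide whether the fix is restorecon or a new allow rule) can be automated. The script below is an added example and not code from the thread or from the likewise policy. It emulates matchpathcon over a small .fc fragment: the three entries are the ones Maria posted, while the leading catch-all line is an assumed generic entry standing in for the package's own likewise.fc. The inode-to-path table is the one Maria recovered with find -inum, and the AVC records are constructed from the quoted ones with the domain redacted as AD.DOMAIN; the hex-encoded path= value is how audit reports a value containing a space, here "... (deleted)".

```python
import re

# Constructed .fc fragment modelled on the thread. The three specific entries are the
# ones Maria posted; the first catch-all line is an ASSUMED generic entry standing in for
# the package's own likewise.fc, so an unmatched path falls back to likewise_var_lib_t.
FC_TEXT = r"""
/var/lib/likewise(/.*)?                              gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/\.eventlog                    -s   gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/krb5cc\_lsass\..*             --   gen_context(system_u:object_r:lsassd_var_lib_t, s0)
/var/lib/likewise/db/lsass-adcache\.filedb\..*  --   gen_context(system_u:object_r:lsassd_var_lib_t,s0)
"""

# libselinux file-type flags and the object class audit reports for each in tclass=
FLAG_TO_CLASS = {"--": "file", "-d": "dir", "-s": "sock_file", "-l": "lnk_file",
                 "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}

# inode -> full path, as recovered in the thread with `find /var/lib -inum N`
INODE_PATHS = {
    "392489": "/var/lib/likewise/.eventlog",
    "394337": "/var/lib/likewise/krb5cc_lsass.AD.DOMAIN",
    "395406": "/var/lib/likewise/db/lsass-adcache.filedb.AD.DOMAIN",
}

# Constructed AVC records modelled on the quoted ones (domain redacted as AD.DOMAIN).
# The path= of the second one is hex-encoded, as audit does when a value contains a space.
AVC_SAMPLES = [
    'type=AVC msg=audit(1328288705.888:70): avc:  denied  { unlink } for  pid=1803 comm="eventlogd" '
    'name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:eventlogd_t:s0 '
    'tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1328288542.586:68): avc:  denied  { getattr } for  pid=1161 comm="lsassd" '
    'path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E41442E444F4D41494E202864656C6574656429 '
    'dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 '
    'tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1328287031.471:5): avc:  denied  { read } for  pid=1165 comm="lsassd" '
    'name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 '
    'tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1328288896.867:124): avc:  denied  { name_connect } for  pid=1803 comm="eventlogd" '
    'dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 '
    'tclass=tcp_socket',
]

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[a-z-])\s+)?(.+)$")   # regex [flag] context
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                     # key=value or key="value"


def parse_fc(text):
    """Return [(compiled regex, required tclass or None, type)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        regex, flag, ctx = FC_LINE.match(line).groups()
        if ctx.startswith("gen_context(") and ctx.endswith(")"):
            ctx = ctx[len("gen_context("):-1]              # drop the m4 macro wrapper
        ftype = ctx.split(",")[0].strip().split(":")[2]    # user:role:TYPE[,range]
        entries.append((re.compile(regex), FLAG_TO_CLASS.get(flag), ftype))
    return entries


def expected_type(entries, path, tclass=None):
    """Emulate matchpathcon: libselinux anchors each spec as ^...$ (fullmatch), a
    file-type flag must agree with the object class, and the last match wins."""
    result = None
    for regex, flag_class, ftype in entries:
        if flag_class and tclass and flag_class != tclass:
            continue
        if regex.fullmatch(path):
            result = ftype
    return result


def parse_avc(line):
    """Split an AVC record into key=value fields, unquoting or hex-decoding values."""
    fields = {}
    for key, val in KV.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("name", "path", "comm") and len(val) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")   # audit's hex form
        fields[key] = val
    perms = re.search(r"\{\s*([^}]*?)\s*\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def diagnose(entries, avc):
    """Classify a denial: mislabeled object (fix with restorecon) or a policy gap."""
    f = parse_avc(avc)
    source, actual = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    out = {"source": source, "actual": actual}
    if f["tclass"] not in FLAG_TO_CLASS.values():
        return {**out, "verdict": "not-a-file", "note": "no file context applies; needs an allow rule or interface call"}
    path = f.get("path") or INODE_PATHS.get(f.get("ino"))
    if path is None:
        return {**out, "verdict": "unknown-path", "note": "only name= present; recover the path with find -inum"}
    if path.endswith(" (deleted)"):
        path = path[:-len(" (deleted)")]
    expected = expected_type(entries, path, f["tclass"])
    if expected is None:
        verdict, note = "no-fc-entry", "add a file_contexts entry for this path"
    elif expected != actual:
        verdict, note = "mislabeled", f"file_contexts says {expected}; run restorecon -v {path}"
    else:
        verdict, note = "label-ok", f"label already {actual}; {source} needs an allow rule"
    return {**out, "verdict": verdict, "path": path, "note": note}


if __name__ == "__main__":
    fc = parse_fc(FC_TEXT)
    for record in AVC_SAMPLES:
        d = diagnose(fc, record)
        print(f"{d['verdict']:12} {d['source']:14} {d.get('path', '-')}  {d['note']}")
```

Two details carry the point of the thread: the `-s` entry only applies when the object class is sock_file, so a regular file at that path would still fall back to the generic type, and the three likewise objects come out as mislabeled (the live label is likewise_var_lib_t while file_contexts now says otherwise), which is exactly the case where restorecon rather than a new allow rule is the fix. The epmap denial is on a tcp_socket, so no file context can address it and it needs the corenet interface call from the thread instead. The real matchpathcon also orders specs as fc_sort laid them out, which the catch-all-first ordering here stands in for.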
