making a file context change work for initrc_t and unconfined_t

Christina Plummer cplummer at gmail.com
Tue Feb 7 22:39:26 UTC 2012


> mylikewise.fc:
> 
> /var/lib/likewise/db/lwi\_events\.db --
> gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> 
> /var/lib/likewise/\.lwsmd-lock --
> gen_context(system_u:object_r:lwsmd_var_lib_t,s0)

Hi there,

[I tried to post this via gmane about 30 minutes ago but it never showed up - I 
did take some time composing the first time, so I am trying again.]

I am new on this list (and pretty new to SELinux), but was just trying to get 
Likewise Open 6.1 and SELinux to play well together on RHEL 6.1 and found this 
excellent thread.  Most of the denials I had noticed were on 
the /var/lib/likewise/.lsassd socket.

To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds 
contains the following (based on what I found in the likewise.fc from git as 
well as Dominick's notes above -- replacing /usr/sbin 
with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):

fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond

I added some wildcards in there because some of the files get created with the 
Active Directory domain name appended to them, namely:

/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET
/var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET

After running "restorecon -R -F -v" on all those directories and rebooting, I 
just got these denials:

type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { open } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { read } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc:  denied  { lock } for  pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc:  denied  { unlink } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

There were also a bunch of getattr denials on stuff in /proc.
Those files in /tmp are owned by me, apparently created when I logged in.  They 
might have been left over from before.  
Otherwise, everything looks good so far.

I haven't tried building the additional "mylikewise" policy yet, but I can do 
that next.  I can also start over on a fresh box if that would be helpful.

Thanks,
Christina
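As an added example (not part of Christina's message, the Likewise policy module, or the reference policy), the Python script below models the two things the post works through: which type a path receives under a list of `semanage fcontext` specs, and what the AVC records above amount to once grouped by source type, target type and object class. The spec list and the audit lines are constructed from the post; the regex dots are escaped the way the quoted .fc file does it, because a file context spec is a regex and an unescaped `.` matches any character. Specs are matched against the whole path and the last matching entry wins, which is how setfiles and restorecon apply them and why the broad `likewise_var_lib_t` rule can sit first with the specific socket and database rules after it. The `allow` line the script produces is the one audit2allow would propose from these records; it is the starting point for a policy review, not a fix, and the script also shows that `/tmp/krb5cc_1040237070` matches no spec at all, so its `initrc_tmp_t` label came from the process that created it rather than from any file context rule.

```python
"""Added example: fcontext spec matching and AVC denial summarisation.

Constructed from the mailing list post; not code from Likewise or refpolicy.
"""
import re
from collections import defaultdict

# Constructed subset of the post's "semanage fcontext -a -t TYPE SPEC" rules.
# Dots are escaped as in the quoted .fc file; an unescaped "." is a wildcard.
FCONTEXT_SPECS = [
    (r"/var/lib/likewise(/.*)?", "likewise_var_lib_t"),
    (r"/var/lib/likewise/\.lsassd", "lsassd_var_socket_t"),
    (r"/var/lib/likewise/krb5cc_lsass(.*)?", "lsassd_var_lib_t"),
    (r"/var/lib/likewise/db/lsass-adcache\.filedb\.(.*)?", "lsassd_var_lib_t"),
    (r"/var/lib/likewise/db/lwi_events\.db", "eventlogd_var_lib_t"),
    (r"/etc/likewise(/.*)?", "likewise_etc_t"),
]


def label_for(path, specs=FCONTEXT_SPECS):
    """Return the type the last matching spec assigns, or None if none matches.

    Specs are anchored (the whole path must match) and later entries take
    precedence, mirroring how setfiles/restorecon resolve file_contexts.
    """
    winner = None
    for regex, setype in specs:
        if re.fullmatch(regex, path):
            winner = setype
    return winner


# Constructed copies of the four AVC records from the post, one per line.
SAMPLE_AVC = [
    "type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { open } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { read } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc:  denied  { lock } for  pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc:  denied  { unlink } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one ausearch-style AVC line into a dict; None if it is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": set(m.group("perms").split())}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key] |= rec["perms"]
    return {key: sorted(perms) for key, perms in groups.items()}


def audit2allow_style(summary):
    """Render each group as the allow rule audit2allow would propose (for review)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for p in ("/var/lib/likewise/.lsassd",
              "/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET",
              "/var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET",
              "/tmp/krb5cc_1040237070"):
        print(f"{p:60} -> {label_for(p)}")
    summary = summarize_denials(SAMPLE_AVC)
    for rule in audit2allow_style(summary):
        print(rule)
```

Running it prints the type each path would receive (the two domain-suffixed files land on `lsassd_var_lib_t`, the `/tmp` credential cache on `None`) and a single `allow lsassd_t initrc_tmp_t:file { lock open read unlink };` line. Whether `lsassd_t` should be allowed to reach `initrc_tmp_t` files at all, or whether the credential cache should instead be labelled and created somewhere the lsassd domain already owns, is the question the summary is meant to put in front of the reviewer.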