Denial showing up even when allow rule applied
Anamitra Dutta Majumdar (anmajumd)
anmajumd at cisco.com
Mon May 20 20:44:55 UTC 2013
Hi Dominick.
1. We do not have the seinfo utility available in our box so could not run it
2. The AVC denial is
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
pid=18379 comm="usermod" name="passwd+"
scontext=specialuser_u:system_r:pwrecoveryd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
3. audit2why shows this
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
pid=18379 comm="usermod" name="passwd+"
scontext=specialuser_u:system_r:pwrecoveryd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the
domain to satisfy the constraint.
Thanks,
Anamitra
On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift at gmail.com> wrote:
>On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd)
>wrote:
>> We are seeing this on a RHEL5 based release of our product.
>>
>> The particular rule that is causing the issue is this.
>>
>> allow pwrecoveryd_t etc_t:file create;
>
>Kind of hard to speculate. Can you provide more info like for example:
>
>1. output of : seinfo -xtpwrecoveryd_t
>2. the actual avc denial
>3. what does audit2why say if you feed it that avc denial?
>
>>
>> pwrecoveryd is a custom type and all the necessary policies have been
>> loaded.
>> However, when we specifically add the above allow rule and load the
>> policies on the target box,
>> we keep on getting this exact same denial. This is the only denial that
>> shows up.
>>
>> Any pointers to the issue would be greatly appreciated.
>>
>> Thanks,
>> Anamitra
>>
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
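An added example, not part of the original message and not from either participant: a small parser for the AVC record quoted above that splits the source and target contexts and lists the fields that differ. SELinux constraints are written over the user, role, type and level of the two contexts, so the differing fields are where to start reading policy/constraints when audit2why reports a constraint violation even though an allow rule exists. The sample record is the denial from this message joined onto one line; the function names are hypothetical.

```python
import re

# The denial quoted in the message, joined onto one line (sample input).
SAMPLE = ('type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for '
          'pid=18379 comm="usermod" name="passwd+" '
          'scontext=specialuser_u:system_r:pwrecoveryd_t:s0 '
          'tcontext=system_u:object_r:etc_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELDS = ('user', 'role', 'type', 'level')


def split_context(ctx):
    """Split user:role:type[:level]; the level part may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    if len(parts) == 3:          # policy without MLS/MCS levels
        parts.append('')
    return dict(zip(FIELDS, parts))


def parse_avc(line):
    """Return permissions, class, command and both contexts of one denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('no AVC denial in line')
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    return {
        'perms': m.group('perms').split(),
        'tclass': kv['tclass'],
        'comm': kv.get('comm', '').strip('"'),
        'source': split_context(kv['scontext']),
        'target': split_context(kv['tcontext']),
    }


def differing_fields(avc):
    """Context fields that differ between source and target.
    Role and type normally differ for a process acting on a file; user and
    level are the fields that identity and MLS/MCS constraints compare."""
    return [f for f in FIELDS if avc['source'][f] != avc['target'][f]]


if __name__ == '__main__':
    avc = parse_avc(SAMPLE)
    print(avc['comm'], avc['perms'], avc['tclass'], differing_fields(avc))
```
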