Denial showing up even when allow rule appied

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Mon May 20 23:41:37 UTC 2013 

We managed to install setools and we see the following as the output of
seinfo

[root at cap-715-pub ~]# seinfo -xtpwrecoveryd_t
Rule loading disabled
   pwrecoveryd_t
      @ttr0191
      @ttr1241
      @ttr2387
      @ttr2703


Thanks,
Anamitra

On 5/20/13 2:51 PM, "Dominick Grift" <dominick.grift at gmail.com> wrote:

>On Mon, 2013-05-20 at 20:44 +0000, Anamitra Dutta Majumdar (anmajumd)
>wrote:
>> Hi Dominick.
>> 
>> 1. We do not have the seinfo utility available in our box so could not
>>run
>> it
>> 
>
>Well then its hard for me to speculate as to which attribute you need to
>assign to your pwrecoveryd_t type
>
>you might start with: domain_type(pwrecoveryd_t)
>
>e.g. make it a domain type
>
>> 2. The AVC denial is
>> type=AVC msg=audit(1369081665.408:8113): avc:  denied  { create } for
>> pid=18379 comm="usermod" name="passwd+"
>> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file
>> 
>> 
>> 3. audit2why shows this
>> type=AVC msg=audit(1369081665.408:8113): avc:  denied  { create } for
>> pid=18379 comm="usermod" name="passwd+"
>> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file
>>         Was caused by:
>>                 Constraint violation.
>>                 Check policy/constraints.
>>                 Typically, you just need to add a type attribute to the
>> domain to satisfy the constraint.
>> 
>
>So this tells you that its a policy constraint issue. A type enforcement
>rule wont help you here. You need to assign the proper type attributes
>to the pwrecoveryd_t type most likely
>
>probably "domain" type attribute
>
>
>> Thanks,
>> Anamitra
>> 
>> 
>> 
>> On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift at gmail.com> wrote:
>> 
>> >On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd)
>> >wrote:
>> >> We are seeing this on a RHEL5 based release of our product.
>> >> 
>> >> The particular rule that is causing the issue is this .
>> >> 
>> >> allow pwrecoveryd_t etc_t:file create;
>> >
>> >Kind of hard to speculate. Can you provide more info like for example:
>> >
>> >1. output of : seinfo -xtpwrecoveryd_t
>> >2. the actual avc denial
>> >3. what does audit2why say if you feed it that avc denial?
>> >
>> >> 
>> >> pwrecoveryd is a custom type and all the necessary policies have been
>> >> loaded.
>> >> However when we specifically add the above allow rule and load the
>> >> policies on the target box.
>> >> We keep on getting this exact same denial. This is the only denial
>>that
>> >> shows up
>> >> 
>> >> Any pointers to the issue would be greatly appreciated.
>> >> 
>> >> Thanks,
>> >> Anamitra
>> >> 
>> >> 
>> >> 
>> >> --
>> >> selinux mailing list
>> >> selinux at lists.fedoraproject.org
>> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >
>> >
>> 
>
>

More information about the selinux mailing list