Denial showing up even when allow rule applied

Daniel J Walsh dwalsh at redhat.com
Thu May 23 12:41:00 UTC 2013



On 05/22/2013 03:35 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
> 
> Here is the related AVC denial
> 
> type=AVC msg=audit(1369177581.853:57912): avc:  denied  { create } for pid=18778 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1369177581.853:57912): arch=40000003 syscall=5 success=yes exit=5 a0=bff19038 a1=8241 a2=1b6 a3=9df3670 items=2 ppid=18765 pid=18778 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1624 comm="usermod" exe="/usr/sbin/usermod" subj=specialuser_u:system_r:pwrecoveryd_t:s0 key=(null)
> type=CWD msg=audit(1369177581.853:57912):  cwd="/home/pwrecovery"
> type=PATH msg=audit(1369177581.853:57912): item=0 name="/etc/" inode=3103841 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
> type=PATH msg=audit(1369177581.853:57912): item=1 name="/etc/passwd+" inode=3105686 dev=08:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
> 
> 
> And we are not using kerberos for any authentication on our system.
> 
Ok usermod and useradd do the setfilecon calls.  One thing you might want to
do is transition to useradd_t.

usermanage_domtrans_useradd(pwrecoveryd_t)

useradd currently has these two exceptions.

domain_obj_id_change_exemption(useradd_t)
domain_system_change_exemption(useradd_t)

It looks like you might need both if you want pwrecoveryd_t to do this.

> Thanks, Anamitra
> 
> On 5/22/13 10:04 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> 
> On 05/21/2013 02:04 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Dan,
>>>> 
>>>> We added the domain_obj_id_change_exemption(pwrecoveryd_t) to our
>>>> src module but no luck.
>>>> 
>>>> And also our app does not do a setfscreatecon() call; however, from
>>>> the syslogs we found calls to setfscreate() by our app.
>>>> 
>>>> Is there a way to look at the constraints on a RHEL5 box using
>>>> seinfo?
>>>> 
>>>> As indicated earlier in the email thread, the seinfo command on
>>>> RHEL5 does not have the "--constrain" option.
>>>> 
>>>> 
>>>> Thanks, Anamitra
>>>> 
> 
> Could you attach your current AVC messages? Are you using kerberos 
> libraries?
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
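As an added example (not code from the thread or from the SELinux project), a small Python triage helper that parses the audit event Anamitra posted into its records and pulls out the denied access vector, the allow rule a plain type-enforcement denial would need, and whether the syscall still succeeded (a denied AVC with success=yes means the access was not actually blocked, i.e. permissive mode). The sesearch invocation it builds assumes the setools command-line tools are installed.

```python
import re

# Constructed sample: the audit event quoted in the thread, re-split into one
# record per line (AVC, SYSCALL, PATH) the way auditd writes them.
AUDIT_EVENT = """\
type=AVC msg=audit(1369177581.853:57912): avc:  denied  { create } for pid=18778 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1369177581.853:57912): arch=40000003 syscall=5 success=yes exit=5 a0=bff19038 a1=8241 a2=1b6 a3=9df3670 items=2 ppid=18765 pid=18778 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1624 comm="usermod" exe="/usr/sbin/usermod" subj=specialuser_u:system_r:pwrecoveryd_t:s0 key=(null)
type=PATH msg=audit(1369177581.853:57912): item=1 name="/etc/passwd+" inode=3105686 dev=08:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

# key=value tokens: a quoted string, the literal (null), or a bare word
KV_RE = re.compile(r'(\w+)=("[^"]*"|\(null\)|\S+)')
# the permission set of an AVC record, e.g. "{ create }" or "{ read write }"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_records(event):
    """Map each record (AVC, SYSCALL, PATH:<item>) to its key=value fields."""
    records = {}
    for line in event.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        key = fields.pop("type")
        if "item" in fields:          # PATH records: one per path item
            key = f"{key}:{fields['item']}"
        m = PERMS_RE.search(line)
        if m:
            fields["perms"] = m.group(1)
        records[key] = fields
    return records


def triage_avc(event):
    """Reduce the event to the denied access vector, the allow rule that
    would satisfy a plain TE denial (the thread says such a rule did not
    help, pointing at a constraint instead), and whether the syscall still
    succeeded despite the denial."""
    rec = parse_records(event)
    avc, sc = rec["AVC"], rec.get("SYSCALL", {})
    stype = avc["scontext"].split(":")[2]     # user:role:TYPE:level
    ttype = avc["tcontext"].split(":")[2]
    perms = avc["perms"].split()
    return {
        "source": stype, "target": ttype, "tclass": avc["tclass"],
        "perms": perms, "comm": avc["comm"], "name": avc.get("name"),
        "allow_rule": f"allow {stype} {ttype}:{avc['tclass']} {{ {' '.join(perms)} }};",
        "sesearch": f"sesearch -A -s {stype} -t {ttype} -c {avc['tclass']} -p {','.join(perms)}",
        "syscall_succeeded": sc.get("success") == "yes",
    }
```

If sesearch already lists the allow rule the helper prints and the denial persists, the block is coming from a constraint (the obj_id_change / system_change cases the exemption interfaces cover), which is what Dan's two suggestions address.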

