Denial showing up even when allow rule appied
Daniel J Walsh
dwalsh at redhat.com
Thu May 23 12:41:00 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/22/2013 03:35 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan ,
>
> Here is the related AVC denial
>
> type=AVC msg=audit(1369177581.853:57912): avc: denied { create } for
> pid=18778 comm="usermod" name="passwd+"
> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL
> msg=audit(1369177581.853:57912): arch=40000003 syscall=5 success=yes exit=5
> a0=bff19038 a1=8241 a2=1b6 a3=9df3670 items=2 ppid=18765 pid=18778 auid=503
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1624
> comm="usermod" exe="/usr/sbin/usermod"
> subj=specialuser_u:system_r:pwrecoveryd_t:s0 key=(null) type=CWD
> msg=audit(1369177581.853:57912): cwd="/home/pwrecovery" type=PATH
> msg=audit(1369177581.853:57912): item=0 name="/etc/" inode=3103841
> dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:etc_t:s0type=PATH msg=audit(1369177581.853:57912):
> item=1 name="/etc/passwd+" inode=3105686 dev=08:01 mode=0100000 ouid=0
> ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
>
>
> And we are not using kerberos for any authentication on our system.
>
Ok usermod and useradd do the setfilecon calls. One thing you might want to
do is transition to useradd_t.
usermanage_domtrans_useradd(pwrecoverd_t)
User add currently has these two exceptions.
domain_obj_id_change_exemption(useradd_t)
domain_system_change_exemption(useradd_t)
It looks like you might need both if you want pwrecoveryd_t to do this.
> Thanks, Anamitra
>
> On 5/22/13 10:04 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>
> On 05/21/2013 02:04 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Dan,
>>>>
>>>> We added the domain_obj_id_change_exemption(pwrecoveryd_t) to our
>>>> src module but no luck.
>>>>
>>>> And also our app does not do a setfscreatecon() call however from
>>>> the syslogs we found Calls to setfscreate() by our app.
>>>>
>>>> Is there a way to look at the constraints on a RHEL5 box using
>>>> seinfo.
>>>>
>>>> As indicated earlier in the email thread , the seinfo command on
>>>> RHEL5 does not have the "--constrain" option.
>>>>
>>>>
>>>> Thanks, Anamitra
>>>>
>
> Could you attach your current AVC messages? Are you using kerberos
> libraries?
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGeDlwACgkQrlYvE4MpobPXhACg2bzeslGGHgkaFDG1YyMaLI8q
u24An0uUlshoGjna+TmnR6m6iUSEb/Wg
=ak6P
-----END PGP SIGNATURE-----
More information about the selinux
mailing list