On Mon, 2013-05-20 at 20:44 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> Hi Dominick.
>
> 1. We do not have the seinfo utility available in our box so could not run
> it

Well then it's hard for me to speculate as to which attribute you need to
assign to your pwrecoveryd_t type

you might start with: domain_type(pwrecoveryd_t)

e.g. make it a domain type

> 2. The AVC denial is
>
> type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
> pid=18379 comm="usermod" name="passwd+"
> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
> 3. audit2why shows this
>
> type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
> pid=18379 comm="usermod" name="passwd+"
> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> Was caused by:
> Constraint violation.
> Check policy/constraints.
> Typically, you just need to add a type attribute to the
> domain to satisfy the constraint.

So this tells you that it's a policy constraint issue. A type enforcement
rule won't help you here. You need to assign the proper type attributes
to the pwrecoveryd_t type most likely

probably "domain" type attribute

> Thanks,
> Anamitra
>
> On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift(a)gmail.com> wrote:
>
>>On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd)
>>wrote:
>>> We are seeing this on a RHEL5 based release of our product.
>>>
>>> The particular rule that is causing the issue is this.
>>>
>>> allow pwrecoveryd_t etc_t:file create;
>>
>>Kind of hard to speculate. Can you provide more info like for example:
>>
>>1. output of : seinfo -xtpwrecoveryd_t
>>2. the actual avc denial
>>3. what does audit2why say if you feed it that avc denial?
>>
>>>
>>> pwrecoveryd is a custom type and all the necessary policies have been
>>> loaded.
>>> However when we specifically add the above allow rule and load the
>>> policies on the target box.
>>> We keep on getting this exact same denial. This is the only denial that
>>> shows up
>>>
>>> Any pointers to the issue would be greatly appreciated.
>>>
>>> Thanks,
>>> Anamitra
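Added example, not part of the thread and not code from either poster: a small triage helper for the kind of denial quoted above. It parses the AVC record and lists which non-type fields of the source and target contexts differ, since those are what a `constrain` statement in policy/constraints can compare (u1/u2, r1/r2) and an `allow` rule cannot. The function names are hypothetical and the sample is the thread's record joined onto one line.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for '
    'pid=18379 comm="usermod" name="passwd+" '
    'scontext=specialuser_u:system_r:pwrecoveryd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)
FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type[:level]; a level may itself contain ':' (s0:c0.c5)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    parts += [None] * (4 - len(parts))
    return dict(zip(FIELDS, parts))


def parse_avc(line):
    """Return perms, class and both contexts of a denial, or None if no match."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        "source": split_context(m.group("scontext")),
        "target": split_context(m.group("tcontext")),
    }


def constraint_inputs(denial):
    """Non-type fields that differ between source and target context.

    An allow rule only relates the two types; constrain/mlsconstrain
    statements can also compare users, roles and levels."""
    return [f for f in ("user", "role", "level")
            if denial["source"][f] != denial["target"][f]]


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print("types:", d["source"]["type"], "->", d["target"]["type"])
    print("fields a constraint may be comparing:", constraint_inputs(d))
```

For the record in this thread the differing fields are the user and the role, so those are the expressions to look for in the constraints covering `create` on class `file`.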