Re: Denial showing up even when allow rule appied
We managed to install setools and we see the following as the output of
seinfo
[root@cap-715-pub ~]# seinfo -xtpwrecoveryd_t
Rule loading disabled
pwrecoveryd_t
@ttr0191
@ttr1241
@ttr2387
@ttr2703
Thanks,
Anamitra
On 5/20/13 2:51 PM, "Dominick Grift" <dominick.grift(a)gmail.com> wrote:
On Mon, 2013-05-20 at 20:44 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> Hi Dominick.
>
> 1. We do not have the seinfo utility available in our box so could not
>run
> it
>
Well then its hard for me to speculate as to which attribute you need to
assign to your pwrecoveryd_t type
you might start with: domain_type(pwrecoveryd_t)
e.g. make it a domain type
> 2. The AVC denial is
> type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
> pid=18379 comm="usermod" name="passwd+"
> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
>
> 3. audit2why shows this
> type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
> pid=18379 comm="usermod" name="passwd+"
> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> Was caused by:
> Constraint violation.
> Check policy/constraints.
> Typically, you just need to add a type attribute to the
> domain to satisfy the constraint.
>
So this tells you that its a policy constraint issue. A type enforcement
rule wont help you here. You need to assign the proper type attributes
to the pwrecoveryd_t type most likely
probably "domain" type attribute
> Thanks,
> Anamitra
>
>
>
> On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift(a)gmail.com>
wrote:
>
> >On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd)
> >wrote:
> >> We are seeing this on a RHEL5 based release of our product.
> >>
> >> The particular rule that is causing the issue is this .
> >>
> >> allow pwrecoveryd_t etc_t:file create;
> >
> >Kind of hard to speculate. Can you provide more info like for example:
> >
> >1. output of : seinfo -xtpwrecoveryd_t
> >2. the actual avc denial
> >3. what does audit2why say if you feed it that avc denial?
> >
> >>
> >> pwrecoveryd is a custom type and all the necessary policies have been
> >> loaded.
> >> However when we specifically add the above allow rule and load the
> >> policies on the target box.
> >> We keep on getting this exact same denial. This is the only denial
>that
> >> shows up
> >>
> >> Any pointers to the issue would be greatly appreciated.
> >>
> >> Thanks,
> >> Anamitra
> >>
> >>
> >>
> >> --
> >> selinux mailing list
> >> selinux(a)lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>