On 05/22/2013 03:35 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
>
> Here is the related AVC denial:
>
> type=AVC msg=audit(1369177581.853:57912): avc: denied { create } for
> pid=18778 comm="usermod" name="passwd+"
> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1369177581.853:57912): arch=40000003 syscall=5
> success=yes exit=5 a0=bff19038 a1=8241 a2=1b6 a3=9df3670 items=2
> ppid=18765 pid=18778 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=tty1 ses=1624 comm="usermod" exe="/usr/sbin/usermod"
> subj=specialuser_u:system_r:pwrecoveryd_t:s0 key=(null)
>
> type=CWD msg=audit(1369177581.853:57912): cwd="/home/pwrecovery"
>
> type=PATH msg=audit(1369177581.853:57912): item=0 name="/etc/"
> inode=3103841 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:etc_t:s0
>
> type=PATH msg=audit(1369177581.853:57912): item=1 name="/etc/passwd+"
> inode=3105686 dev=08:01 mode=0100000 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:etc_t:s0
>
> And we are not using kerberos for any authentication on our system.

Ok, usermod and useradd do the setfilecon calls. One thing you might want to
do is transition to useradd_t.

usermanage_domtrans_useradd(pwrecoveryd_t)

useradd currently has these two exceptions.

domain_obj_id_change_exemption(useradd_t)
domain_system_change_exemption(useradd_t)

It looks like you might need both if you want pwrecoveryd_t to do this.

> Thanks, Anamitra
>
> On 5/22/13 10:04 AM, "Daniel J Walsh" <dwalsh(a)redhat.com> wrote:
>
>> On 05/21/2013 02:04 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> Hi Dan,
>>>
>>> We added the domain_obj_id_change_exemption(pwrecoveryd_t) to our
>>> src module but no luck.
>>>
>>> And also our app does not do a setfscreatecon() call; however, from
>>> the syslogs we found calls to setfscreate() by our app.
>>>
>>> Is there a way to look at the constraints on a RHEL5 box using
>>> seinfo?
>>>
>>> As indicated earlier in the email thread, the seinfo command on
>>> RHEL5 does not have the "--constrain" option.
>>>
>>> Thanks, Anamitra
>>
>> Could you attach your current AVC messages? Are you using kerberos
>> libraries?
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
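What Dan's suggestion looks like as a loadable module, as an added example that is not part of the thread and not code from Dan, Anamitra or the refpolicy project. The script pulls the source type, target type, class and permission out of the AVC record posted above (reproduced inline so it runs offline), then emits a refpolicy module that sends that domain through usermanage_domtrans_useradd(), so usermod and useradd (both labelled useradd_exec_t in refpolicy) run in useradd_t, which already carries the two exemptions Dan lists. The module name pwrecovery_useradd, the build via the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile, and the "install" argument are this example's own choices; the rules could equally be added to the existing src module that defines pwrecoveryd_t. One caveat worth reading off the record itself: the SYSCALL line says success=yes exit=5, so the open() went through and this denial was captured while the domain was not being enforced; the same create fails once it is.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a refpolicy-based RHEL 5/6 box
# with selinux-policy-devel installed (Makefile path below); module name and
# the "install" argument are this script's own conventions.

# The AVC record from the thread, joined onto one line (constructed input).
AVC='type=AVC msg=audit(1369177581.853:57912): avc: denied { create } for pid=18778 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... with any surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set between the braces of "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gen_te DOMAIN: print a policy module that makes DOMAIN transition to
# useradd_t when it executes useradd/usermod, instead of granting DOMAIN
# the create permission on etc_t files directly.
gen_te() {
    sed "s/@DOM@/$1/g" <<'EOF'
policy_module(pwrecovery_useradd, 1.0)

gen_require(`
    type @DOM@;
')

# Dan's suggestion: run useradd/usermod (useradd_exec_t) in useradd_t,
# which already has domain_obj_id_change_exemption() and
# domain_system_change_exemption().
usermanage_domtrans_useradd(@DOM@)

# Alternative if the program has to stay in @DOM@: give the domain the
# same two exemptions (Dan notes both may be needed). Uncomment to use.
# domain_obj_id_change_exemption(@DOM@)
# domain_system_change_exemption(@DOM@)
EOF
}

# build_module DOMAIN: write, compile and load the module. Needs root and
# selinux-policy-devel; only runs when the script is invoked with "install".
build_module() {
    gen_te "$1" > pwrecovery_useradd.te
    make -f /usr/share/selinux/devel/Makefile pwrecovery_useradd.pp
    semodule -i pwrecovery_useradd.pp
}

src=$(ctx_type "$(avc_field "$AVC" scontext)")
tgt=$(ctx_type "$(avc_field "$AVC" tcontext)")
printf '%s ran %s and was denied { %s } on %s:%s\n' \
    "$src" "$(avc_field "$AVC" comm)" "$(avc_perms "$AVC")" \
    "$tgt" "$(avc_field "$AVC" tclass)"
printf '\n# Proposed module for %s:\n' "$src"
gen_te "$src"
if [ "${1:-}" = install ]; then
    build_module "$src"
fi
```

Run it with no arguments to see the parsed denial and the generated .te; run it as root with "install" to build and load the module. After loading, re-run the pwrecovery program and confirm with ps -eZ that usermod now shows up in useradd_t rather than pwrecoveryd_t.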