On Wed, 2012-02-08 at 00:09 +0100, Dominick Grift wrote:
>
> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Looks like an init script (or a process running in the init script
domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on
device dm-4, to be exact).

/tmp should not be used by system-wide services. I am not sure where and
if you can configure whatever created that file and tell it to use a
proper place like /var/lib/$APP, but if possible then that is best.

Also you should figure out what created this (was it some init script?).
It might be that some process was running in the init script domain due
to a mislabeled executable file (ps auxZ | grep initrc_t).

I am actually pretty sure it was created by either lsassd or, maybe but
less likely, the lsassd init script (or the main likewise init script if
you do not have a separate lsassd init script). It may also be a leftover
from earlier, before you applied the proper file contexts (that is
actually what I suspect).
> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for
> pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink }
> for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
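Triage helper, added here as an example and not part of the thread: it parses AVC records like the ones quoted above, collapses them per source domain, target type and inode, and flags the pattern described in the reply (a confined domain denied access to a file carrying another domain's tmp type, here lsassd_t against initrc_tmp_t). The sample records are the quoted denials re-joined onto one line each, as ausearch -i prints them; the `created_by_other_domain` heuristic and the field names of the result dicts are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the thread, one record per line.
SAMPLE_AVCS = [
    "type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

def parse_avc(line):
    """Return perms, source domain, target type and raw fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": fields["scontext"].split(":")[2],  # user:role:type:level -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", "?"),
        "fields": fields,
    }

def triage(lines):
    """Group denials by (source domain, target type, class, dev, ino) and flag
    *_tmp_t targets whose owning domain differs from the denied domain."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "names": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        key = (rec["sdomain"], rec["ttype"], rec["tclass"], f.get("dev", "?"), f.get("ino", "?"))
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["comms"].add(f.get("comm", "?"))
        g["names"].add(f.get("path") or f.get("name", "?"))  # path= when the kernel has it
    report = []
    for (sdom, ttype, tclass, dev, ino), g in groups.items():
        owner = ttype[:-len("_tmp_t")] if ttype.endswith("_tmp_t") else None  # initrc_tmp_t -> initrc
        prefix = sdom[:-2] if sdom.endswith("_t") else sdom                   # lsassd_t -> lsassd
        report.append({"sdomain": sdom, "ttype": ttype, "tclass": tclass, "dev": dev, "ino": ino,
                       "perms": sorted(g["perms"]), "comms": sorted(g["comms"]),
                       "names": sorted(g["names"]),
                       "created_by_other_domain": owner is not None and owner != prefix})
    return report
```

A flagged group points at the file to inspect (dev/ino, name or path) and at the question the reply raises: which process, in which domain, created it, and whether it predates the relabel.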