Hi Dominick.
1. We do not have the seinfo utility available on our box, so we could not
run it.
2. The AVC denial is
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
pid=18379 comm="usermod" name="passwd+"
scontext=specialuser_u:system_r:pwrecoveryd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
3. audit2why shows this
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
pid=18379 comm="usermod" name="passwd+"
scontext=specialuser_u:system_r:pwrecoveryd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the
domain to satisfy the constraint.
Thanks,
Anamitra
On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift(a)gmail.com> wrote:
On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> We are seeing this on a RHEL5 based release of our product.
>
> The particular rule that is causing the issue is this.
>
> allow pwrecoveryd_t etc_t:file create;
Kind of hard to speculate. Can you provide more info like for example:
1. output of : seinfo -xtpwrecoveryd_t
2. the actual avc denial
3. what does audit2why say if you feed it that avc denial?
>
> pwrecoveryd is a custom type and all the necessary policies have been
> loaded.
> However, when we specifically add the above allow rule and load the
> policies on the target box, we keep on getting this exact same denial.
> This is the only denial that shows up.
>
> Any pointers to the issue would be greatly appreciated.
>
> Thanks,
> Anamitra
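
As an added example (not part of the original thread), the Python sketch below parses the AVC denial quoted in the message and lists the context fields that differ between scontext and tcontext, which are the values a policy constraint expression compares. The function names are hypothetical; which constraint actually applies still has to be read from policy/constraints.

```python
import re

# The denial quoted in the message above, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for '
    'pid=18379 comm="usermod" name="passwd+" '
    'scontext=specialuser_u:system_r:pwrecoveryd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)
FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return dict(zip(FIELDS, parts + [None] * (4 - len(parts))))


def parse_avc(record):
    """Return permissions, class and both contexts from one AVC record."""
    record = " ".join(record.split())  # undo mail/terminal line wrapping
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", record)
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in kv]
    if perms is None or missing:
        raise ValueError(f"not an AVC denial (missing {missing or 'perms'})")
    return {
        "perms": perms.group(1).split(),
        "tclass": kv["tclass"],
        "comm": kv.get("comm", "").strip('"'),
        "source": split_context(kv["scontext"]),
        "target": split_context(kv["tcontext"]),
    }


def constraint_inputs(avc):
    """Fields a constrain/mlsconstrain expression can compare (u1/u2, r1/r2,
    l1/l2) that differ between source and target. Type is left out: TE allow
    rules cover it, and source and target types normally differ."""
    return {f: (avc["source"][f], avc["target"][f])
            for f in ("user", "role", "level")
            if avc["source"][f] != avc["target"][f]}


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(avc["comm"], avc["perms"], avc["tclass"], constraint_inputs(avc))
```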