[PATCH 1/2] Fix SELinux AVCs due to restorecond and shadow.db

Mahrud Sayrafi dinovirus+NOSPAM at gmail.com
Thu Mar 14 08:58:37 UTC 2013


From: Mahrud Sayrafi <dinovirus at gmail.com>

 Sample AVC:
 Mar 14 04:49:33 bastion01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.12 type=AVC msg=audit(1363236565.099:97140): avc:  denied  { relabelfrom } for  pid=3979 comm="restorecond" name="shadow.db" dev=dm-0 ino=1055216 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

---
 configs/system/selinux/modules/fedora.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/configs/system/selinux/modules/fedora.te b/configs/system/selinux/modules/fedora.te
index b9031f3..00d3fba 100644
--- a/configs/system/selinux/modules/fedora.te
+++ b/configs/system/selinux/modules/fedora.te
@@ -37,6 +37,7 @@ allow domain initrc_t:fifo_file write;
 # This will be fixed once we fix the fasClient
 auth_read_shadow(restorecond_t)
 auth_relabelto_shadow(restorecond_t)
+auth_relabelfrom_shadow(restorecond_t)
 
 allow system_mail_t httpd_sys_content_t:dir search;
 dontaudit system_mail_t httpd_t:file read;
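Review bot: the comment two lines above the added line ("This will be fixed once we fix the fasClient") now covers three grants rather than two, so it should be updated to mention relabelfrom as well, and the AVC quoted in the commit message is worth reading against that comment: restorecond needs relabelfrom on shadow_t only because shadow.db is being created with the wrong context in the first place, so this line (like `auth_read_shadow` and `auth_relabelto_shadow` before it) widens restorecond_t's access to shadow files as a workaround rather than fixing the labeling at the source. Suggest tracking the three `auth_*_shadow(restorecond_t)` lines together so they are removed in one step once the fasClient side is fixed, and confirming the `auth_relabelfrom_shadow` interface exists in the reference policy version the module is built against, since a missing interface is the usual cause of a module build failure after this kind of one-line change.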
-- 
1.7.2.1