problem with likewise and audit messages

Maria Iano maria at iano.org
Tue May 31 16:33:29 UTC 2011 

On May 31, 2011, at 11:31 AM, Dominick Grift wrote:

>
>
> On Tue, 2011-05-31 at 11:17 -0400, Maria Iano wrote:
>
>> Is there some way  to prevent auditd from logging these AVC messages?
>>
>> type=AVC msg=audit(1306183684.644:121931): avc:  denied   
>> { connectto }
>> for  pid=31266 comm="vsftpd" path="/var/lib/likewise/.lsassd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>>
>> type=AVC msg=audit(1306185430.740:122001): avc:  denied  { write }
>> for  pid=378 comm="pickup" name=".lsassd" dev=dm-1 ino=426071
>> scontext=system_u:system_r:postfix_pickup_t:s0
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>>
>> type=AVC msg=audit(1306179615.139:121656): avc:  denied   
>> { connectto }
>> for  pid=22431 comm="httpd" path="/var/lib/likewise/.lsassd"
>> scontext=user_u:system_r:httpd_t:s0
>> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>>
>> type=USER_AUTH msg=audit(1306265986.269:124088): user pid=25822 uid=0
>> auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>> msg='PAM: authentication acct="layout" : exe="/usr/sbin/
>> sshd" (hostname=asb-sys61.us.ad.gannett.com, addr=10.0.65.242,
>> terminal=ssh res=failed)'
>>
>> type=AVC msg=audit(1306853338.309:51215): avc:  denied  { write } for
>> pid=5472 comm="genhomedircon" name=".lsassd" dev=dm-4 ino=32827
>> scontext=user_u:system_r:semanage_t:s0
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>>
>> type=AVC msg=audit(1306853338.309:51215): avc:  denied  { connectto }
>> for  pid=5472 comm="genhomedircon" path="/var/lib/likewise/.lsassd"
>> scontext=user_u:system_r:semanage_t:s0
>> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> I am not sure whether "el5" supports it but i guess you could try  
> piping
> the avc denials into "audit2allow -DM mydontauditsforlikewise"
>
> And then load it into the system with "semodule -i
> mydontauditsforlikewise.pp"
>
> If that does not work you could write a policy module manually:
>
> mkdir mylw; cd mylw; echo "policy_module(mylw, 1.0.0) gen_require(\`
> type semanage_t, initrc_t, var_lib_t, ftpd_t, httpd_t,  
> postfix_pickup_t;
> ') dontaudit { httpd_t ftpd_t semanage_t postfix_pickup_t }
> initrc_t:unix_stream_socket connectto; dontaudit { httpd_t ftpd_t
> semanage_t, postfix_pickup_t } var_lib_t:sock_file
> write_sock_file_perms;" >> mylw.te
>
> (yum install selinux-policy-devel)
>
> make -f /usr/share/selinux/devel/Makefile mylw.pp
> sudo semodule -i mylw.pp
>
> Although hidding these may have consequences for example attempts by
> httpd, ftpd etc to connect to any service with a unix stream socket
> running in the init script domain will be hidden.
>
> Same for any of those domain trying to write to var_lib_t sock files.

I don't want to allow that access. I just want auditd to not log it.

More information about the selinux mailing list