making a file context change work for initrc_t and unconfined_t
Dominick Grift
dominick.grift at gmail.com
Fri Feb 3 00:10:43 UTC 2012
On Thu, 2012-02-02 at 17:58 -0500, Maria Iano wrote:
Alright let's walk through this:
(A few rules may duplicate one another -- duplicate allow rules are harmless -- and there may be typos; the build step at the end will flag anything that does not parse.)
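# Scratch directory for the local policy module.  Guard the cd: if it fails,
# every ">> mylikewise.te" below would otherwise land in whatever directory
# we happen to be in.
mkdir -p ~/mylikewise && cd ~/mylikewise || { printf '%s\n' 'cannot enter ~/mylikewise' >&2; exit 1; }
# Module header; every rule below is appended after this line.
printf 'policy_module(mylikewise, 1.0.0)\n' > mylikewise.te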
> Here is the list:
>
> type=AVC msg=audit(1328198424.686:20): avc: denied { write } for
> pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file
> type=AVC msg=audit(1328198424.686:20): avc: denied { connectto }
> for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond"
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket
# lwiod connects to netlogond through /var/lib/likewise/.netlogond (the two
# denials above: sock_file write, then unix_stream_socket connectto).
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
    ')

    stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
')
EOF
> type=AVC msg=audit(1328203534.556:16): avc: denied { getattr } for
> pid=1141 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf"
> dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
> type=AVC msg=audit(1328203534.536:14): avc: denied { getattr } for
> pid=1141 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf"
> dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
# lwsmd stat()s both krb5 config files (getattr denials above).  The
# read_file_perms rule appended further down should already cover getattr,
# so this one is expected to be redundant -- harmless, kept for traceability.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
    ')

    allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file getattr_file_perms;
')
EOF
> type=AVC msg=audit(1328203534.221:9): avc: denied { getattr } for
> pid=1143 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db"
> dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
!!!! Something is wrong here: this file should have been created with type
eventlogd_var_lib_t. Note the SELinux user on the object is unconfined_u, while
eventlogd runs as system_u -- so the file was most likely not created by the
daemon at all (see the summary at the end). The rule below is only a workaround
until it is relabeled.
# WORKAROUND: lwi_events.db is labeled likewise_var_lib_t instead of the
# private eventlogd_var_lib_t (see the note above).  This grants eventlogd_t
# access to the shared directory type; drop it once the file is relabeled.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type eventlogd_t, likewise_var_lib_t;
    ')

    allow eventlogd_t likewise_var_lib_t:file getattr_file_perms;
')
EOF
> type=AVC msg=audit(1328200531.030:128): avc: denied { getattr } for
> pid=1486 comm="lsassd" path="/proc/1043" dev=proc ino=10798
> scontext=system_u:system_r:lsassd_t:s0
> tcontext=system_u:system_r:auditd_t:s0 tclass=dir
# lsassd walks /proc and trips over another domain's directory (getattr on
# auditd_t:dir above).  Silence rather than allow: there is no reason for
# lsassd to read other daemons' process state.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lsassd_t;
    ')

    domain_dontaudit_search_all_domains_state(lsassd_t)
')
EOF
> type=AVC msg=audit(1328198423.037:5): avc: denied { lock } for
> pid=1108 comm="lwsmd" path="/var/lib/likewise/.lwsmd-lock" dev=dm-0
> ino=395380 scontext=system_u:system_r:lwsmd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
??? I was expecting a private type for .lwsmd-lock. As with lwi_events.db, the object carries unconfined_u rather than the daemon's system_u, which points at the file having been created from an unconfined session.
# lwsmd locks /var/lib/likewise/.lwsmd-lock, which carries the shared
# likewise_var_lib_t rather than a private type (see note above).
# write_file_perms granted further down should subsume lock; kept anyway.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t, likewise_var_lib_t;
    ')

    allow lwsmd_t likewise_var_lib_t:file lock;
')
EOF
>
> type=AVC msg=audit(1328198424.260:19): avc: denied { lock } for
> pid=1151 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db"
> dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
!!! Something is wrong here: this file should have been created with type eventlogd_var_lib_t (same file as above, same unconfined_u owner). The rule below is a workaround until it is relabeled.
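# The original echo used bare backticks inside double quotes, so the shell
# ran ` gen_require(` as a command substitution and dropped the gen_require
# from the output; a quoted here-doc keeps every backtick literal.
# WORKAROUND: same mislabeled lwi_events.db (should be eventlogd_var_lib_t);
# drop this rule once the file is relabeled.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type eventlogd_t, likewise_var_lib_t;
    ')

    allow eventlogd_t likewise_var_lib_t:file lock;
')
EOF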
> type=AVC msg=audit(1328198423.032:4): avc: denied { write } for
> pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328198423.032:4): avc: denied { open } for
> pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
??? I was expecting a private type for this file; note again the unconfined_u user on the object. Granting write on the shared type is wider than the lock file itself, so treat the rule below as temporary.
# lwsmd opens .lwsmd-lock for writing (write + open denials above).  Same
# caveat as before: the lock file sits on the shared likewise_var_lib_t type,
# so this widens lwsmd access to every file of that type, not just the lock.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t, likewise_var_lib_t;
    ')

    allow lwsmd_t likewise_var_lib_t:file write_file_perms;
')
EOF
> type=AVC msg=audit(1328198423.043:6): avc: denied { read } for
> pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328198423.043:6): avc: denied { open } for
> pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
# lwsmd reads /proc/stat (read + open on proc_t above); use the kernel
# interface rather than a raw proc_t allow rule.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t;
    ')

    kernel_read_system_state(lwsmd_t)
')
EOF
> type=AVC msg=audit(1328198423.343:8): avc: denied { read } for
> pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwregd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328198423.343:8): avc: denied { open } for
> pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwregd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
# lwregd reads /proc/stat (read + open on proc_t above).
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwregd_t;
    ')

    kernel_read_system_state(lwregd_t)
')
EOF
> type=AVC msg=audit(1328203534.538:15): avc: denied { read } for
> pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328203534.538:15): avc: denied { open } for
> pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328203534.557:17): avc: denied { read } for
> pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
> type=AVC msg=audit(1328203534.557:17): avc: denied { open } for
> pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
# lwsmd reads krb5-affinity.conf and likewise-krb5-ad.conf (read + open
# denials above).  read_file_perms should also carry getattr, which would
# cover the earlier stat() denials on the same two files.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
    ')

    allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;
')
EOF
>
> type=AVC msg=audit(1328203534.223:10): avc: denied { read } for
> pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328203534.223:10): avc: denied { open } for
> pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
# eventlogd reads /proc/stat (read + open on proc_t above).
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type eventlogd_t;
    ')

    kernel_read_system_state(eventlogd_t)
')
EOF
>
> type=AVC msg=audit(1328203534.286:11): avc: denied { read } for
> pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:netlogond_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328203534.286:11): avc: denied { open } for
> pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:netlogond_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
# netlogond reads /proc/stat (read + open on proc_t above).
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type netlogond_t;
    ')

    kernel_read_system_state(netlogond_t)
')
EOF
>
> type=AVC msg=audit(1328198424.259:18): avc: denied { read write }
> for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0
> ino=395386 scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328198424.259:18): avc: denied { open } for
> pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386
> scontext=system_u:system_r:eventlogd_t:s0
> tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
mislabeled: should be eventlogd_var_lib_t (same file as above). The rw rule below is a workaround until it is relabeled.
# WORKAROUND (same mislabeled lwi_events.db): eventlogd_t needs read/write
# on it.  rw on the whole shared likewise_var_lib_t type is wider than the
# daemon should have; relabel the file to eventlogd_var_lib_t and drop this.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type eventlogd_t, likewise_var_lib_t;
    ')

    allow eventlogd_t likewise_var_lib_t:file rw_file_perms;
')
EOF
>
> type=AVC msg=audit(1328198423.936:12): avc: denied { read } for
> pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1328198423.936:12): avc: denied { open } for
> pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032
> scontext=system_u:system_r:lwiod_t:s0
# lwiod reads /proc/stat (read + open on proc_t above).
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwiod_t;
    ')

    kernel_read_system_state(lwiod_t)
')
EOF
>
> type=AVC msg=audit(1328198350.869:21213): avc: denied { read } for
> pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1328198350.869:21213): avc: denied { open } for
> pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
>
> type=AVC msg=audit(1328198350.873:21215): avc: denied { read } for
> pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
> type=AVC msg=audit(1328198350.873:21215): avc: denied { open } for
> pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321
> scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
# Same two krb5 config reads as before, this time from a second lwsmd run
# (pid 1912).  This repeats the read_file_perms rule already appended above;
# duplicate allow rules are harmless, so it is kept as-is.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t, likewise_krb5_ad_t, netlogond_var_lib_t;
    ')

    allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
')
EOF
> type=AVC msg=audit(1328198423.053:7): avc: denied { setpgid } for
> pid=1112 comm="lwsmd" scontext=system_u:system_r:lwsmd_t:s0
> tcontext=system_u:system_r:lwsmd_t:s0 tclass=process
# lwsmd calls setpgid() on itself (process setpgid denial above).
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwsmd_t;
    ')

    allow lwsmd_t self:process setpgid;
')
EOF
>
> type=AVC msg=audit(1328198423.945:13): avc: denied { setrlimit }
> for pid=1164 comm="lwiod" scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:system_r:lwiod_t:s0 tclass=process
> type=AVC msg=audit(1328198423.945:13): avc: denied { sys_resource }
> for pid=1164 comm="lwiod" capability=24
> scontext=system_u:system_r:lwiod_t:s0
> tcontext=system_u:system_r:lwiod_t:s0 tclass=capability
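# The AVC pair above is one setrlimit(2) call: "setrlimit" is a permission of
# the *process* class, and "sys_resource" is the capability checked on top of
# it when a hard limit is raised.  The original rule put setrlimit in the
# capability class, which is not a valid permission there and should be
# rejected at build time.  If lwiod works with only the process permission,
# prefer a dontaudit for sys_resource over granting it.
cat >>mylikewise.te <<'EOF'
optional_policy(`
    gen_require(`
        type lwiod_t;
    ')

    allow lwiod_t self:process setrlimit;
    allow lwiod_t self:capability sys_resource;
')
EOF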
>
>
>
There is one file that was created with the wrong type or mislabeled
afterwards: /var/lib/likewise/db/lwi_events.db (should have type
eventlogd_var_lib_t, not likewise_var_lib_t).
The denials themselves carry a strong hint: the file's context is
unconfined_u:object_r:likewise_var_lib_t, whereas every daemon here runs as
system_u:system_r:<daemon>_t, and a file created by eventlogd_t would carry
system_u. So this file (and .lwsmd-lock, which shows the same unconfined_u)
was most likely created from an unconfined session -- e.g. the daemons started
by hand from a root shell, or the files restored from a backup -- where no type
transition to eventlogd_var_lib_t applies and the file simply inherited the
directory's likewise_var_lib_t. The rules above that grant eventlogd_t and
lwsmd_t access to likewise_var_lib_t are workarounds for that; once the files
are relabeled they can be dropped again, keeping each daemon's access to the
shared directory type as small as possible.
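# Build the module and install it only if the build succeeded; without the
# "&&" a failed build would still install whatever leftover mylikewise.pp is
# in the directory.
make -f /usr/share/selinux/devel/Makefile mylikewise.pp && sudo semodule -i mylikewise.pp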
Please test again. Before you do, relabel everything the module touches (at
least /var/lib/likewise and /etc/likewise) with `restorecon -Rv`, and verify
with `ls -Z /var/lib/likewise/db/lwi_events.db`. If it still shows
likewise_var_lib_t there is no file-context entry for that path and restorecon
cannot fix it: then move the stale lwi_events.db (and .lwsmd-lock) out of the
way and restart the daemons so they recreate the files themselves, or as a
stopgap label them by hand with `chcon -t eventlogd_var_lib_t` (chcon labels
do not survive a full relabel).
if any questions or comments please do not hesitate to ask.
I am looking forward to your reply.