making a file context change work for initrc_t and unconfined_t

Dominick Grift dominick.grift at gmail.com
Tue Feb 7 23:09:34 UTC 2012


On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:

> Hi there,

Hi

> To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds 
> contains the following (based on what I found in the likewise.fc from git as 
> well as Dominick's notes above -- replacing /usr/sbin 
> with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):
> 
> fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
> fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
> fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
> fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
> fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
> fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
> fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
> fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
> fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
> fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
> fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
> fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
> fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
> fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
> fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
> fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
> fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
> fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
> fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
> fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
> fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond

A lot of the above file context specifications are wrong because you
have not specified what class of object it is for.

The -f option allows you to specify what type of object the
specification is for.

Example: -f -- is a file, -f -d is a dir, -f -s is a sock file
(those are the most common objects, but there are also character,
block, fifo and link files).

> I added some wildcards in there because some of the files get created with the 
> Active Directory domain name appended to them, namely:
> 
> /var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET
> /var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET

Yes that is good. Just append .* to the file name or so.


> After running "restorecon -R -F -v" on all those directories and rebooting, I 
> just got these denials:
> 
> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { open } for  
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

Looks like an init script (or a process running in the init script
domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on
device dm-4 to be exact).

/tmp should not be used by system wide services. I am not sure where and
if you can configure whatever created that file and tell it to use a
proper place like /var/lib/$APP but if possible then that is best

Also you should figure out what created this (was it some init script?).
It might be that some process was running in the init script domain due
to a mislabeled executable file (ps auxZ | grep initrc_t)

> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { read } for  
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc:  denied  { lock } for  
> pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc:  denied  { unlink } 
> for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> 
> There were also a bunch of getattr denials on stuff in /proc.

Yes I know.

> Those files in /tmp are owned by me, apparently created when I logged in.  They 
> might have been left over from before.  
> Otherwise, everything looks good so far.
> 
> I haven't tried building the additional "mylikewise" policy yet, but I can do 
> that next.  I can also start over on a fresh box if that would be helpful.

I can create a loadable module based off of the patch that I will attach
below that will take care of the file context specs as well as the
additional policy you might need to get this to work.

Would be great if you could apply that and see if that works for you.

Unfortunately it is a bit late currently here and I need my rest now, but
I will work tomorrow on the loadable policy module and send it to the
list. So you should be able to apply it tomorrow.

> Thanks,
> Christina
> 

Thank you
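As an added illustration of the -f advice in the reply above (not code from either poster or from the likewise policy), the script below rewrites `semanage -i` fcontext lines so that each one carries an object class: sock files for `*_var_socket_t` types, regular files for everything else, and no class for `(/.*)?` tree specs, which are meant to match every object class. The input is a constructed subset of the quoted specs, and the `-f --` / `-f -s` spelling is the one quoted in the reply; newer semanage releases expect single-letter classes (`f`, `s`, `d`) instead.

```python
import re
import shlex

# Constructed sample: a few of the fcontext lines quoted in the thread,
# in the format fed to "semanage -i".
SPECS = """\
fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
"""

SPEC_RE = re.compile(r"^fcontext\s+-a\s+-t\s+(\S+)\s+(.+)$")


def object_class(setype, pathspec):
    """Pick the -f argument for one spec, following the reply's guidance:
    a '(/.*)?' tree spec stays classless (it must match dirs, files,
    sockets alike), *_var_socket_t types label sock files, and every
    other spec in this list names a regular file. None means "add no -f"."""
    if "(/.*)?" in pathspec:
        return None
    if setype.endswith("_var_socket_t"):
        return "-s"
    return "--"


def add_file_class(line):
    """Return the fcontext line with an explicit -f class inserted."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 'fcontext -a -t' line: {line!r}")
    setype, raw_path = m.groups()
    pathspec = shlex.split(raw_path)[0]  # drop the shell quoting around regexes
    cls = object_class(setype, pathspec)
    # Re-quote anything that contains regex metacharacters so the shell
    # passes it through to semanage untouched.
    quoted = f'"{pathspec}"' if any(ch in pathspec for ch in "()?*") else pathspec
    if cls is None:
        return f"fcontext -a -t {setype} {quoted}"
    return f"fcontext -a -f {cls} -t {setype} {quoted}"


def fix_specs(text):
    """Rewrite every non-empty line of a semanage -i input block."""
    return [add_file_class(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    print("\n".join(fix_specs(SPECS)))
```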
