Denial showing up even when allow rule applied

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Tue May 21 15:30:22 UTC 2013


Hi Dominick,

We are already assigning the domain type attribute to pwrecoveryd_t, and
with that we are seeing this issue.

As for the seinfo utility, we installed the latest rpm available from RHN
for the RHEL5 release train, and this is the behavior we see.

Additionally, the seinfo utility does not have the "--constrain" option,
whereas the seinfo in RHEL6 has this option, which enables us to see all
the constraints on the system.

Thanks,
Anamitra

On 5/21/13 12:00 AM, "Dominick Grift" <dominick.grift at gmail.com> wrote:

>On Mon, 2013-05-20 at 23:41 +0000, Anamitra Dutta Majumdar (anmajumd)
>wrote:
>> We managed to install setools and we see the following as the output of
>> seinfo
>> 
>> [root at cap-715-pub ~]# seinfo -xtpwrecoveryd_t
>> Rule loading disabled
>>    pwrecoveryd_t
>>       @ttr0191
>>       @ttr1241
>>       @ttr2387
>>       @ttr2703
>> 
>
>Yes, this SELinux installation seems very old. The attributes aren't
>translated to human-readable names, so I can't really read it.
>
>did you try assigning the domain type attribute to the pwrecoveryd_t
>type?
>
>You could enclose your source policy module; maybe that will enable me
>to determine which attribute you need.
>
>> 
>> Thanks,
>> Anamitra
>> 
>> On 5/20/13 2:51 PM, "Dominick Grift" <dominick.grift at gmail.com> wrote:
>> 
>> >On Mon, 2013-05-20 at 20:44 +0000, Anamitra Dutta Majumdar (anmajumd)
>> >wrote:
>> >> Hi Dominick.
>> >> 
>> >> 1. We do not have the seinfo utility available in our box so could
>> >> not run it
>> >> 
>> >
>> >Well then it's hard for me to speculate as to which attribute you need
>> >to assign to your pwrecoveryd_t type
>> >
>> >you might start with: domain_type(pwrecoveryd_t)
>> >
>> >e.g. make it a domain type
>> >
>> >> 2. The AVC denial is
>> >> type=AVC msg=audit(1369081665.408:8113): avc:  denied  { create } for
>> >> pid=18379 comm="usermod" name="passwd+"
>> >> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
>> >> tcontext=system_u:object_r:etc_t:s0 tclass=file
>> >> 
>> >> 
>> >> 3. audit2why shows this
>> >> type=AVC msg=audit(1369081665.408:8113): avc:  denied  { create } for
>> >> pid=18379 comm="usermod" name="passwd+"
>> >> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
>> >> tcontext=system_u:object_r:etc_t:s0 tclass=file
>> >>         Was caused by:
>> >>                 Constraint violation.
>> >>                 Check policy/constraints.
>> >>                 Typically, you just need to add a type attribute to
>> >>                 the domain to satisfy the constraint.
>> >> 
>> >
>> >So this tells you that it's a policy constraint issue. A type
>> >enforcement rule won't help you here. You need to assign the proper
>> >type attributes to the pwrecoveryd_t type most likely
>> >
>> >probably "domain" type attribute
>> >
>> >
>> >> Thanks,
>> >> Anamitra
>> >> 
>> >> 
>> >> 
>> >> On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift at gmail.com>
>> >> wrote:
>> >> 
>> >> >On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar
>> >> >(anmajumd) wrote:
>> >> >> We are seeing this on a RHEL5 based release of our product.
>> >> >> 
>> >> >> The particular rule that is causing the issue is this .
>> >> >> 
>> >> >> allow pwrecoveryd_t etc_t:file create;
>> >> >
>> >> >Kind of hard to speculate. Can you provide more info like for
>> >> >example:
>> >> >
>> >> >1. output of : seinfo -xtpwrecoveryd_t
>> >> >2. the actual avc denial
>> >> >3. what does audit2why say if you feed it that avc denial?
>> >> >
>> >> >> 
>> >> >> pwrecoveryd is a custom type and all the necessary policies have
>> >> >> been loaded.
>> >> >> However, when we specifically add the above allow rule and load the
>> >> >> policies on the target box, we keep on getting this exact same
>> >> >> denial. This is the only denial that shows up.
>> >> >> 
>> >> >> Any pointers to the issue would be greatly appreciated.
>> >> >> 
>> >> >> Thanks,
>> >> >> Anamitra
>> >> >> 
>> >> >> 
>> >> >> 
>> >> >> --
>> >> >> selinux mailing list
>> >> >> selinux at lists.fedoraproject.org
>> >> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
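Added worked example (not from this thread, and not SELinux or setools code): a small Python model of the decision the kernel makes for a denial like the one quoted above. A permission is granted only when a type-enforcement allow rule permits it AND every constrain statement that covers that class and permission evaluates true for the source and target contexts, which is why audit2why can report a constraint violation for an operation an allow rule already covers. The AVC line below is constructed from the one in the thread; the constraint text, the attribute name can_change_object_identity and the type-to-attribute sets are hypothetical stand-ins (a simplified refpolicy-style identity constraint, not the real text), and the actual constraint on a given system has to be read from that system's policy, for example with seinfo --constrain where the installed setools supports it.

```python
"""
Toy model of an SELinux access decision: TE allow rule AND constraints.
Added example, not code from the mailing-list thread or from SELinux.
"""
import re

# Constructed AVC line, modelled on the denial quoted in the thread.
AVC_LINE = (
    "type=AVC msg=audit(1369081665.408:8113): avc:  denied  { create } for "
    'pid=18379 comm="usermod" name="passwd+" '
    "scontext=specialuser_u:system_r:pwrecoveryd_t:s0 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file"
)

# The allow rule from the thread as a TE rule set:
# (source type, target type, class) -> permissions
ALLOW = {("pwrecoveryd_t", "etc_t", "file"): {"create"}}

# Type -> attributes, i.e. what `seinfo -xt <type>` reports once attribute
# names are translated. Assumed here: the domain attribute is already set.
ATTRS = {"pwrecoveryd_t": {"domain"}, "etc_t": {"file_type"}}

# HYPOTHETICAL constraint in policy/constraints syntax: a simplified
# stand-in for a refpolicy-style identity constraint on file create.
# Read the real one from the target policy (seinfo --constrain, or source).
CONSTRAINTS = [{
    "class": "file",
    "perms": {"create", "relabelto", "relabelfrom"},
    "expr": "u1 == u2 or t1 == can_change_object_identity",
}]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_context(ctx):
    """user:role:type[:range] -> dict keyed by the letters constraints use."""
    user, role, typ = ctx.split(":", 3)[:3]
    return {"u": user, "r": role, "t": typ}


def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    return {
        "perms": set(m.group("perms").split()),
        "src": parse_context(m.group("scontext")),
        "tgt": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def te_allows(allow, src, tgt, tclass, perm):
    return perm in allow.get((src["t"], tgt["t"], tclass), set())


def eval_constraint(expr, src, tgt, attrs):
    """Evaluate a constrain expression. u1/r1/t1 refer to the source context,
    u2/r2/t2 to the target; a bare name on the right of t1/t2 matches the
    type itself or one of its attributes. Grammar (recursive descent):
    or := and ('or' and)* ; and := atom ('and' atom)* ;
    atom := '(' or ')' | 'not' atom | field op (field | name)."""
    toks = re.findall(r"\(|\)|==|!=|\w+", expr)
    pos = [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def field(name):
        ctx = src if name[1] == "1" else tgt
        return name[0], ctx[name[0]]

    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return val
        if tok == "not":
            return not atom()
        op, right = take(), take()
        kind, lval = field(tok)
        if right in ("u1", "r1", "t1", "u2", "r2", "t2"):
            eq = lval == field(right)[1]
        elif kind == "t":  # type name or attribute membership
            eq = right == lval or right in attrs.get(lval, set())
        else:
            eq = right == lval
        return eq if op == "==" else not eq

    def and_expr():
        val = atom()
        while peek() == "and":
            take()
            rhs = atom()  # always consume tokens: no short-circuit
            val = val and rhs
        return val

    def or_expr():
        val = and_expr()
        while peek() == "or":
            take()
            rhs = and_expr()
            val = val or rhs
        return val

    result = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result


def decide(line, allow=ALLOW, attrs=ATTRS, constraints=CONSTRAINTS):
    """Return (verdict, permission, reason) for the first permission that fails."""
    avc = parse_avc(line)
    for perm in sorted(avc["perms"]):
        if not te_allows(allow, avc["src"], avc["tgt"], avc["tclass"], perm):
            return ("denied", perm, "no allow rule")
        for c in constraints:
            if c["class"] == avc["tclass"] and perm in c["perms"]:
                if not eval_constraint(c["expr"], avc["src"], avc["tgt"], attrs):
                    return ("denied", perm, "constraint violation: " + c["expr"])
    return ("granted", None, "TE rule and all constraints satisfied")


if __name__ == "__main__":
    print(decide(AVC_LINE))  # allow rule present, constraint still fails
    fixed = dict(ATTRS, pwrecoveryd_t={"domain", "can_change_object_identity"})
    print(decide(AVC_LINE, attrs=fixed))  # attribute on the source domain fixes it
```

Run as a script it prints the denial first (the allow rule matches, but u1 and u2 differ and the source type lacks the attribute the constraint names) and then the grant once the attribute is added to the source domain only. The TE rule never changes between the two runs, which is the shape of fix the thread converges on: the attribute set of the type, not the allow rule, is what satisfies the constraint.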