Denial showing up even when allow rule applied

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Tue May 21 18:04:45 UTC 2013


Hi Dan,

We added the domain_obj_id_change_exemption(pwrecoveryd_t) to our src
module but no luck.

Also, our app does not do a setfscreatecon() call; however, from the
syslogs we found calls to setfscreate() by our app.

Is there a way to look at the constraints on a RHEL5 box using seinfo?

As indicated earlier in the email thread, the seinfo command on RHEL5
does not have the "--constrain" option.


Thanks,
Anamitra

On 5/21/13 8:36 AM, "Anamitra Dutta Majumdar (anmajumd)"
<anmajumd at cisco.com> wrote:

>Hi Dan,
>
>Thanks for the pointer. Will give this a try.
>
>-Anamitra
>
>On 5/21/13 6:07 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>
>>> 2. The AVC denial is type=AVC msg=audit(1369081665.408:8113): avc: denied
>>> { create } for pid=18379 comm="usermod" name="passwd+"
>>> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
>>> tcontext=system_u:object_r:etc_t:s0 tclass=file
>>
>>The avc shows a process running as SELinux user is attempting to create a
>>file labeled system_u:object_r:etc_t:s0.  Since you are changing the
>>SELinux user component you get an AVC.  Does your app do a
>>setfscreatecon() call?
>>
>>domain_obj_id_change_exemption(pwrecoveryd_t)  is probably what you need.
>
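An added example, not written by anyone in this thread: a small triage script that flags AVC denials where a file-class create or relabel crosses SELinux users, the situation described for the usermod denial above, in which adding an allow rule alone does not clear the denial. The class and permission sets are an assumption taken from the reference policy's identity-change constraint, and the second sample line is constructed.

```python
import re

# Assumption: classes and permissions covered by the reference policy's
# object-identity-change constraint; the policy on a given box may differ.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}
IDENTITY_PERMS = {"create", "relabelfrom", "relabelto"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def identity_change(rec):
    """True when a file-class create/relabel denial crosses SELinux users,
    a pattern that can come from a constraint rather than a missing allow rule."""
    if not rec or "scontext" not in rec or "tcontext" not in rec:
        return False
    src_user = rec["scontext"].split(":")[0]
    tgt_user = rec["tcontext"].split(":")[0]
    return (rec.get("tclass") in FILE_CLASSES
            and bool(rec["perms"] & IDENTITY_PERMS)
            and src_user != tgt_user)

def triage(lines):
    """Return (comm, source user, target user) for each flagged denial."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if identity_change(rec):
            hits.append((rec.get("comm"), rec["scontext"].split(":")[0],
                         rec["tcontext"].split(":")[0]))
    return hits

SAMPLES = [
    # The denial quoted in the thread, rejoined onto one line.
    'type=AVC msg=audit(1369081665.408:8113): avc:  denied  { create } for  pid=18379 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    # Constructed: same SELinux user on both sides, so a plain TE denial.
    'type=AVC msg=audit(1369081700.100:8120): avc:  denied  { write } for  pid=100 comm="demo" name="x" scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```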