Denial showing up even when allow rule appied
Anamitra Dutta Majumdar (anmajumd)
anmajumd at cisco.com
Wed May 22 19:35:35 UTC 2013
Hi Dan ,
Here is the related AVC denial
type=AVC msg=audit(1369177581.853:57912): avc: denied { create } for
pid=18778 comm="usermod" name="passwd+"
scontext=specialuser_u:system_r:pwrecoveryd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1369177581.853:57912): arch=40000003 syscall=5
success=yes exit=5 a0=bff19038 a1=8241 a2=1b6 a3=9df3670 items=2
ppid=18765 pid=18778 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty1 ses=1624 comm="usermod" exe="/usr/sbin/usermod"
subj=specialuser_u:system_r:pwrecoveryd_t:s0 key=(null)
type=CWD msg=audit(1369177581.853:57912): cwd="/home/pwrecovery"
type=PATH msg=audit(1369177581.853:57912): item=0 name="/etc/"
inode=3103841 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:etc_t:s0type=PATH msg=audit(1369177581.853:57912):
item=1 name="/etc/passwd+" inode=3105686 dev=08:01 mode=0100000 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
And we are not using kerberos for any authentication on our system.
Thanks,
Anamitra
On 5/22/13 10:04 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 05/21/2013 02:04 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Dan,
>>
>> We added the domain_obj_id_change_exemption(pwrecoveryd_t) to our src
>> module but no luck.
>>
>> And also our app does not do a setfscreatecon() call however from the
>> syslogs we found Calls to setfscreate() by our app.
>>
>> Is there a way to look at the constraints on a RHEL5 box using seinfo.
>>
>> As indicated earlier in the email thread , the seinfo command on RHEL5
>>does
>> not have the "--constrain" option.
>>
>>
>> Thanks, Anamitra
>>
>
>Could you attach your current AVC messages? Are you using kerberos
>libraries?
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.13 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iEYEARECAAYFAlGc+pwACgkQrlYvE4MpobN/6QCgtqqBj0lc0PJQqp7gIGUNwB+N
>ptkAoKu36vK2vcqUgymCVyNbQ9Va5hYh
>=+6sy
>-----END PGP SIGNATURE-----
More information about the selinux
mailing list