Re: MLS enforcing and kerberos

On Fri, 22 Aug 2008 13:07:48 -0400 Stephen wrote:
SS> > type=AVC msg=audit(1219421464.372:719): avc:  denied  { getattr } for
SS> > pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
SS> > scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
SS> > tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
SS> 
SS> The real question there is why is that file labeled unlabeled_t?  That
SS> usually indicates that its context was invalidated, e.g. you removed the
SS> type from the policy?

I haven't touched policy... The file must be left over from when the box
was running in targeted mode... I did relabel, but then there's this:

/etc/selinux/mls/contexts/files/file_contexts:/var/tmp/.*      <<none>>

SS> BTW, aside from the wrong type on the file, the denial is clearly an MLS
SS> denial - look at the levels on the two contexts.  You have a process
SS> whose current/low level is s0 (aka SystemLow) trying to getattr (read
SS> flow) a file at s15:c0.c1023 (aka SystemHigh).  No surprises there.
SS> The high level of the process is only used as a ceiling for newrole -l
SS> or if the process' domain has certain MLS privileges allowing it to act
SS> up to its ceiling.

I couldn't delete the file in enforcing mode, even after 'newrole -l
SystemHigh'. So I dropped to permissive and deleted the file. After
that, kadmin started fine and the file was recreated with SystemLow.

-- 
Robert Story
SPARTA
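As an added example (not part of the thread), here is a small Python check that parses the AVC record quoted above and applies the MLS rule Stephen describes: for a read-flow permission such as getattr, the subject's current (low) level must dominate the object's level, while the high level is only a ceiling. AVC_LINE is the quoted denial joined onto one line, and the helper names are my own.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1219421464.372:719): avc:  denied  { getattr } for '
    'pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
    'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file'
)

def parse_level(spec):
    """'s15:c0.c1023' -> (15, frozenset of categories 0..1023); 's0' -> (0, empty)."""
    sens, _, cats = spec.partition(':')
    categories = set()
    for item in filter(None, cats.split(',')):   # items are 'cN' or 'cN.cM' ranges
        lo, _, hi = item.partition('.')
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(categories)

def parse_context(ctx):
    """'user:role:type:low-high' -> dict; a context without '-' has low == high."""
    user, role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return {'user': user, 'role': role, 'type': typ,
            'low': parse_level(low), 'high': parse_level(high or low)}

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_avc(line):
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    return {'perms': perms, 'tclass': fields['tclass'],
            'subject': parse_context(fields['scontext']),
            'target': parse_context(fields['tcontext'])}

def explain_read_denial(line):
    """Return (allowed_by_mls, reason) for a read-flow permission such as getattr."""
    avc = parse_avc(line)
    subj, obj = avc['subject'], avc['target']
    # Read flow is checked against the subject's current (low) level, not its ceiling.
    if dominates(subj['low'], obj['low']):
        return True, 'subject current level dominates object level'
    reason = 'subject current level does not dominate object level'
    if obj['type'] == 'unlabeled_t':
        reason += '; object type is unlabeled_t, so its label was invalidated'
    return False, reason
```

Running `explain_read_denial(AVC_LINE)` reports the denial as an MLS one (s0 does not dominate s15:c0.c1023) and flags the unlabeled_t type as a separate problem.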

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list