Re: making a file context change work for initrc_t and unconfined_t

On Fri, 2012-02-03 at 21:59 +0100, Dominick Grift wrote:
> On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:
> 
> > I installed the mylikewise policy. those two files do have the right  
> > type now. After I remove them they do get created with the right type.
> > 
> > After installing the new policy there were some additional AVCs. Here  
> > they are:
> > 
> > type=AVC msg=audit(1328288896.867:124): avc:  denied  { name_connect }  
> > for  pid=1803 comm="eventlogd" dest=135  
> > scontext=system_u:system_r:eventlogd_t:s0  
> > tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
> 
> add this to the mylikewise.te file:
> 
> corenet_tcp_connect_epmap_port(eventlogd_t)
> 
> 
> then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp; sudo
> semodule -i mylikewise.pp
> 
> > type=AVC msg=audit(1328288705.888:70): avc:  denied  { unlink } for   
> > pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489  
> > scontext=system_u:system_r:eventlogd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
> > 
> > type=AVC msg=audit(1328288542.603:69): avc:  denied  { write } for   
> > pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489  
> > scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
> > 
> > type=AVC msg=audit(1328288542.586:68): avc:  denied  { getattr } for   
> > pid=1161 comm="lsassd"  
> > path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429  
> > dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1328288542.585:66): avc:  denied  { read write  
> > open } for  pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"  
> > dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1328288542.586:67): avc:  denied  { unlink } for   
> > pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0  
> > ino=394337 scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1328287031.471:5): avc:  denied  { read } for   
> > pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0  
> > ino=395406 scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1328287031.471:5): avc:  denied  { open } for   
> > pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0  
> > ino=395406 scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> > 
> > type=AVC msg=audit(1328288893.067:123): avc:  denied  { unlink } for   
> > pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0  
> > ino=395406 scontext=system_u:system_r:lsassd_t:s0  
> > tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
> 
> 
> All of these are somehow wrong. There should be no files or sock files
> with the generic likewise_var_lib_t. Only some directories.
> 
> I wonder how these got created and/or labeled this way.
> 
> None of the confined likewise processes should be allowed to create
> these with this type.
> 
> The strange thing is that I also do not see any AVC denials of their
> actual creation.
> 
> This leads me to suspect that these are mislabeled leftovers. Could I
> be right?
> 

It is still a bug though because there are no file contexts specified
for these files and so we should specify them.

It means we need the actual full paths of the files.

example:

.eventlog
find /var/lib -inum 392489
find /var/lib -inum 394337
find /var/lib -inum 395406

It is important that all files have the proper file context
specification so that, if for some reason the file system needs to be
relabeled, the files will still have the proper type, to avoid breakage
like we witnessed above.

> > Thank you,
> > Maria
> > 
> 
> 


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
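As an added example (not part of the thread), the shell script below does the inode-to-path lookup the reply describes and drafts file_contexts entries from the result. It takes the search root as an argument (the thread uses /var/lib), stands in a constructed temp tree and sample AVC records for the real files, and uses TYPE_TBD as a placeholder because the thread does not name the private types to assign.

```shell
#!/bin/sh
# Added example, not code from the thread. It resolves the inode numbers
# quoted in AVC denials back to full paths (the "find /var/lib -inum" step
# above) and drafts file_contexts lines from them. The sample AVC records and
# the temp directory standing in for /var/lib are constructed here; TYPE_TBD
# is a placeholder, since the thread does not name the private types to use.

# Print distinct "ino comm tclass" triples from AVC records on stdin. Records
# without an ino= field (the name_connect denial on a tcp_socket) are skipped.
avc_inodes() {
    sed -n 's/.*comm="\([^"]*\)".*ino=\([0-9][0-9]*\).*tclass=\([a-z_]*\).*/\2 \1 \3/p' | sort -u
}

# For each inode, locate the object under $1 and print "ino comm tclass path".
# An inode with no match (already unlinked, or on another filesystem) is
# reported as <not found> rather than silently dropped.
avc_paths() {
    avc_inodes | while read -r ino comm tclass; do
        path=$(find "$1" -xdev -inum "$ino" 2>/dev/null | head -n 1)
        printf '%s %s %s %s\n' "$ino" "$comm" "$tclass" "${path:-<not found>}"
    done
}

# Turn each resolved path into a file_contexts line: regex dots escaped and
# the object class mapped to the file type field (-- file, -s sock_file, ...).
fc_skeleton() {
    avc_paths "$1" | while read -r ino comm tclass path; do
        [ "$path" = "<not found>" ] && continue
        case $tclass in
            sock_file) ftype=-s ;; dir) ftype=-d ;; lnk_file) ftype=-l ;; *) ftype=-- ;;
        esac
        esc=$(printf '%s' "$path" | sed 's/\./\\./g')
        printf '%s\t%s\tgen_context(system_u:object_r:TYPE_TBD,s0)\n' "$esc" "$ftype"
    done
}

# Constructed demo: a temp tree holding the file names from the thread.
demo() {
    root=$(mktemp -d)
    for f in .eventlog krb5cc_lsass.AD.DOMAIN lsass-adcache.filedb.AD.DOMAIN; do
        : > "$root/$f"
        ino=$(ls -i "$root/$f" | awk '{print $1}')
        printf 'type=AVC msg=audit(1.0:1): avc:  denied  { read } for  pid=1 comm="lsassd" name="%s" dev=dm-0 ino=%s scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file\n' "$f" "$ino"
    done | fc_skeleton "$root"
    rm -rf "$root"
}
demo
```

On a real system, feed it the AVC records from the audit log (ausearch -m avc) and pass /var/lib as the root; the drafted lines still need the correct type filled in before they go into the .fc file.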
