On Mon, 2013-05-20 at 23:41 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> We managed to install setools and we see the following as the output of
> seinfo
>
> [root@cap-715-pub ~]# seinfo -xtpwrecoveryd_t
> Rule loading disabled
> pwrecoveryd_t
> @ttr0191
> @ttr1241
> @ttr2387
> @ttr2703
>
Yes this selinux installation seems very old. the attributes arent
translated to human readable so i cant really read it.
did you try assigning the domain type attribute to the pwrecoveryd_t
type?
You could enclose your source policy module , maybe that will enable me
to determine which attribute you need.
>
> Thanks,
> Anamitra
>
> On 5/20/13 2:51 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
>
> >On Mon, 2013-05-20 at 20:44 +0000, Anamitra Dutta Majumdar (anmajumd)
> >wrote:
> >> Hi Dominick.
> >>
> >> 1. We do not have the seinfo utility available in our box so could not
> >>run
> >> it
> >>
> >
> >Well then its hard for me to speculate as to which attribute you need to
> >assign to your pwrecoveryd_t type
> >
> >you might start with: domain_type(pwrecoveryd_t)
> >
> >e.g. make it a domain type
> >
> >> 2. The AVC denial is
> >> type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
> >> pid=18379 comm="usermod" name="passwd+"
> >> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> >> tcontext=system_u:object_r:etc_t:s0 tclass=file
> >>
> >>
> >> 3. audit2why shows this
> >> type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for
> >> pid=18379 comm="usermod" name="passwd+"
> >> scontext=specialuser_u:system_r:pwrecoveryd_t:s0
> >> tcontext=system_u:object_r:etc_t:s0 tclass=file
> >> Was caused by:
> >> Constraint violation.
> >> Check policy/constraints.
> >> Typically, you just need to add a type attribute to the
> >> domain to satisfy the constraint.
> >>
> >
> >So this tells you that its a policy constraint issue. A type enforcement
> >rule wont help you here. You need to assign the proper type attributes
> >to the pwrecoveryd_t type most likely
> >
> >probably "domain" type attribute
> >
> >
> >> Thanks,
> >> Anamitra
> >>
> >>
> >>
> >> On 5/20/13 12:30 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
> >>
> >> >On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd)
> >> >wrote:
> >> >> We are seeing this on a RHEL5 based release of our product.
> >> >>
> >> >> The particular rule that is causing the issue is this .
> >> >>
> >> >> allow pwrecoveryd_t etc_t:file create;
> >> >
> >> >Kind of hard to speculate. Can you provide more info like for example:
> >> >
> >> >1. output of : seinfo -xtpwrecoveryd_t
> >> >2. the actual avc denial
> >> >3. what does audit2why say if you feed it that avc denial?
> >> >
> >> >>
> >> >> pwrecoveryd is a custom type and all the necessary policies have been
> >> >> loaded.
> >> >> However when we specifically add the above allow rule and load the
> >> >> policies on the target box.
> >> >> We keep on getting this exact same denial. This is the only denial
> >>that
> >> >> shows up
> >> >>
> >> >> Any pointers to the issue would be greatly appreciated.
> >> >>
> >> >> Thanks,
> >> >> Anamitra
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> selinux mailing list
> >> >> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >> >
> >> >
> >>
> >
> >
>
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
