grep dbus-daemon < /var/log/audit/audit.log | audit2allow -M *module_name1*
then
semodule -i *module_name1.pp*
*watch audit.log for other denials and do the same*
grep .............. module_name2
*and so on*

On Mon, Dec 27, 2010 at 6:55 PM, Mr. Paul M. Whitney <paul.whitney@xxxxxx> wrote:
> Hello everyone, I am having an issue with SELinux and Likewise Open. I
> have managed to "successfully" install the product by setting SELinux to
> permissive mode and have successfully joined it to a domain. I have also
> used my AD credentials successfully.
>
> After rebooting and SELinux in enforced mode, I am getting the below
> SELinux AVC denial. I "think" it may be because the .lsassd file is labeled
> with a generic "var_lib_t" and perhaps it needs to be something like
> "likewise_var_lib_t". I don't know and this is probably demonstrating my
> ignorance with SELinux. I am running into dead ends or unrelated info on
> Google, Red KB, and several people's blogs.
>
> Can someone please tell me how to overcome this denial with SELinux in
> enforce mode?
>
>
> Summary:
>
> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
> (var_lib_t).
>
> Detailed Description:
>
> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
> (var_lib_t). The SELinux type var_lib_t is a generic type for all files in
> the directory and very few processes (SELinux Domains) are allowed to write
> to this SELinux type. This type of denial usually indicates a mislabeled
> file. By default a file created in a directory gets the context of the
> parent directory, but SELinux policy has rules about the creation of
> directories that say if a process running in one SELinux Domain (D1)
> creates a file in a directory with a particular SELinux File Context (F1)
> the file gets a different File Context (F2). The policy usually allows the
> SELinux Domain (D1) the ability to write, unlink, and append on (F2). But
> if for some reason a file (.lsassd) was created with the wrong context,
> this domain will be denied. The usual solution to this problem is to reset
> the file context on the target file, restorecon -v '.lsassd'. If the file
> context does not change from var_lib_t, then this is probably a bug in
> policy. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If it does change, you can try your application
> again to see if it works. The file context could have been mislabeled by
> editing the file or moving the file from a different directory; if the
> file keeps getting mislabeled, check the init scripts to see if they are
> doing something to mislabel the file.
>
> Allowing Access:
>
> You can attempt to fix file context by executing restorecon -v '.lsassd'
>
> The following command will allow this access:
>
> restorecon '.lsassd'
>
> Additional Information:
>
> Source Context                system_u:system_r:system_dbusd_t
> Target Context                system_u:object_r:var_lib_t
> Target Objects                .lsassd [ sock_file ]
> Source                        dbus-daemon
> Source Path                   /bin/dbus-daemon
> Port                          <Unknown>
> Host                          delta.whitney.net
> Source RPM Packages           dbus-1.1.2-14.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   mislabeled_file
> Host Name                     delta.whitney.net
> Platform                      Linux delta.whitney.net 2.6.18-194.17.4.el5 #1 SMP
>                               Wed Oct 20 13:03:08 EDT 2010 x86_64 x86_64
> Alert Count                   80
> First Seen                    Mon 27 Dec 2010 11:03:37 AM EST
> Last Seen                     Mon 27 Dec 2010 11:42:13 AM EST
> Local ID                      f27ca755-0327-42a6-8755-e772887cecd7
> Line Numbers
>
> Raw Audit Messages
>
> host=delta.whitney.net type=AVC msg=audit(1293468133.661:172): avc: denied { write } for pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> host=delta.whitney.net type=SYSCALL msg=audit(1293468133.661:172): arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7ffffab98d20 a2=6e a3=0 items=1 ppid=1 pid=3827 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
>
> host=delta.whitney.net type=PATH msg=audit(1293468133.661:172): item=0 name=(null) inode=295012 dev=fd:04 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
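Added example (not part of the thread, and not Likewise or Red Hat code): a small shell helper that does the first half of the "grep ... | audit2allow -M" step from the reply in a reviewable way. It pulls the AVC records for one process name out of an audit.log stream, condenses them to (source type, target type, class, permissions) with a count, and renders each as the allow rule a module built from them would contain. That rendering is the check worth doing before "semodule -i": for the denial in the thread it reads "allow system_dbusd_t var_lib_t:sock_file { write };", which permits dbus-daemon to write to every var_lib_t socket, not just .lsassd. The setroubleshoot text in the thread says the same denial is usually a mislabel, so the sequence is: compare the file's current type with what the policy expects (on a real host, `matchpathcon -n /path/to/.lsassd`; assumed path), run `restorecon -v` if they differ and retest, and only build a module if the labels already match. The audit log below is constructed for the example; the first record is modelled on the one in the thread, the "lsassd"/initrc_t record is invented to show a second domain being filtered out.

```shell
#!/bin/sh
# Constructed sample audit.log content (not the poster's real log).
AUDIT_SAMPLE='type=AVC msg=audit(1293468133.661:172): avc: denied { write } for pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1293468133.661:172): arch=c000003e syscall=42 success=no exit=-13 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
type=AVC msg=audit(1293468140.000:173): avc: denied { write } for pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1293468150.000:174): avc: denied { getattr } for pid=4001 comm="lsassd" name="passwd" dev=dm-4 ino=100 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Keep only AVC records whose comm= field is exactly $1 (the quotes in the
# pattern stop "lsassd" from matching "dbus-daemon" lines and vice versa).
# Output is suitable as stdin for: audit2allow -M <module_name>
avc_lines() {
    grep "type=AVC " | grep "comm=\"$1\""
}

# Condense the AVC records for $1 to one line per distinct
# "<source type> <target type> <class> <permissions>", prefixed by a count.
avc_summary() {
    avc_lines "$1" | awk '
    # third field of user:role:type[:level]
    function type_of(ctx,   parts, n) {
        n = split(ctx, parts, ":")
        return parts[3]
    }
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions are listed between "{" and "}"
        b = index($0, "{"); e = index($0, "}")
        if (b && e > b) perm = substr($0, b + 1, e - b - 1)
        sub(/^ +/, "", perm); sub(/ +$/, "", perm)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = type_of(kv[2])
            else if (kv[1] == "tcontext") tgt = type_of(kv[2])
            else if (kv[1] == "tclass") cls = kv[2]
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Render each summary line as the allow rule a module built from these
# denials would carry. Simplified rendering: braces are always used, and
# audit2allow also knows about booleans and dontaudit rules. The point is to
# read the scope of the rule (whole target type, not one file) before loading it.
avc_rules() {
    avc_summary "$1" | awk '{
        perms = ""
        for (i = 5; i <= NF; i++) perms = perms (i > 5 ? " " : "") $i
        printf "allow %s %s:%s { %s };\n", $2, $3, $4, perms
    }'
}

# Demo on the constructed log; on a real host replace the printf with
#   avc_summary dbus-daemon < /var/log/audit/audit.log
printf '%s\n' "$AUDIT_SAMPLE" | avc_summary dbus-daemon
printf '%s\n' "$AUDIT_SAMPLE" | avc_rules dbus-daemon
```

Seeing "2 system_dbusd_t var_lib_t sock_file write" on its own already tells you the generated rule would be type-wide. If `matchpathcon -n` reports a different type for .lsassd than var_lib_t, `restorecon -v` is the fix and no module is needed; if it reports var_lib_t as well, the policy genuinely lacks the rule and a local module (or a bug report, as the setroubleshoot text suggests) is the right path.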