How do I extrapolate the module name? Here is an example audit entry:

1 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
type=AVC msg=audit(1293548941.586:158): avc: denied { write } for pid=3811 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file

Paul

On Dec 28, 2010, at 12:40 AM, Gabi C wrote:

> grep dbus-daemon < /var/log/audit/audit.log | audit2allow -M *module_name1*
> then semodule -i *module_name1.pp*
>
> *watch audit.log for other denials and do the same* 'grep .............. > module_name2' *and so on*
>
> On Mon, Dec 27, 2010 at 6:55 PM, Mr. Paul M. Whitney <paul.whitney@xxxxxx> wrote:
>
>> Hello everyone, I am having an issue with SELinux and Likewise Open. I
>> have managed to "successfully" install the product by setting SELinux to
>> permissive mode and have successfully joined it to a domain. I have also
>> used my AD credentials successfully.
>>
>> After rebooting and SELinux in enforced mode, I am getting the below
>> SELinux AVC denial. I "think" it may be because the .lsassd file is labeled
>> with a generic "var_lib_t" and perhaps it needs to be something like
>> "likewise_var_lib_t". I don't know and this is probably demonstrating my
>> ignorance with SELinux. I am running into dead ends or unrelated info on
>> Google, Red KB, and several people's blogs.
>>
>> Can someone please tell me how to overcome this denial with SELinux in
>> enforce mode?
>>
>> Summary:
>>
>> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
>> (var_lib_t).
>>
>> Detailed Description:
>>
>> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
>> (var_lib_t). The SELinux type var_lib_t is a generic type for all files in
>> the directory and very few processes (SELinux Domains) are allowed to write to
>> this SELinux type. This type of denial usually indicates a mislabeled file. By
>> default a file created in a directory gets the context of the parent
>> directory, but SELinux policy has rules about the creation of directories,
>> that say if a process running in one SELinux Domain (D1) creates a file in a
>> directory with a particular SELinux File Context (F1) the file gets a
>> different File Context (F2). The policy usually allows the SELinux Domain (D1)
>> the ability to write, unlink, and append on (F2). But if for some reason a
>> file (.lsassd) was created with the wrong context, this domain will be denied.
>> The usual solution to this problem is to reset the file context on the target
>> file, restorecon -v '.lsassd'. If the file context does not change from
>> var_lib_t, then this is probably a bug in policy. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>> selinux-policy package. If it does change, you can try your application
>> again to see if it works. The file context could have been mislabeled by
>> editing the file or moving the file from a different directory; if the file
>> keeps getting mislabeled, check the init scripts to see if they are doing
>> something to mislabel the file.
>>
>> Allowing Access:
>>
>> You can attempt to fix file context by executing restorecon -v '.lsassd'
>>
>> The following command will allow this access:
>>
>> restorecon '.lsassd'
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:system_dbusd_t
>> Target Context                system_u:object_r:var_lib_t
>> Target Objects                .lsassd [ sock_file ]
>> Source                        dbus-daemon
>> Source Path                   /bin/dbus-daemon
>> Port                          <Unknown>
>> Host                          delta.whitney.net
>> Source RPM Packages           dbus-1.1.2-14.el5
>> Target RPM Packages
>> Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   mislabeled_file
>> Host Name                     delta.whitney.net
>> Platform                      Linux delta.whitney.net 2.6.18-194.17.4.el5 #1 SMP
>>                               Wed Oct 20 13:03:08 EDT 2010 x86_64 x86_64
>> Alert Count                   80
>> First Seen                    Mon 27 Dec 2010 11:03:37 AM EST
>> Last Seen                     Mon 27 Dec 2010 11:42:13 AM EST
>> Local ID                      f27ca755-0327-42a6-8755-e772887cecd7
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=delta.whitney.net type=AVC msg=audit(1293468133.661:172): avc: denied { write } for pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>>
>> host=delta.whitney.net type=SYSCALL msg=audit(1293468133.661:172): arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7ffffab98d20 a2=6e a3=0 items=1 ppid=1 pid=3827 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
>>
>> host=delta.whitney.net type=PATH msg=audit(1293468133.661:172): item=0 name=(null) inode=295012 dev=fd:04 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
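As an added example (not code from anyone in the thread), a POSIX shell script that answers where the module name comes from: it is whatever you pass to audit2allow -M, so this derives a descriptive one from the scontext, tcontext and tclass fields of each AVC record, collapses repeats, and prints the restorecon-first sequence the report recommends. The naming scheme and the second, constructed audit record are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Derives a descriptive audit2allow module
# name from AVC records like the one Paul posted. The scheme
# (sourcedomain_targettype_class) is an assumption of this example, not an
# SELinux convention; audit2allow accepts any name after -M.

# Sample input: the AVC record from the thread plus a constructed second
# record (different pid and event id, same contexts) to show repeats collapse.
AVC_LINES='type=AVC msg=audit(1293548941.586:158): avc: denied { write } for pid=3811 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1293548950.001:160): avc: denied { write } for pid=3899 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file'

# Third field of a context: system_u:system_r:system_dbusd_t:s0 -> system_dbusd_t
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_field KEY LINE -> value of key=value in an AVC line (empty if absent)
avc_field() { printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"; }

# module_name LINE -> e.g. system_dbusd_var_lib_sock_file; fails on non-AVC input
module_name() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf '%s_%s_%s\n' "${src%_t}" "${tgt%_t}" "$cls"
}

# One module name per distinct (source domain, target type, class) triple.
unique_modules() {
    printf '%s\n' "$AVC_LINES" | grep 'type=AVC' | while IFS= read -r l; do
        module_name "$l"
    done | sort -u
}

# The commands Gabi's advice expands to, printed rather than executed. The
# relabel comes first because, as the setroubleshoot report says, a denial on a
# generic var_lib_t object usually means the file is mislabeled, not a missing rule.
remediation_for() {
    printf "restorecon -v '.lsassd'   # try the relabel first, then re-test\n"
    printf 'grep dbus-daemon /var/log/audit/audit.log | audit2allow -M %s\n' "$1"
    printf 'semodule -i %s.pp\n' "$1"
}

unique_modules | while IFS= read -r m; do remediation_for "$m"; done
```

A module built from this denial would allow system_dbusd_t to write every var_lib_t sock_file on the system, not just .lsassd, which is why confirming the label with restorecon before loading a generated policy matters.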