On Tue, 2009-08-18 at 08:19 -0400, Stephen Smalley wrote:
> If this is another manifestation of the same problem, then the easiest
> approach would be to grab the libselinux .src.rpm, patch
> libselinux/src/checkAccess.c to syslog() a message whenever there is a
> denial, build and install your patched libselinux, and then retry and
> look for the log message.

Something like this patch (un-tested, against the current upstream libselinux):

diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c index c1982c7..cae1626 100644 --- a/libselinux/src/checkAccess.c +++ b/libselinux/src/checkAccess.c @@ -2,6 +2,7 @@ #include <sys/types.h> #include <stdlib.h> #include <errno.h> +#include <syslog.h> #include "selinux_internal.h" #include <selinux/flask.h> #include <selinux/av_permissions.h> @@ -29,7 +30,15 @@ int selinux_check_passwd_access(access_vector_t requested) if ((retval == 0) && ((requested & avd.allowed) == requested)) { status = 0; + } else { + syslog(LOG_ERR, + "avc: denied { %s } for scontext=%s " + "tcontext=%s tclass=passwd\n", + security_av_perm_to_string(passwd_class, + requested), + user_context, user_context); } + freecon(user_context); }

--
Stephen Smalley
National Security Agency
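
Review bot: In the second hunk the new else branch runs whenever the combined test `(retval == 0) && ((requested & avd.allowed) == requested)` is false, so it also logs "avc: denied" when retval is non-zero, that is, when the access computation itself failed and avd.allowed is not a real decision. Suggest splitting the branch: log the denial only when retval == 0, and report the failure case separately (with errno) so the log does not show a denial that policy never made. Also, requested is an access_vector_t and may carry more than one permission bit; if security_av_perm_to_string() returns NULL for such a value, passing it to %s is undefined, so check the result or fall back to printing the mask in hex. The trailing \n in the format string is not needed for syslog(), and since scontext and tcontext both print user_context, a short comment saying that is intentional would help whoever reads the log.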