On Feb 3, 2012, at 4:43 AM, Dominick Grift wrote:
On Fri, 2012-02-03 at 10:02 +0100, Dominick Grift wrote:
policy_module(mylikewise, 1.0.0)

optional_policy(`
	gen_require(`
		attribute likewise_domains;
		type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
		type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t, eventlogd_t;
	')

	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

	kernel_read_system_state(likewise_domains)
	domain_dontaudit_search_all_domains_state(lsassd_t)

	allow lwsmd_t likewise_var_lib_t:file write_file_perms;
	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;
	allow eventlogd_t likewise_var_lib_t:file rw_file_perms;

	allow lwsmd_t self:process setpgid;
	allow lwiod_t self:process setrlimit;
	allow lwiod_t self:capability sys_resource;
')
..
To build it:
make -f /usr/share/selinux/devel/Makefile mylikewise.pp
to install it:
sudo semodule -i mylikewise.pp
Actually, I think I figured out why /var/lib/likewise/db/lwi_events.db and /var/lib/likewise/.lwsmd-lock might have been mislabeled.
The "lwi_events.db" has chars that need to be escaped. (either the dot or underscore or both)
The .lwsmd-lock has no file context specification at all currently.
Please try the following (watch the line breaks though, this e-mail client messes up the layout):
mylikewise.te:

policy_module(mylikewise, 1.0.0)

optional_policy(`
	gen_require(`
		attribute likewise_domains;
		type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
		type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
	')

	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

	kernel_read_system_state(likewise_domains)
	domain_dontaudit_search_all_domains_state(lsassd_t)

	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;

	allow lwsmd_t self:process setpgid;
	allow lwiod_t self:process setrlimit;
	allow lwiod_t self:capability sys_resource;
')
mylikewise.fc:

# The dot is a regex metacharacter in file context specs, so it is escaped here
/var/lib/likewise/db/lwi_events\.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/\.lwsmd-lock	--	gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
To build:
make -f /usr/share/selinux/devel/Makefile mylikewise.pp
To install:
sudo semodule -i mylikewise.pp
Restore contexts:
restorecon -R -v /var/lib/likewise
See if the two paths above have the right type:
ls -alZ /var/lib/likewise/.lwsmd-lock
ls -alZ /var/lib/likewise/db/lwi_events.db
(also see if, when you remove them, they get created with the right type)
If this is fixed then please test the app again. This change may introduce some new AVC denials.
I installed the mylikewise policy. Those two files do have the right type now. After I remove them they do get created with the right type.
After installing the new policy there were some additional AVCs. Here they are:
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.603:69): avc: denied { write } for pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for pid=1161 comm="lsassd" path = 2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429 dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.585:66): avc: denied { read write open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { read } for pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { open } for pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
Thank you, Maria
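The AVC lines above can be triaged mechanically before deciding whether each denial calls for a new allow rule or is really a labeling problem to fix in the .fc file. The following Python script is an added example, not code from either message or from the likewise or refpolicy projects; it does a reduced form of what the real audit2allow tool does: parse the denial lines, group them by (source type, target type, object class), union the permissions, and print candidate allow rules for review. The sample lines are constructed after the ones in the thread, with a placeholder domain, and the hex-encoded path= field shows how auditd records a value that contains a space (such as a "(deleted)" suffix); the script decodes it for readability.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines modelled on the thread, with AD.DOMAIN as a
# placeholder. auditd hex-encodes a field value that contains spaces or
# non-printable bytes, which is what the path= line below imitates.
HEX_PATH = "/var/lib/likewise/krb5cc_lsass.AD.DOMAIN (deleted)".encode().hex().upper()
SAMPLE_AVCS = [
    'type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1328288542.603:69): avc: denied { write } for pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file',
    f'type=AVC msg=audit(1328288542.586:68): avc: denied {{ getattr }} for pid=1161 comm="lsassd" path={HEX_PATH} dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1328288542.585:66): avc: denied { read write open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file',
]

# The permission set in braces, then the three context fields that identify
# the access vector being denied.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value pairs; quoted values keep their quotes here and are
# stripped when used.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    rec = {
        "perms": set(m.group("perms").split()),
        # user:role:type:level -> take the type component
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "").strip('"'),
    }
    # An unquoted, all-hex name= or path= value is auditd's encoding of a
    # value with spaces or non-printable bytes; decode it for the reader.
    obj = fields.get("name") or fields.get("path") or ""
    if obj and not obj.startswith('"') and re.fullmatch(r"[0-9A-Fa-f]+", obj):
        obj = bytes.fromhex(obj).decode("utf-8", "replace")
    rec["object"] = obj.strip('"')
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def candidate_rules(lines):
    """Render the summary as allow rules in .te syntax, for review.

    These are candidates, not rules to apply blindly: a denial on a file that
    simply carries the wrong type (the case this thread is about) is fixed by a
    file context entry and restorecon, not by widening the policy.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(lines).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        rec = parse_avc(line)
        print(f'{rec["comm"]:10} {rec["tclass"]:10} {sorted(rec["perms"])} on {rec["object"] or "-"}')
    print()
    print("\n".join(candidate_rules(SAMPLE_AVCS)))
```

Running it prints one summary line per denial (with the hex path decoded to its "(deleted)" form) followed by three candidate rules, one of which collapses the getattr, read, write, open and unlink denials on the krb5cc file into a single permission set. On a live system the input would come from `ausearch -m avc` or /var/log/audit/audit.log instead of the constructed list.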