Hi Dominick,
We are already assigning the domain type attribute to pwrecoveryd_t, and with that we are seeing this issue.
As for the seinfo utility, we installed the latest rpm available from RHN for the RHEL5 release train and this is the behavior we see.
Additionally, the seinfo utility does not have the "--constrain" option, whereas the seinfo in RHEL6 has this option, which enables us to see all the constraints on the system.
Thanks, Anamitra
On 5/21/13 12:00 AM, "Dominick Grift" dominick.grift@gmail.com wrote:
On Mon, 2013-05-20 at 23:41 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
We managed to install setools and we see the following as the output of seinfo
[root@cap-715-pub ~]# seinfo -xtpwrecoveryd_t
Rule loading disabled
pwrecoveryd_t
@ttr0191
@ttr1241
@ttr2387
@ttr2703
Yes, this SELinux installation seems very old. The attributes aren't translated to human readable, so I can't really read it.
Did you try assigning the domain type attribute to the pwrecoveryd_t type?
You could enclose your source policy module; maybe that will enable me to determine which attribute you need.
Thanks, Anamitra
On 5/20/13 2:51 PM, "Dominick Grift" dominick.grift@gmail.com wrote:
On Mon, 2013-05-20 at 20:44 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dominick.
- We do not have the seinfo utility available in our box so could not run it
Well, then it's hard for me to speculate as to which attribute you need to assign to your pwrecoveryd_t type.
You might start with: domain_type(pwrecoveryd_t)
e.g. make it a domain type
- The AVC denial is
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for pid=18379 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
- audit2why shows this
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for pid=18379 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint.
So this tells you that it's a policy constraint issue. A type enforcement rule won't help you here. You need to assign the proper type attributes to the pwrecoveryd_t type, most likely.
Probably the "domain" type attribute.
Thanks, Anamitra
On 5/20/13 12:30 PM, "Dominick Grift" dominick.grift@gmail.com wrote:
On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
We are seeing this on a RHEL5 based release of our product.
The particular rule that is causing the issue is this:
allow pwrecoveryd_t etc_t:file create;
Kind of hard to speculate. Can you provide more info like for example:
- output of : seinfo -xtpwrecoveryd_t
- the actual avc denial
- what does audit2why say if you feed it that avc denial?
pwrecoveryd is a custom type and all the necessary policies have been loaded. However, when we specifically add the above allow rule and load the policies on the target box, we keep on getting this exact same denial. This is the only denial that shows up.
Any pointers to the issue would be greatly appreciated.
Thanks, Anamitra
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
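
Added example, not part of the original thread: a small Python triage helper that parses the AVC denial quoted above and lists which security-context fields differ between source and target, since SELinux constraint expressions compare the source and target user, role and type. The function names are hypothetical, and the helper does not identify which constraint in the loaded policy fired.

```python
import re

# The denial quoted in the thread, copied verbatim.
AVC = ('type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for '
       'pid=18379 comm="usermod" name="passwd+" '
       'scontext=specialuser_u:system_r:pwrecoveryd_t:s0 '
       'tcontext=system_u:object_r:etc_t:s0 tclass=file')

FIELDS = ("user", "role", "type", "level")

def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    parts += [None] * (4 - len(parts))   # no level when MLS/MCS is off
    return dict(zip(FIELDS, parts))

def parse_avc(line):
    """Return permissions, class and both contexts from one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial record")
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    for key in ("scontext", "tcontext", "tclass"):
        if key not in kv:
            raise ValueError("missing field: " + key)
    return {
        "perms": m.group(1).split(),
        "comm": kv.get("comm", "").strip('"'),
        "name": kv.get("name", "").strip('"'),
        "tclass": kv["tclass"],
        "source": parse_context(kv["scontext"]),
        "target": parse_context(kv["tcontext"]),
    }

def differing_fields(avc):
    """Context fields whose source and target values are not equal.

    Role and type normally differ when a process acts on a file
    (files carry object_r), so a differing user is the field to
    check against the policy's constraints first.
    """
    return [f for f in FIELDS if avc["source"][f] != avc["target"][f]]

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["comm"], rec["perms"], rec["tclass"], rec["name"])
    for f in differing_fields(rec):
        print("%-5s source=%s target=%s" % (f, rec["source"][f], rec["target"][f]))
```
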