Hi Dominick.
1. We do not have the seinfo utility available in our box, so we could not run it.
2. The AVC denial is:
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for pid=18379 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
3. audit2why shows this:
type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for pid=18379 comm="usermod" name="passwd+" scontext=specialuser_u:system_r:pwrecoveryd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
    Was caused by:
        Constraint violation.
        Check policy/constraints.
        Typically, you just need to add a type attribute to the domain to satisfy the constraint.
Thanks, Anamitra
On 5/20/13 12:30 PM, "Dominick Grift" dominick.grift@gmail.com wrote:
On Mon, 2013-05-20 at 19:25 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
We are seeing this on a RHEL5 based release of our product.
The particular rule that is causing the issue is this:
allow pwrecoveryd_t etc_t:file create;
Kind of hard to speculate. Can you provide more info like for example:
- output of: seinfo -xtpwrecoveryd_t
- the actual avc denial
- what does audit2why say if you feed it that avc denial?
pwrecoveryd is a custom type and all the necessary policies have been loaded. However, when we specifically add the above allow rule and load the policies on the target box, we keep on getting this exact same denial. This is the only denial that shows up.
Any pointers to the issue would be greatly appreciated.
Thanks, Anamitra
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
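
As an added example (not part of the original thread): audit2why attributes the denial to a constraint, and constraints are written over the user, role and type of the source and target contexts rather than only the types an allow rule names. This Python helper parses the AVC record quoted above and lists the identity fields that differ between the two contexts, which are the ones to compare against policy/constraints; the function names are hypothetical.

```python
import re

# AVC record copied from the message above.
AVC = ('type=AVC msg=audit(1369081665.408:8113): avc: denied { create } for '
       'pid=18379 comm="usermod" name="passwd+" '
       'scontext=specialuser_u:system_r:pwrecoveryd_t:s0 '
       'tcontext=system_u:object_r:etc_t:s0 tclass=file')


def parse_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    parts += [None] * (4 - len(parts))
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_avc(line):
    """Extract permissions, class and both contexts from one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("no AVC denial in line")
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": m.group(1).split(),
        "tclass": kv["tclass"],
        "source": parse_context(kv["scontext"]),
        "target": parse_context(kv["tcontext"]),
    }


def constraint_inputs(avc):
    """Return user/role/level fields that differ between source and target.

    Types are omitted because the allow rule on the page already names them.
    """
    s, t = avc["source"], avc["target"]
    diff = {f: (s[f], t[f]) for f in ("user", "role", "level") if s[f] != t[f]}
    if t["role"] == "object_r":  # object_r is the role carried by objects
        diff.pop("role", None)
    return diff


if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(avc["perms"], avc["tclass"])
    for field, (src, tgt) in constraint_inputs(avc).items():
        print("%-5s source=%s target=%s" % (field, src, tgt))
```

For the record on this page it reports only the user field (specialuser_u against system_u).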