On Fri, 2012-02-03 at 21:59 +0100, Dominick Grift wrote:
On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:
I installed the mylikewise policy. Those two files do have the right type now. After I remove them they do get created with the right type.
After installing the new policy there were some additional AVCs. Here they are:
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
Add this to the mylikewise.te file:
corenet_tcp_connect_epmap_port(eventlogd_t)
Then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp; sudo semodule -i mylikewise.pp
type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.603:69): avc: denied { write } for pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for pid=1161 comm="lsassd" path = 2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429 dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.585:66): avc: denied { read write open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { read } for pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { open } for pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
All of these are somehow wrong. There should be no files or sock files with the generic likewise_var_lib_t. Only some directories.
I wonder how these got created and/or labeled this way.
None of the confined likewise processes should be allowed to create these with this type.
The strange thing is that I also do not see any AVC denials of their actual creation.
This leads me to suspect that these are mislabeled leftovers. Could I be right?
It is still a bug though because there are no file contexts specified for these files and so we should specify them.
It means we need the actual full paths of the files.
Example:
.eventlog
find /var/lib -inum 392489
find /var/lib -inum 394337
find /var/lib -inum 395406
It is important that all files have the proper file context specification so that if for some reason the file system needs to be relabeled the files will still have the proper type to avoid breakage like we witnessed above.
Thank you, Maria
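An added example, not part of the original thread: a small parser that picks out AVC denials on files and sock_files carrying the generic likewise_var_lib_t type, decodes hex-encoded path fields, and emits the per-inode find commands suggested above. The sample records are constructed (modelled on the quoted denials), and the helper names and the directory inode 390000 are assumptions.

```python
import re

GENERIC_TYPE = "likewise_var_lib_t"      # generic type discussed in the thread
NON_DIR_CLASSES = {"file", "sock_file"}  # object classes that should not carry it
FIELD_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")

def decode(value):
    """Audit quotes plain strings and hex-encodes ones with spaces or control chars."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_avc(line):
    m = PERMS_RE.search(line)
    if "avc:" not in line or not m:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["perms"] = set(m.group(1).split())
    for key in rec.keys() & {"name", "path", "comm"}:  # only these may be hex-encoded
        rec[key] = decode(rec[key])
    return rec

def mislabeled_objects(lines):
    """Group denials on non-directory objects with the generic type, keyed by inode."""
    found = {}
    for rec in filter(None, map(parse_avc, lines)):
        ttype = rec.get("tcontext", "").split(":")[2:3]
        if ttype == [GENERIC_TYPE] and rec.get("tclass") in NON_DIR_CLASSES and "ino" in rec:
            entry = found.setdefault(int(rec["ino"]), {"tclass": rec["tclass"], "names": set(), "perms": set()})
            entry["names"].add(rec.get("path") or rec.get("name"))
            entry["perms"] |= rec["perms"]
    return found

def find_commands(objects, root="/var/lib"):
    return [f"find {root} -inum {ino}" for ino in sorted(objects)]

def _avc(perm, fields, tclass, ttype=GENERIC_TYPE):  # builds one constructed record
    return (f"type=AVC msg=audit(0.0:0): avc: denied {{ {perm} }} for {fields} "
            f"scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:{ttype}:s0 tclass={tclass}")
HEX_PATH = "/var/lib/likewise/krb5cc_lsass.AD.DOMAIN (deleted)".encode().hex().upper()
SAMPLE = [  # constructed sample input, not real log data
    _avc("write", 'comm="lsassd" name=".eventlog" dev=dm-0 ino=392489', "sock_file"),
    _avc("getattr", f'comm="lsassd" path={HEX_PATH} dev=dm-0 ino=394337', "file"),
    _avc("unlink", 'comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337', "file"),
    _avc("search", 'comm="lsassd" name="likewise" dev=dm-0 ino=390000', "dir"),
    _avc("name_connect", 'comm="eventlogd" dest=135', "tcp_socket", "epmap_port_t"),
]
```

Calling find_commands(mislabeled_objects(SAMPLE)) yields one find command per affected inode; the directory and the port denial are skipped because only files and sock_files with the generic type are of interest here.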