Running rawhide/strict, I get the following about once or twice a day:
Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc: denied { search } for pid=27040 exe=/sbin/unix_chkpwd name=run dev=hda2 ino=4456484 scontext=user_u:user_r:user_chkpwd_t tcontext=system_u:object_r:var_run_t tclass=dir
Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc: denied { search } for pid=27040 exe=/sbin/unix_chkpwd name=nscd dev=hda2 ino=4556982 scontext=user_u:user_r:user_chkpwd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Suggest the following:
--- SAVE/chkpwd_macros.te 2004-11-10 07:37:22.098409600 -0800 +++ ./chkpwd_macros.te 2004-11-10 07:38:32.387484758 -0800 @@ -67,6 +67,8 @@
# for nscd dontaudit $1_chkpwd_t var_t:dir search; +dontaudit $1_chkpwd_t var_run_t:dir search; +dontaudit $1_chkpwd_t nscd_var_run_t:dir search;
dontaudit $1_chkpwd_t fs_t:filesystem getattr; ')
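Review bot: the two added dontaudit lines (var_run_t:dir search and nscd_var_run_t:dir search) only silence the AVC messages; they do not grant the search, so /sbin/unix_chkpwd still cannot traverse name=run and name=nscd to reach nscd, and the lookup keeps falling back or failing quietly. Since the surrounding "# for nscd" comment already says this access is for nscd, the cleaner fix is to grant it, for example by giving $1_chkpwd_t the nscd_client_domain attribute, and to keep dontaudit for accesses that are genuinely unwanted. A one-line comment stating why the two directories are touched would also help the next reader of chkpwd_macros.te.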
tom
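The thread turns on the difference between a dontaudit rule (which hides a denial without granting the access) and an allow rule reached through an attribute such as nscd_client_domain. The following Python script is an added example, not code from the original posts or from the Fedora policy: it parses the two AVC lines quoted above, generates the corresponding TE rules the way audit2allow would, and evaluates both proposed fixes in a toy policy model. The base-policy rules attached to nscd_client_domain (search on var_run_t and nscd_var_run_t) and the Policy/compare_fixes helpers are assumptions made for the example; the real attribute may grant more.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in the thread above.
AVC_LINES = [
    "Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc: denied { search } for pid=27040 "
    "exe=/sbin/unix_chkpwd name=run dev=hda2 ino=4456484 scontext=user_u:user_r:user_chkpwd_t "
    "tcontext=system_u:object_r:var_run_t tclass=dir",
    "Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc: denied { search } for pid=27040 "
    "exe=/sbin/unix_chkpwd name=nscd dev=hda2 ino=4556982 scontext=user_u:user_r:user_chkpwd_t "
    "tcontext=system_u:object_r:nscd_var_run_t tclass=dir",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, set of perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if m is None or m.group("result") != "denied":
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def te_rules(lines, kind="allow"):
    """Merge denials per (source, target, class) and emit one TE rule each, sorted."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            s, t, c, perms = parsed
            merged[(s, t, c)] |= perms
    out = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        out.append(f"{kind} {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return out

RULE_RE = re.compile(r"^(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+));$")

class Policy:
    """Toy TE evaluator (assumption, not the kernel's): allow grants, dontaudit only
    silences, and a rule whose source or target is an attribute expands to its members."""
    def __init__(self):
        self.allow, self.dontaudit = set(), set()
        self.attr = defaultdict(set)          # attribute -> member types

    def typeattribute(self, type_, attribute):
        self.attr[attribute].add(type_)

    def _expand(self, name):
        return self.attr[name] if name in self.attr else {name}

    def add(self, rule):
        m = RULE_RE.match(rule.strip())
        if not m:
            raise ValueError(f"cannot parse rule: {rule!r}")
        kind, src, tgt, cls, many, one = m.groups()
        table = self.allow if kind == "allow" else self.dontaudit
        for s in self._expand(src):
            for t in self._expand(tgt):
                for p in (many or one).split():
                    table.add((s, t, cls, p))

    def check(self, s, t, cls, perm):
        """Return (allowed, audited): a denial is logged unless a dontaudit covers it."""
        allowed = (s, t, cls, perm) in self.allow
        audited = not allowed and (s, t, cls, perm) not in self.dontaudit
        return allowed, audited

def compare_fixes(lines):
    """Evaluate both fixes proposed in the thread against every parsed denial."""
    denials = [d for d in map(parse_avc, lines) if d]
    # Fix 1: dontaudit exactly what was denied (the first patch in the thread).
    silenced = Policy()
    for rule in te_rules(lines, "dontaudit"):
        silenced.add(rule)
    # Fix 2: make the domain an nscd_client_domain. Assumed base-policy rules for that
    # attribute follow; the page does not show what the real attribute grants.
    granted = Policy()
    granted.typeattribute("user_chkpwd_t", "nscd_client_domain")
    granted.add("allow nscd_client_domain var_run_t:dir search;")
    granted.add("allow nscd_client_domain nscd_var_run_t:dir search;")
    result = {}
    for s, t, c, perms in denials:
        for p in perms:
            result[(t, p)] = {"dontaudit": silenced.check(s, t, c, p),
                              "nscd_client_domain": granted.check(s, t, c, p)}
    return result

if __name__ == "__main__":
    print("\n".join(te_rules(AVC_LINES)))
    for key, outcome in compare_fixes(AVC_LINES).items():
        print(key, outcome)
```

Both fixes make the log go quiet, but only the attribute-based one returns allowed=True; the dontaudit variant leaves unix_chkpwd unable to search the directories while removing the only evidence of it.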
On Wed, 2004-11-10 at 10:40, Tom London wrote:
Suggest the following:
--- SAVE/chkpwd_macros.te 2004-11-10 07:37:22.098409600 -0800 +++ ./chkpwd_macros.te 2004-11-10 07:38:32.387484758 -0800 @@ -67,6 +67,8 @@
# for nscd dontaudit $1_chkpwd_t var_t:dir search; +dontaudit $1_chkpwd_t var_run_t:dir search; +dontaudit $1_chkpwd_t nscd_var_run_t:dir search;
dontaudit $1_chkpwd_t fs_t:filesystem getattr; ')
Hmmm... shouldn't $1_chkpwd_t be an nscd_client_domain? It seems legitimate for it to perform passwd lookups via nscd.
Tom London wrote:
Running rawhide/strict, I get the following about once or twice a day:
Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc: denied { search } for pid=27040 exe=/sbin/unix_chkpwd name=run dev=hda2 ino=4456484 scontext=user_u:user_r:user_chkpwd_t tcontext=system_u:object_r:var_run_t tclass=dir
Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc: denied { search } for pid=27040 exe=/sbin/unix_chkpwd name=nscd dev=hda2 ino=4556982 scontext=user_u:user_r:user_chkpwd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Suggest the following:
--- SAVE/chkpwd_macros.te 2004-11-10 07:37:22.098409600 -0800 +++ ./chkpwd_macros.te 2004-11-10 07:38:32.387484758 -0800 @@ -67,6 +67,8 @@
# for nscd dontaudit $1_chkpwd_t var_t:dir search; +dontaudit $1_chkpwd_t var_run_t:dir search; +dontaudit $1_chkpwd_t nscd_var_run_t:dir search;
dontaudit $1_chkpwd_t fs_t:filesystem getattr; ')
tom
This should fix it.
diff -u chkpwd_macros.te~ chkpwd_macros.te --- chkpwd_macros.te~ 2004-11-09 14:08:33.000000000 -0500 +++ chkpwd_macros.te 2004-11-10 10:54:20.098525218 -0500 @@ -15,7 +15,7 @@ ifdef(`chkpwd.te', ` define(`chkpwd_domain',` # Derived domain based on the calling user domain and the program. -type $1_chkpwd_t, domain, privlog, auth; +type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
# is_selinux_enabled allow $1_chkpwd_t proc_t:file read;
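Review bot: the type line now depends on the nscd_client_domain attribute being declared, but the macro is only guarded by ifdef(`chkpwd.te', ...); please confirm the attribute is declared unconditionally (not only when nscd.te is present), otherwise policy builds without nscd will fail at this line. With the attribute in place, the "# for nscd" dontaudit of var_t:dir search that already sits lower in the same macro deserves a second look, since the nscd access is now meant to be granted rather than hidden; a short comment on the type line naming nscd as the reason for the new attribute would also make the change self-explanatory.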
selinux@lists.fedoraproject.org