I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I will take care of a large number of denials if I can change the type of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
I added the file context rule with semanage, and used restorecon to change it to lsassd_var_socket_t as desired. But later I found that / var/lib/likewise/.lsassd had type var_lib_t again. I assume that is because the likewise processes run as initrc_t.
I'd like to change the policy and tell it that services running in either initrc_t or unconfined_t domains should create the file /var/ lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line tool lwsm for managing the processes runs in unconfined_t so I'd like to include that domain to be safe. ) How can I go about doing that in RHEL 6 (or can I)?
Thanks, Maria
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/31/2012 05:33 PM, Maria Iano wrote:
What label do you have on /var/lib/likewise?
On Feb 1, 2012, at 11:30 AM, Daniel J Walsh wrote:
system_u:object_r:var_lib_t:s0
On 02/01/2012 11:37 AM, Maria Iano wrote:
In that case, why not just label it lsassd_var_lib_t?
Currently the labeling is
/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
If you label it similarly, then you have a step in the right direction.
I am not sure who wrote policy for the likewise domain, but I think I would eliminate all of the different labels. But I guess that is the way it is.
If unconfined_t is creating a socket in the directory then I guess it would be listening on the socket, but other domains would not be allowed to communicate.
One potential option if you got all of the labeling correct would be to use restorecond.
On Feb 1, 2012, at 11:50 AM, Daniel J Walsh wrote:
I actually had somehow not noticed those file contexts for the likewise-open directories, thank you. I added all of the file contexts for likewise (which involved replacing likewise-open with likewise to match my system). I also turned on the restorecond service. When restorecond is not running the file /var/lib/likewise/.lsassd does get relabeled incorrectly but now that restorecond is running it's being fixed immediately. Thank you!
On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I will take care of a large number of denials if I can change the type of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
I added the file context rule with semanage, and used restorecon to change it to lsassd_var_socket_t as desired. But later I found that /var/lib/likewise/.lsassd had type var_lib_t again. I assume that is because the likewise processes run as initrc_t.
Why are the likewise processes running in initrc_t?
Are the likewise executable files in their proper location:
/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
I'd like to change the policy and tell it that services running in either initrc_t or unconfined_t domains should create the file /var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line tool lwsm for managing the processes runs in unconfined_t so I'd like to include that domain to be safe.) How can I go about doing that in RHEL 6 (or can I)?
That is not possible but if you label /var/lib/likewise:
semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
And configure restorecond to watch /var/lib/likewise; then the file will be reset to the proper type when restorecond notices that it's mislabeled.
The policy for likewise was written by the people of likewise. I helped with it a bit. I think we collaborated on the selinux maillist but I could not find the thread about it on short notice. (I was looking for the e-mail address of the likewise policy author so that I can ask him to see if the policy is still up-to-date.)
It may be that the policy is not maintained optimally.
Maybe you can help us revisit it?
On Feb 1, 2012, at 1:32 PM, Dominick Grift wrote:
Those files are all under /opt/likewise/sbin on this system (although there is no srvsvcd):
/opt/likewise/sbin/dcerpcd
/opt/likewise/sbin/eventlogd
/opt/likewise/sbin/lsassd
/opt/likewise/sbin/lwiod
/opt/likewise/sbin/lwregd
/opt/likewise/sbin/lwsmd
/opt/likewise/sbin/netlogond
Also the directories corresponding to /etc/likewise-open and /var/lib/likewise-open are actually /etc/likewise and /var/lib/likewise on my system.
My system is RHEL 6.2 and I installed LikewiseOpen by downloading LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh, making it executable, and typing: ./LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh install
So I think it is installed with all the defaults.
I would be very happy to help. I would really like for selinux and likewise to coexist comfortably.
Thanks! Maria
On Wed, 2012-02-01 at 15:05 -0500, Maria Iano wrote:
Why, that's great.
Here is a list with all file contexts for likewise files:
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/module...
Basically what I would do if I were you is add file context specifications using "semanage fcontext" or a custom .fc file for all the entries in there matching files on your system:
example:
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
would be:
semanage fcontext -a -t lsassd_exec_t -f -- "/opt/likewise/sbin/lsassd"
and:
/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
would be:
semanage fcontext -a -t lsassd_var_socket_t -f -s "/var/lib/likewise-open/.lsassd"
When all is added you can use matchpathcon to verify whether the type matches what you've specified. Example:
matchpathcon /opt/likewise/sbin/lsassd
and if that is verified to be correct actually apply the contexts by running for example:
restorecon -R -v /opt/likewise/sbin/lsassd
Then you should try it out, collect any AVC denials that you are seeing and enclose those so that we can analyze them and fix bugs where possible.
If you have any questions or comments do not hesitate to ask.
I am looking forward to your reply.
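The procedure Dominick describes (translate each likewise .fc entry into a semanage fcontext command for this host's paths, check with matchpathcon, then apply with restorecon) as a script. This is an added example, not code from the thread or from the selinux-policy project; the /usr/sbin to /opt/likewise/sbin and likewise-open to likewise rewrites, the function names and the sample entries are assumptions based on what Maria reported.

```shell
#!/bin/sh
# Added example, not code from the thread: generate "semanage fcontext"
# commands from upstream likewise .fc entries for a host whose files live
# under /opt/likewise, /etc/likewise and /var/lib/likewise. Only prints the
# commands; review them, then pipe them to sh and run restorecon.

# Rewrite one path from the upstream policy layout to this host's layout.
# Assumed mappings, taken from what was reported for this install.
remap_path() {
    printf '%s\n' "$1" | sed \
        -e 's#^/usr/sbin/#/opt/likewise/sbin/#' \
        -e 's#^/etc/likewise-open#/etc/likewise#' \
        -e 's#^/var/lib/likewise-open#/var/lib/likewise#'
}

# Read .fc entries on stdin, one per line:
#   <path-regex> [<file-type>] gen_context(user:role:type,level)
# and print one semanage command per entry. Entries with no file-type
# field (such as /var/lib/likewise-open(/.*)?) get no -f option; the
# -f -- / -f -s / -f -d forms follow the ones used in the thread.
fc_to_semanage() {
    while read -r path ftype ctx; do
        case "$path" in
            ''|'#'*) continue ;;
        esac
        case "$ftype" in
            gen_context*) ctx=$ftype; ftype='' ;;   # two-field entry
        esac
        type=$(printf '%s\n' "$ctx" | sed -n 's/.*object_r:\([a-z0-9_]*\),.*/\1/p')
        if [ -z "$type" ]; then
            echo "skipping unparsable entry: $path" >&2
            continue
        fi
        newpath=$(remap_path "$path")
        if [ -n "$ftype" ]; then
            printf 'semanage fcontext -a -t %s -f %s "%s"\n' "$type" "$ftype" "$newpath"
        else
            printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$newpath"
        fi
    done
}

# Show what the loaded file contexts now map each path to, so the result
# can be checked before restorecon. Skipped where libselinux-utils is absent.
verify_paths() {
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not available here; skipping verification" >&2
        return 0
    fi
    for p in "$@"; do
        matchpathcon "$p"
    done
}

# Constructed sample input in the layout of the upstream likewise.fc.
fc_to_semanage <<'EOF'
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
EOF

# On the real host, after applying the printed commands:
verify_paths /opt/likewise/sbin/lsassd /var/lib/likewise/.lsassd
# then: restorecon -R -v /opt/likewise/sbin /etc/likewise /var/lib/likewise
```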
On Feb 1, 2012, at 4:53 PM, Dominick Grift wrote:
On a CentOS 6.2 system which had never had likewise installed, I ran the corresponding semanage commands to these file contexts:
/etc/likewise(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
/etc/likewise/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
/etc/likewise/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)

/etc/rc.d/init.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
/etc/rc.d/init.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
/etc/rc.d/init.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)

/opt/likewise/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/opt/likewise/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/opt/likewise/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
/opt/likewise/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
/opt/likewise/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)

/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
/var/lib/likewise/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
/var/lib/likewise/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
/var/lib/likewise/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
/var/lib/likewise/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
/var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
/var/lib/likewise/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
/var/lib/likewise/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
/var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
/var/lib/likewise/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
/var/lib/likewise/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
/var/lib/likewise/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
/var/lib/likewise/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
I then installed LikewiseOpen with LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh. I joined the computer to the AD domain and rebooted.
The first two denials were due to incorrect labeling of /var/lib/likewise/db/registry.db and /var/lib/likewise/db/sam.db. Both were labeled as unconfined_u:object_r:likewise_var_lib_t:s0. They should be unconfined_u:object_r:lwregd_var_lib_t:s0 and unconfined_u:object_r:lsassd_var_lib_t:s0 respectively. I ran restorecon on both and have not had any of those type of denials since. So far they have retained their correct context through a reboot, so perhaps it's just something that doesn't work correctly during the installation.
I've attached the remaining AVCs to this message, but since I'm not sure the mailing list will allow that through I'll also paste them in below. I removed duplicates. Also there were a large number of entries where lsassd tried to getattr for many different /proc/xxxx but I only included one. It didn't just try to do that for likewise processes, but every process running at the time (or maybe almost every). I can forward all of those as well if you'd like.
Here is the list:
type=AVC msg=audit(1328198424.686:20): avc: denied { write } for pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file type=AVC msg=audit(1328198424.686:20): avc: denied { connectto } for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond" scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1328198424.686:20): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fdbec624450 a2=6e a3=10 items=0 ppid=1108 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwiod" exe="/opt/ likewise/sbin/lwiod" subj=system_u:system_r:lwiod_t:s0 key=(null)
type=AVC msg=audit(1328203534.556:16): avc: denied { getattr } for pid=1141 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.556:16): arch=c000003e syscall=4 success=yes exit=0 a0=7f5e28001488 a1=7f5e33ffc8d0 a2=7f5e33ffc8d0 a3=0 items=0 ppid=1 pid=1141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203534.536:14): avc: denied { getattr } for pid=1141 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.536:14): arch=c000003e syscall=4 success=yes exit=0 a0=7f5e28001368 a1=7f5e33ffc8d0 a2=7f5e33ffc8d0 a3=7f5e33ffc650 items=0 ppid=1 pid=1141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198424.023:16): avc: denied { getattr } for pid=1142 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328198424.023:16): arch=c000003e syscall=4 success=yes exit=0 a0=7f4894001488 a1=7f48ad2548d0 a2=7f48ad2548d0 a3=0 items=0 ppid=1 pid=1142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.995:14): avc: denied { getattr } for pid=1142 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.995:14): arch=c000003e syscall=4 success=yes exit=0 a0=7f4894001368 a1=7f48ad2548d0 a2=7f48ad2548d0 a3=7f48ad254650 items=0 ppid=1 pid=1142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203534.221:9): avc: denied { getattr } for pid=1143 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.221:9): arch=c000003e syscall=4 success=yes exit=0 a0=40bc68 a1=7fff7f6d2520 a2=7fff7f6d2520 a3=7fff7f6d22a0 items=0 ppid=1108 pid=1143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="eventlogd" exe="/opt/likewise/sbin/eventlogd" subj=system_u:system_r:eventlogd_t:s0 key=(null)
type=AVC msg=audit(1328198423.667:9): avc: denied { getattr } for pid=1144 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.667:9): arch=c000003e syscall=4 success=yes exit=0 a0=40bc68 a1=7fff6b605a50 a2=7fff6b605a50 a3=7fff6b6057d0 items=0 ppid=1108 pid=1144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="eventlogd" exe="/opt/likewise/sbin/eventlogd" subj=system_u:system_r:eventlogd_t:s0 key=(null)
type=AVC msg=audit(1328200531.030:128): avc: denied { getattr } for pid=1486 comm="lsassd" path="/proc/1043" dev=proc ino=10798 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir type=SYSCALL msg=audit(1328200531.030:128): arch=c000003e syscall=4 success=yes exit=0 a0=7f88fc004bb0 a1=7f88e9ff5cf0 a2=7f88e9ff5cf0 a3=fffffffc items=0 ppid=1108 pid=1486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lsassd" exe="/opt/likewise/sbin/lsassd" subj=system_u:system_r:lsassd_t:s0 key=(null)
type=AVC msg=audit(1328198350.870:21214): avc: denied { getattr } for pid=1912 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328198350.870:21214): arch=c000003e syscall=4 success=yes exit=0 a0=7f2790001828 a1=7f27a25718c0 a2=7f27a25718c0 a3=0 items=0 ppid=1 pid=1912 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198350.864:21212): avc: denied { getattr } for pid=1912 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198350.864:21212): arch=c000003e syscall=4 success=yes exit=0 a0=7f2790000e08 a1=7f27a25718c0 a2=7f27a25718c0 a3=0 items=0 ppid=1 pid=1912 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203469.517:203): avc: denied { getattr } for pid=2428 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328203469.517:203): arch=c000003e syscall=4 success=yes exit=0 a0=7f48980018f8 a1=7f48adc558c0 a2=7f48adc558c0 a3=0 items=0 ppid=1 pid=2428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203469.508:201): avc: denied { getattr } for pid=2428 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328203469.508:201): arch=c000003e syscall=4 success=yes exit=0 a0=7f4898000a18 a1=7f48adc558c0 a2=7f48adc558c0 a3=0 items=0 ppid=1 pid=2428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.037:5): avc: denied { lock } for pid=1108 comm="lwsmd" path="/var/lib/likewise/.lwsmd-lock" dev=dm-0 ino=395380 scontext=system_u:system_r:lwsmd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.037:5): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7fff74251500 a3=7fff74251280 items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198424.260:19): avc: denied { lock } for pid=1151 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198424.260:19): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=6 a2=7f2341dd20f0 a3=7f2341dd1e60 items=0 ppid=1108 pid=1151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="eventlogd" exe="/opt/likewise/sbin/eventlogd" subj=system_u:system_r:eventlogd_t:s0 key=(null)
type=AVC msg=audit(1328198423.032:4): avc: denied { write } for pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380 scontext=system_u:system_r:lwsmd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=AVC msg=audit(1328198423.032:4): avc: denied { open } for pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380 scontext=system_u:system_r:lwsmd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.032:4): arch=c000003e syscall=2 success=yes exit=3 a0=4081ff a1=241 a2=80 a3=7fff74251280 items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.043:6): avc: denied { read } for pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328198423.043:6): avc: denied { open } for pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.043:6): arch=c000003e syscall=2 success=yes exit=7 a0=361cb6372e a1=80000 a2=1fffdd09458b a3=7fff74251200 items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.343:8): avc: denied { read } for pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwregd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328198423.343:8): avc: denied { open } for pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwregd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.343:8): arch=c000003e syscall=2 success=yes exit=5 a0=361cb6372e a1=80000 a2=1ffffbf31283 a3=7fffefcc4590 items=0 ppid=1108 pid=1112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwregd" exe="/opt/likewise/sbin/lwregd" subj=system_u:system_r:lwregd_t:s0 key=(null)
type=AVC msg=audit(1328203534.538:15): avc: denied { read } for pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=AVC msg=audit(1328203534.538:15): avc: denied { open } for pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.538:15): arch=c000003e syscall=2 success=yes exit=11 a0=7f5e28001368 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203534.557:17): avc: denied { read } for pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=AVC msg=audit(1328203534.557:17): avc: denied { open } for pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.557:17): arch=c000003e syscall=2 success=yes exit=11 a0=7f5e28001488 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.996:15): avc: denied { read } for pid=1142 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=AVC msg=audit(1328198423.996:15): avc: denied { open } for pid=1142 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.996:15): arch=c000003e syscall=2 success=yes exit=11 a0=7f4894001368 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198424.027:17): avc: denied { read } for pid=1142 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=AVC msg=audit(1328198424.027:17): avc: denied { open } for pid=1142 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328198424.027:17): arch=c000003e syscall=2 success=yes exit=11 a0=7f4894001488 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203534.223:10): avc: denied { read } for pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328203534.223:10): avc: denied { open } for pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.223:10): arch=c000003e syscall=2 success=yes exit=4 a0=361cb6372e a1=80000 a2=1fffdfdb4acf a3=7fff7f6d25e0 items=0 ppid=1108 pid=1143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="eventlogd" exe="/opt/likewise/sbin/eventlogd" subj=system_u:system_r:eventlogd_t:s0 key=(null)
type=AVC msg=audit(1328198423.672:10): avc: denied { read } for pid=1144 comm="eventlogd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328198423.672:10): avc: denied { open } for pid=1144 comm="eventlogd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.672:10): arch=c000003e syscall=2 success=yes exit=4 a0=361cb6372e a1=80000 a2=1fffdad8181b a3=7fff6b605b10 items=0 ppid=1108 pid=1144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="eventlogd" exe="/opt/likewise/sbin/eventlogd" subj=system_u:system_r:eventlogd_t:s0 key=(null)
type=AVC msg=audit(1328203534.286:11): avc: denied { read } for pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:netlogond_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328203534.286:11): avc: denied { open } for pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:netlogond_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328203534.286:11): arch=c000003e syscall=2 success=yes exit=4 a0=361cb6372e a1=80000 a2=1fffc0433b53 a3=7fff010ce7b0 items=0 ppid=1108 pid=1150 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netlogond" exe="/opt/likewise/sbin/netlogond" subj=system_u:system_r:netlogond_t:s0 key=(null)
type=AVC msg=audit(1328198424.259:18): avc: denied { read write } for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=AVC msg=audit(1328198424.259:18): avc: denied { open } for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198424.259:18): arch=c000003e syscall=2 success=yes exit=9 a0=7f231c0013e0 a1=42 a2=1a4 a3=7f2341dd2030 items=0 ppid=1108 pid=1151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="eventlogd" exe="/opt/likewise/sbin/eventlogd" subj=system_u:system_r:eventlogd_t:s0 key=(null)
type=AVC msg=audit(1328198423.748:11): avc: denied { read } for pid=1152 comm="netlogond" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:netlogond_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328198423.748:11): avc: denied { open } for pid=1152 comm="netlogond" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:netlogond_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.748:11): arch=c000003e syscall=2 success=yes exit=4 a0=361cb6372e a1=80000 a2=1fffca9448f3 a3=7fff2a511e30 items=0 ppid=1108 pid=1152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netlogond" exe="/opt/likewise/sbin/netlogond" subj=system_u:system_r:netlogond_t:s0 key=(null)
type=AVC msg=audit(1328198423.936:12): avc: denied { read } for pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1328198423.936:12): avc: denied { open } for pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=SYSCALL msg=audit(1328198423.936:12): arch=c000003e syscall=2 success=yes exit=4 a0=361cb6372e a1=80000 a2=1fffc42643f7 a3=7fff10990980 items=0 ppid=1108 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwiod" exe="/opt/likewise/sbin/lwiod" subj=system_u:system_r:lwiod_t:s0 key=(null)
type=AVC msg=audit(1328198350.869:21213): avc: denied { read } for pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=AVC msg=audit(1328198350.869:21213): avc: denied { open } for pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328198350.869:21213): arch=c000003e syscall=2 success=yes exit=4 a0=7f2790000e08 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1912 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198350.873:21215): avc: denied { read } for pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=AVC msg=audit(1328198350.873:21215): avc: denied { open } for pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328198350.873:21215): arch=c000003e syscall=2 success=yes exit=4 a0=7f2790001828 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1912 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203469.517:202): avc: denied { read } for pid=2428 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=AVC msg=audit(1328203469.517:202): avc: denied { open } for pid=2428 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1328203469.517:202): arch=c000003e syscall=2 success=yes exit=4 a0=7f4898000a18 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328203469.518:204): avc: denied { read } for pid=2428 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=AVC msg=audit(1328203469.518:204): avc: denied { open } for pid=2428 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file type=SYSCALL msg=audit(1328203469.518:204): arch=c000003e syscall=2 success=yes exit=4 a0=7f48980018f8 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.053:7): avc: denied { setpgid } for pid=1112 comm="lwsmd" scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:system_r:lwsmd_t:s0 tclass=process type=SYSCALL msg=audit(1328198423.053:7): arch=c000003e syscall=109 success=yes exit=0 a0=458 a1=458 a2=458 a3=361d017240 items=0 ppid=1108 pid=1112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwsmd" exe="/opt/likewise/sbin/lwsmd" subj=system_u:system_r:lwsmd_t:s0 key=(null)
type=AVC msg=audit(1328198423.945:13): avc: denied { setrlimit } for pid=1164 comm="lwiod" scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:lwiod_t:s0 tclass=process type=AVC msg=audit(1328198423.945:13): avc: denied { sys_resource } for pid=1164 comm="lwiod" capability=24 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:lwiod_t:s0 tclass=capability type=SYSCALL msg=audit(1328198423.945:13): arch=c000003e syscall=160 success=yes exit=0 a0=7 a1=7fff10990e60 a2=7fff10990e10 a3=7fff10990b50 items=0 ppid=1108 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwiod" exe="/opt/likewise/sbin/lwiod" subj=system_u:system_r:lwiod_t:s0 key=(null)
type=AVC msg=audit(1328198424.686:20): avc: denied { write } for pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file type=AVC msg=audit(1328198424.686:20): avc: denied { connectto } for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond" scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1328198424.686:20): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fdbec624450 a2=6e a3=10 items=0 ppid=1108 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwiod" exe="/opt/likewise/sbin/lwiod" subj=system_u:system_r:lwiod_t:s0 key=(null)
type=AVC msg=audit(1328203535.270:20): avc: denied { write } for pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=394189 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file type=AVC msg=audit(1328203535.270:20): avc: denied { connectto } for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond" scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1328203535.270:20): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fa6e0f14450 a2=6e a3=10 items=0 ppid=1108 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lwiod" exe="/opt/likewise/sbin/lwiod" subj=system_u:system_r:lwiod_t:s0 key=(null)
On Feb 2, 2012, at 5:58 PM, Maria Iano wrote:
On Feb 1, 2012, at 4:53 PM, Dominick Grift wrote:
On Wed, 2012-02-01 at 15:05 -0500, Maria Iano wrote:
On Feb 1, 2012, at 1:32 PM, Dominick Grift wrote:
On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I will take care of a large number of denials if I can change the type of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
I added the file context rule with semanage, and used restorecon to change it to lsassd_var_socket_t as desired. But later I found that /var/lib/likewise/.lsassd had type var_lib_t again. I assume that is because the likewise processes run as initrc_t.
Why are the likewise processes running in initrc_t?
Are the likewise executable files in their proper location:
/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
I'd like to change the policy and tell it that services running in either initrc_t or unconfined_t domains should create the file /var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line tool lwsm for managing the processes runs in unconfined_t so I'd like to include that domain to be safe.) How can I go about doing that in RHEL 6 (or can I)?
That is not possible but if you label /var/lib/likewise:
semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
And configure restorecond to watch /var/lib/likewise then the file will be reset to the proper type when restorecond notices that its mislabeled.
The policy for likewise was written by the people of likewise. I helped with it a bit. I think we collaborated on the selinux maillist but I could not find the thread about it on short notice. (I was looking for the e-mail address of the likewise policy author so that I can ask him to see if the policy is still up-to-date.)
It may be that the policy is not maintained optimally.
Maybe you can help us revisit it?
Those files are all under /opt/likewise/sbin on this system (although there is no srvsvcd):
/opt/likewise/sbin/dcerpcd
/opt/likewise/sbin/eventlogd
/opt/likewise/sbin/lsassd
/opt/likewise/sbin/lwiod
/opt/likewise/sbin/lwregd
/opt/likewise/sbin/lwsmd
/opt/likewise/sbin/netlogond
Also the directories corresponding to /etc/likewise-open and /var/lib/likewise-open are actually /etc/likewise and /var/lib/likewise on my system.
My system is RHEL 6.2 and I installed LikewiseOpen by downloading LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh, making it executable, and typing: ./LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh install
So I think it is installed with all the defaults.
I would be very happy to help. I would really like for selinux and likewise to coexist comfortably.
Why, that's great.
Here is a list with all file contexts for likewise files:
http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/module...
Basically what I would do if I were you is add file context specifications using "semanage fcontext" or a custom .fc file for all the entries in there matching files on your system:
example:
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
would be:
semanage fcontext -a -t lsassd_exec_t -f -- "/opt/likewise/sbin/lsassd"
and:
/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
would be:
semanage fcontext -a -t lsassd_var_socket_t -f -s "/var/lib/likewise-open/.lsassd"
When all is added you can use matchpathcon to verify whether the type matches what you've specified. Example:
matchpathcon /opt/likewise/sbin/lsassd
and if that is verified to be correct actually apply the contexts by running for example:
restorecon -R -v /opt/likewise/sbin/lsassd
Then you should try it out, collect any AVC denials that you are seeing and enclose those so that we can analyze them and fix bugs where possible.
If you have any questions or comments do not hesitate to ask.
I am looking forward to your reply.
On a CentOS 6.2 system which had never had likewise installed, I ran the corresponding semanage commands to these file contexts:
/etc/likewise(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
/etc/likewise/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
/etc/likewise/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)

/etc/rc.d/init.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
/etc/rc.d/init.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
/etc/rc.d/init.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)

/opt/likewise/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/opt/likewise/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/opt/likewise/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/opt/likewise/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
/opt/likewise/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
/opt/likewise/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)

/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
/var/lib/likewise/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
/var/lib/likewise/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
/var/lib/likewise/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
/var/lib/likewise/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
/var/lib/likewise/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
/var/lib/likewise/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
/var/lib/likewise/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
/var/lib/likewise/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
/var/lib/likewise/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
/var/lib/likewise/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
/var/lib/likewise/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
/var/lib/likewise/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
I then installed LikewiseOpen with LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh. I joined the computer to the AD domain and rebooted.
The first two denials were due to incorrect labeling of /var/lib/likewise/db/registry.db and /var/lib/likewise/db/sam.db. Both were labeled as unconfined_u:object_r:likewise_var_lib_t:s0. They should be unconfined_u:object_r:lwregd_var_lib_t:s0 and unconfined_u:object_r:lsassd_var_lib_t:s0 respectively. I ran restorecon on both and have not had any of those type of denials since. So far they have retained their correct context through a reboot, so perhaps it's just something that doesn't work correctly during the installation.
I've attached the remaining AVCs to this message, but since I'm not sure the mailing list will allow that through I'll also paste them in below. I removed duplicates. Also there were a large number of entries where lsassd tried to getattr for many different /proc/xxxx but I only included one. It didn't just try to do that for likewise processes, but every process running at the time (or maybe almost every). I can forward all of those as well if you'd like.
I just noticed that I missed some duplicates. Here is a slightly shorter list. Now I know I can attach them so I won't paste them in again.
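The procedure quoted above (take each gen_context() entry from the upstream likewise.fc, translate it into a "semanage fcontext -a" command for the path the installer actually used, verify with matchpathcon, then apply with restorecon) is mechanical enough to script. The following is an added example, not code from the thread or from the selinux-policy or Likewise projects; it assumes the default LikewiseOpen 6.1 layout reported above (/opt/likewise/sbin and /var/lib/likewise instead of /usr/sbin and /var/lib/likewise-open) and the RHEL 6 spelling of the "-f" flag. Only a handful of entries are embedded, copied from the lines quoted in this thread.

```python
"""Generate the semanage/matchpathcon/restorecon steps from .fc entries.

Added example for this thread; not code from the selinux-policy tree or
from Likewise. It reads gen_context() lines in the format quoted above,
rewrites the policy's paths to where the LikewiseOpen installer put the
files (assumption: /opt/likewise and /var/lib/likewise) and prints the
RHEL 6 commands to register and verify the contexts.
"""
import re
import shlex

# A few entries copied from the likewise.fc lines quoted in the thread.
UPSTREAM_FC = """\
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
"""

# Where the policy expects files -> where this install actually has them.
PREFIX_MAP = [
    ("/usr/sbin/", "/opt/likewise/sbin/"),
    ("/var/lib/likewise-open", "/var/lib/likewise"),
]

FC_LINE = re.compile(
    r"^(?P<spec>\S+)"                      # path regex
    r"(?:\s+(?P<ftype>--|-[bcdlps]))?"     # optional object class flag
    r"\s+gen_context\(\w+:\w+:(?P<type>\w+),\s*[^)\s]+\)$"
)


def parse_fc(text):
    """Yield (path spec, class flag or None, SELinux type) per entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable fc entry: %r" % line)
        yield m.group("spec"), m.group("ftype"), m.group("type")


def remap(spec, prefix_map=PREFIX_MAP):
    """Rewrite the leading policy path to the local install location."""
    for old, new in prefix_map:
        if spec.startswith(old):
            return new + spec[len(old):]
    return spec


def is_literal(spec):
    """True when the spec is a plain path (a '.' alone is treated as literal)."""
    return re.search(r"[\^$*+?()\[\]{}|\\]", spec) is None


def semanage_commands(fc_text, prefix_map=PREFIX_MAP):
    """One 'semanage fcontext -a' per entry, paths remapped and shell-quoted."""
    cmds = []
    for spec, ftype, setype in parse_fc(fc_text):
        cmd = ["semanage", "fcontext", "-a", "-t", setype]
        if ftype:
            # RHEL 6 semanage takes the flag exactly as written in the .fc file
            # (--, -d, -s, ...); current releases spell it f, d, s instead.
            cmd += ["-f", ftype]
        cmd.append(remap(spec, prefix_map))
        cmds.append(" ".join(shlex.quote(c) for c in cmd))
    return cmds


def restorecon_roots(specs):
    """Smallest set of directories whose recursive relabel covers every spec."""
    roots = set()
    for spec in specs:
        literal = re.split(r"[(\[*?]", spec)[0]     # prefix before any regex syntax
        root = literal.rstrip("/") if literal != spec else spec.rsplit("/", 1)[0]
        roots.add(root or "/")
    return sorted(r for r in roots
                  if not any(o != r and r.startswith(o + "/") for o in roots))


def verification_commands(fc_text, prefix_map=PREFIX_MAP):
    """matchpathcon for every literal path, then restorecon over the roots."""
    specs = [remap(s, prefix_map) for s, _f, _t in parse_fc(fc_text)]
    cmds = ["matchpathcon " + shlex.quote(s) for s in specs if is_literal(s)]
    cmds += ["restorecon -R -v " + shlex.quote(r) for r in restorecon_roots(specs)]
    return cmds


if __name__ == "__main__":
    for c in semanage_commands(UPSTREAM_FC) + verification_commands(UPSTREAM_FC):
        print(c)
```

Run it with the full fc file pasted into UPSTREAM_FC and review the printed commands before executing them as root; matchpathcon is only emitted for literal paths because the regex entries have no single path to check, and restorecon is collapsed to the top directories (here /opt/likewise/sbin and /var/lib/likewise) rather than being run per file.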
On Thu, 2012-02-02 at 18:36 -0500, Maria Iano wrote:
Alright. I have cleaned up my policy patch as well. It was very late last night when I did it (or early this morning). There were some dupes, typos and other issues. Generally it was just a mess.
This is what your mylikewise.te file should look like: (except for the line breaks, that is due to my e-mail client)
policy_module(mylikewise, 1.0.0)

optional_policy(`
	gen_require(`
		attribute likewise_domains;
		type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
		type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t, eventlogd_t;
	')

	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

	kernel_read_system_state(likewise_domains)
	domain_dontaudit_search_all_domains_state(lsassd_t)

	allow lwsmd_t likewise_var_lib_t:file write_file_perms;
	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;

	allow eventlogd_t likewise_var_lib_t:file rw_file_perms;

	allow lwsmd_t self:process setpgid;
	allow lwiod_t self:process setrlimit;
	allow lwiod_t self:capability sys_resource;
')
To build it:
make -f /usr/share/selinux/devel/Makefile mylikewise.pp
to install it:
sudo semodule -i mylikewise.pp
On Fri, 2012-02-03 at 10:02 +0100, Dominick Grift wrote:
Actually, I think I figured out why /var/lib/likewise/db/lwi_events.db and /var/lib/likewise/.lwsmd-lock might have been mislabeled.
The "lwi_events.db" has chars that need to be escaped. (either the dot or underscore or both)
The .lwsmd-lock has no file context specification at all currently.
Please try the following (watch the line breaks, though; this e-mail client messes up the layout):
mylikewise.te:
policy_module(mylikewise, 1.0.0)

optional_policy(`
	gen_require(`
		attribute likewise_domains;
		type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
		type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
	')

	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

	kernel_read_system_state(likewise_domains)
	domain_dontaudit_search_all_domains_state(lsassd_t)
	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;

	allow lwsmd_t self:process setpgid;
	allow lwiod_t self:process setrlimit;
	allow lwiod_t self:capability sys_resource;
')
mylikewise.fc:
/var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
to build:
make -f /usr/share/selinux/devel/Makefile mylikewise.pp
to install
sudo semodule -i mylikewise.pp
restore contexts
restorecon -R -v /var/lib/likewise
See if the two paths above have the right type:
ls -alZ /var/lib/likewise/.lwsmd-lock
ls -alZ /var/lib/likewise/db/lwi_events.db
(also see if, when you remove them, they get created with the right type)
If this is fixed then please test the app again. This change may introduce some new AVC denials.
On Feb 3, 2012, at 4:43 AM, Dominick Grift wrote:
I installed the mylikewise policy. those two files do have the right type now. After I remove them they do get created with the right type.
After installing the new policy there were some additional AVCs. Here they are:
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.603:69): avc: denied { write } for pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for pid=1161 comm="lsassd" path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429 dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.585:66): avc: denied { read write open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { read } for pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { open } for pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
Thank you, Maria
On Fri, 2012-02-03 at 15:41 -0500, Maria Iano wrote:
I installed the mylikewise policy. those two files do have the right type now. After I remove them they do get created with the right type.
After installing the new policy there were some additional AVCs. Here they are:
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
add this to the mylikewise.te file:
corenet_tcp_connect_epmap_port(eventlogd_t)
then just: make -f /usr/share/selinux/devel/Makefile mylikewise.pp; sudo semodule -i mylikewise.pp
type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.603:69): avc: denied { write } for pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.586:68): avc: denied { getattr } for pid=1161 comm="lsassd" path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429 dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.585:66): avc: denied { read write open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { read } for pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328287031.471:5): avc: denied { open } for pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288893.067:123): avc: denied { unlink } for pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0 ino=395406 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
All of these are somehow wrong. There should be no files or sock files with the generic likewise_var_lib_t. Only some directories.
I wonder how these got created and or labeled this way.
None of the confined likewise processes should be allowed to create these with this type.
The strange thing is that I also do not see any AVC denials of their actual creation.
This leads me to suspect that these are mislabeled leftovers. Could I be right?
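The analysis above splits a batch of denials into two kinds: a target that carries the generic directory type (likewise_var_lib_t) on a file or socket is a labelling problem, to be fixed by locating the object and giving it a file context, while everything else is a genuine gap in the policy that wants an allow rule. The script below is an added example of doing that triage over a log, not code from the thread's participants. The sample denials are copied from the messages above; the set of "directory only" types and the find(1) search root are assumptions taken from the discussion, and the hex-decoding of audit fields is included because one of the denials above has a hex-encoded path.

```python
"""Triage AVC denials: relabelling problem or missing allow rule?

Added example, not code from the thread's participants. Denials are grouped
and de-duplicated by (source type, target type, class). A file or socket
whose target type is one that only directories should carry is reported as
'mislabel' with a find-by-inode command; anything else is reported as
'allow' with a raw rule for orientation. SAMPLE_AVCS is copied from the
thread; GENERIC_TYPES and SEARCH_ROOT are assumptions taken from it.
"""
import re
from collections import OrderedDict

SAMPLE_AVCS = """\
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328288705.888:70): avc: denied { unlink } for pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.603:69): avc: denied { write } for pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1328288542.585:66): avc: denied { read write open } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288542.586:67): avc: denied { unlink } for pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328288896.867:124): avc: denied { name_connect } for pid=1803 comm="eventlogd" dest=135 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket
"""

GENERIC_TYPES = {"likewise_var_lib_t"}   # only directories may carry these (assumption)
SEARCH_ROOT = "/var/lib"                 # where to look inodes up, as in the thread

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_FIELDS = ("name", "path", "comm", "exe")


def decode_hex(value):
    """auditd hex-encodes names containing spaces, quotes or control chars
    (a '(deleted)' suffix, for instance). Heuristic: even-length upper-case hex."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]{2,}", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Dict of key=value fields plus 'perms' (a set); None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    for key in HEX_FIELDS:
        if key in rec:
            rec[key] = decode_hex(rec[key])
    return rec


def ctx_type(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def triage(text):
    """Group denials and classify each group as 'mislabel' or 'allow'."""
    groups = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "objects": set(), "inodes": set()})
        g["perms"] |= rec["perms"]
        if "name" in rec:
            g["objects"].add(rec["name"])
        if "ino" in rec:
            g["inodes"].add(rec["ino"])

    report = []
    for (src, tgt, cls), g in groups.items():
        perms = " ".join(sorted(g["perms"]))
        if tgt in GENERIC_TYPES and cls != "dir":
            # A file or socket wearing the directory catch-all type: find it by
            # inode, give it its own fc entry, restorecon. No allow rule.
            kind = "mislabel"
            fix = ["find %s -inum %s" % (SEARCH_ROOT, i) for i in sorted(g["inodes"])]
        else:
            # Raw rule for orientation only; in a .te file prefer the refpolicy
            # interface (e.g. corenet_tcp_connect_epmap_port) where one exists.
            kind = "allow"
            fix = ["allow %s %s:%s { %s };" % (src, tgt, cls, perms)]
        report.append({"source": src, "target": tgt, "class": cls, "perms": perms,
                       "kind": kind, "objects": sorted(g["objects"]), "fix": fix})
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_AVCS):
        print("%-8s %s -> %s:%s { %s }" % (r["kind"], r["source"], r["target"],
                                           r["class"], r["perms"]))
        for f in r["fix"]:
            print("         " + f)
```

Feed it "ausearch -m avc --raw" output, or the pasted lines; the grouping is what lets a long log be read at a glance, and the "mislabel" verdicts are the ones to fix first, since an allow rule written for a mislabelled object would only cement the wrong label.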
On Fri, 2012-02-03 at 21:59 +0100, Dominick Grift wrote:
It is still a bug though because there are no file contexts specified for these files and so we should specify them.
It means we need the actual full paths of the files.
example;
.eventlog
find /var/lib -inum 392489
find /var/lib -inum 394337
find /var/lib -inum 395406
it is important that all files have the proper file context specification so that if for some reason the file system needs to be relabeled the files will still have the proper type to avoid breakage like we witnessed above.
On Feb 3, 2012, at 4:08 PM, Dominick Grift wrote:
Those files are
/var/lib/likewise/.eventlog
/var/lib/likewise/krb5cc_lsass.AD.DOMAIN
/var/lib/likewise/db/lsass-adcache.filedb.AD.DOMAIN
What happened was that I ran restorecon on them after they had been created but before those AVCs. I added these rules to the fc file:
/var/lib/likewise/.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/krb5cc_lsass..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
/var/lib/likewise/db/lsass-adcache.filedb..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
and matchpathcon gives the correct type for them now.
I haven't had any new AVC messages since those last changes.
On Fri, 2012-02-03 at 21:41 -0500, Maria Iano wrote:
Thanks. Attached patch is what i think might be the proper fixes for upstream.
On Feb 4, 2012, at 3:56 AM, Dominick Grift wrote:
Some of the additional file contexts were missing. I've added them to the patch file. I've also attached my te and fc files. Please note, my new diff compared directory trees that were different from yours. Here is a line from the updated patch that shows what I'm talking about:
diff --git a/current/policy/modules/services/likewise.fc b/new/policy/ modules/services/likewise.fc
Thanks! Maria
On Sat, 2012-02-04 at 11:01 -0500, Maria Iano wrote:
Some of the additional file contexts were missing. I've added them to the patch file. I've also attached my te and fc files. Please note, my new diff compared directory trees that were different from yours. Here a line from the updated patch that shows what I'm talking about:
diff --git a/current/policy/modules/services/likewise.fc b/new/policy/modules/services/likewise.fc
Thanks! Maria
Yes i see some minor differences, for example you have a likewise init script and have the ps store lock file in /var/lib rather than /etc.
There was another change that i suggested with regard to escaped characters but after thinking about that i do not think that was needed after all (i was confused about the path differences)
Attached is a modified patch:
I would like a Fedora maintainer to have a look (ACK) at it before i consider to commit this to the git repository. I am especially unsure about entries like these i added:
/var/lib/likewise(-open)?(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
Not sure if those regular expressions will work.
Also i think it would be even better if someone could test this once more from scratch (e.g. with a totally clean /var/lib) to see whether all objects are created with the proper types.
And then also to see whether all file context specifications are proper now.
Thanks for your help
On Feb 4, 2012, at 1:11 PM, Dominick Grift wrote:
On Sat, 2012-02-04 at 11:01 -0500, Maria Iano wrote:
Some of the additional file contexts were missing. I've added them to the patch file. I've also attached my te and fc files. Please note, my new diff compared directory trees that were different from yours. Here a line from the updated patch that shows what I'm talking about:
diff --git a/current/policy/modules/services/likewise.fc b/new/policy/modules/services/likewise.fc
Thanks! Maria
Yes i see some minor differences, for example you have a likewise init script and have the ps store lock file in /var/lib rather than /etc.
There was another change that i suggested with regard to escaped characters but after thinking about that i do not think that was needed after all (i was confused about the path differences)
Attached is a modified patch:
I would like a Fedora maintainer to have a look (ACK) at it before i consider to commit this to the git repository. I am especially unsure about entries like these i added:
/var/lib/likewise(-open)?(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
Not sure if those regular expressions will work.
Also i think it would be even better if someone could test this once more from scratch (e.g. with a totally clean /var/lib) to see whether all objects are created with the proper types.
And then also to see whether all file context specifications are proper now.
Thanks for your help
<Likewise-redone.patch>
I could completely remove likewise and then install it again if that would be a useful test.
Thank you very much - the new policy has continued to work for my server thus far - I have had no AVC messages!
Maria
On Wed, 2012-02-08 at 16:33 -0500, Maria Iano wrote:
I could completely remove likewise and then install it again if that would be a useful test.
Thank you very much - the new policy has continued to work for my server thus far - I have had no AVC messages!
Maria
Maria, that would indeed be useful as that would be a confirmation that the modifications work and are sufficient.
mylikewise.fc:
/var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
Hi there,
[I tried to post this via gmane about 30 minutes ago but it never showed up - I did take some time composing the first time, so I am trying again.]
I am new on this list (and pretty new to SELinux), but was just trying to get Likewise Open 6.1 and SELinux to play well together on RHEL 6.1 and found this excellent thread. Most of the denials I had noticed were on the /var/lib/likewise/.lsassd socket.
To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds contains the following (based on what I found in the likewise.fc from git as well as Dominick's notes above -- replacing /usr/sbin with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):
fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond
I added some wildcards in there because some of the files get created with the Active Directory domain name appended to them, namely:
/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET /var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET
After running "restorecon -R -F -v" on all those directories and rebooting, I just got these denials:
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
There were also a bunch of getattr denials on stuff in /proc. Those files in /tmp are owned by me, apparently created when I logged in. They might have been left over from before. Otherwise, everything looks good so far.
I haven't tried building the additional "mylikewise" policy yet, but I can do that next. I can also start over on a fresh box if that would be helpful.
Thanks, Christina
On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:
Hi there,
Hi
To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds contains the following (based on what I found in the likewise.fc from git as well as Dominick's notes above -- replacing /usr/sbin with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):
fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond
A lot of the above file context specifications are wrong because you have not specified what class of object it is for.
The -f option allows you to specify what type of object the specification is for.
example -f -- is a file, -f -d is a dir, -f -s is a sock file (those are the most common objects but there are also character, block, fifo and link files).
I added some wildcards in there because some of the files get created with the Active Directory domain name appended to them, namely:
/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET /var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET
Yes that is good. Just append .* to the file name or so.
After running "restorecon -R -F -v" on all those directories and rebooting, I just got these denials:
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Looks like an init script (or a process running in the init script domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on device dm-4 to be exact)
/tmp should not be used by system wide services. I am not sure where and if you can configure whatever created that file and tell it to use a proper place like /var/lib/$APP but if possible then that is best
Also you should figure out what created this (was it some init script?). It might be that some process was running in the init script domain due to a mislabeled executable file (ps auxZ | grep initrc_t)
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
There were also a bunch of getattr denials on stuff in /proc.
Yes i know.
Those files in /tmp are owned by me, apparently created when I logged in. They might have been left over from before. Otherwise, everything looks good so far.
I haven't tried building the additional "mylikewise" policy yet, but I can do that next. I can also start over on a fresh box if that would be helpful.
I can create a loadable module based off of the patch that i will attach below that will take care of the file context specs as well as the additional policy you might need to get this to work.
Would be great if you could apply that and see if that works for you.
Unfortunately it is a bit late currently here and i need my rest now but i will work tomorrow on the loadable policy module and send it to the list. So you should be able to apply it tomorrow.
Thanks, Christina
Thank you
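As an added example (not code from the thread or from Likewise), here is Christina's likewise-cmds file rewritten the way Dominick describes above: every spec for a single file carries its object class via -f (-- for a regular file, -d for a directory, -s for a socket), the tree-wide specs for /var/lib/likewise and /etc/likewise deliberately carry no -f so they match every class, the file names that get the AD domain appended end in `\..*`, and the directory spec uses the `(-open)?` regex Dominick was unsure about. The `fc_lookup` function models the rule that the last matching specification wins and uses `grep -E` (POSIX ERE, the same syntax family as file context regexes) to match, so the list can be sanity-checked against the paths from the thread before it is fed to `semanage -i`. Type names, paths and the /opt/likewise/sbin prefix are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a likewise-cmds file for "semanage -i"
# with object classes on every single-file spec, plus an offline checker.

likewise_cmds() {
	cat <<'EOF'
fcontext -a -t likewise_var_lib_t "/var/lib/likewise(-open)?(/.*)?"
fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
fcontext -a -f -s -t lsassd_var_socket_t /var/lib/likewise/\.lsassd
fcontext -a -f -s -t lsassd_var_socket_t /var/lib/likewise/\.ntlmd
fcontext -a -f -s -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
fcontext -a -f -s -t lwiod_var_socket_t /var/lib/likewise/\.lwiod
fcontext -a -f -s -t lwsmd_var_socket_t /var/lib/likewise/\.lwsm
fcontext -a -f -s -t lwregd_var_socket_t /var/lib/likewise/\.regsd
fcontext -a -f -s -t netlogond_var_socket_t /var/lib/likewise/\.netlogond
fcontext -a -f -s -t eventlogd_var_socket_t /var/lib/likewise/\.eventlog
fcontext -a -f -- -t lwsmd_var_lib_t /var/lib/likewise/\.lwsmd-lock
fcontext -a -f -- -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity\.conf
fcontext -a -f -- -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass\..*"
fcontext -a -f -- -t lsassd_var_lib_t /var/lib/likewise/db/sam\.db
fcontext -a -f -- -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache\.filedb\..*"
fcontext -a -f -- -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events\.db
fcontext -a -f -- -t lwregd_var_lib_t /var/lib/likewise/db/registry\.db
fcontext -a -f -- -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad\.conf
fcontext -a -f -- -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
fcontext -a -f -- -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
fcontext -a -f -- -t lsassd_exec_t /opt/likewise/sbin/lsassd
fcontext -a -f -- -t lwiod_exec_t /opt/likewise/sbin/lwiod
fcontext -a -f -- -t lwregd_exec_t /opt/likewise/sbin/lwregd
fcontext -a -f -- -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
fcontext -a -f -- -t netlogond_exec_t /opt/likewise/sbin/netlogond
EOF
}

# fc_lookup PATH CLASS: print the type the list above assigns to PATH when the
# object has CLASS (--, -d, -s, ...), or an empty line when nothing matches.
# Specs without -f apply to every class; the last matching spec wins.
fc_lookup() {
	path=$1
	cls=$2
	found=
	while read -r _cmd _action k1 v1 k2 v2 v3; do
		[ -n "$_cmd" ] || continue
		if [ "$k1" = -f ]; then
			speccls=$v1 spectype=$v2 regex=$v3
		else
			speccls='*' spectype=$v1 regex=$k2
		fi
		[ "$speccls" = '*' ] || [ "$speccls" = "$cls" ] || continue
		# file context regexes are anchored at both ends; grep -x does the same
		if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
			found=$spectype
		fi
	done <<EOF
$(likewise_cmds | tr -d '"')
EOF
	printf '%s\n' "$found"
}

# Usage: sh likewise-fc.sh emit > likewise-cmds && sudo semanage -i likewise-cmds
# then: restorecon -R -F -v /var/lib/likewise /etc/likewise /opt/likewise/sbin
if [ "$1" = emit ]; then
	likewise_cmds
fi
```

The checker makes the effect of -f visible: a socket named /var/lib/likewise/.lsassd resolves to lsassd_var_socket_t, while a regular file of the same name falls through to the tree-wide likewise_var_lib_t, which is exactly the difference between a spec with `-f -s` and one without it.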
On Wed, 2012-02-08 at 00:09 +0100, Dominick Grift wrote:
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Looks like an init script (or a process running in the init script domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on device dm-4 to be exact)
/tmp should not be used by system wide services. I am not sure where and if you can configure whatever created that file and tell it to use a proper place like /var/lib/$APP but if possible then that is best
Also you should figure out what created this (was it some init script?). It might be that some process was running in the init script domain due to a mislabeled executable file (ps auxZ | grep initrc_t)
I am actually pretty sure it was created by either lsassd or maybe but less likely the lsassd init script (or the main likewise init script if you do not have a separate lsassd init script). May also be a left over from earlier before you applied the proper file contexts (that is actually what i suspect)
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Also you should figure out what created this (was it some init script?). It might be that some process was running in the init script domain due to a mislabeled executable file (ps auxZ | grep initrc_t)
I am actually pretty sure it was created by either lsassd or maybe but less likely the lsassd init script (or the main likewise init script if you do not have a separate lsassd init script). May also be a left over from earlier before you applied the proper file contexts (that is actually what i suspect)
Yes, it is created by lsassd, and I think it was leftover from before. The number in the filename is my uid - the files are owned by me. I logged out, I removed both files as root, and then when I next logged in as myself, a new file was created as such:
system_u:object_r:user_tmp_t:s0 krb5cc_1040237070_CeTgk16875
When I logged back out, it looks like it was renamed by lsassd:
system_u:object_r:lsassd_tmp_t:s0 krb5cc_1040237070
When I logged in again, a new file with a random string appended was created with user_tmp_t context. I repeated the whole experiment, and the file without the random string appended never re-appeared. So, I'm not entirely sure what it's doing (something with Kerberos tickets :) - it did grow in size when I SSHed to another box), but I haven't seen any AVC messages about it since that first time.
On Wed, 2012-02-08 at 09:44 -0500, Christina Plummer wrote:
Yes, it is created by lsassd, and I think it was leftover from before. The number in the filename is my uid - the files are owned by me. I logged out, I removed both files as root, and then when I next logged in as myself, a new file was created as such:
system_u:object_r:user_tmp_t:s0 krb5cc_1040237070_CeTgk16875
When I logged back out, it looks like it was renamed by lsassd:
system_u:object_r:lsassd_tmp_t:s0 krb5cc_1040237070
When I logged in again, a new file with a random string appended was created with user_tmp_t context. I repeated the whole experiment, and the file without the random string appended never re-appeared. So, I'm not entirely sure what it's doing (something with Kerberos tickets :) - it did grow in size when I SSHed to another box), but I haven't seen any AVC messages about it since that first time.
Right, type lsassd_tmp_t looks good.
I said before that lsassd shouldn't be creating files in /tmp but i think there is probably a valid reason for this one so ignore that.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:
<snip>
Attached you will find the mylikewise1 policy source module. This should take care of both file context specs as well as known policy that is additionally needed.
Please first remove the file context specs that you have added manually with semanage earlier.
To build:
make -f /usr/share/selinux/devel/Makefile mylikewise1.pp
To install:
sudo semodule -i mylikewise1.pp
To apply file context specs:
restorecon -v /etc/rc.d/init.d/likewise
restorecon -R -v /var/lib/likewise
restorecon -R -v /opt/likewise/sbin
2012/2/7 Dominick Grift dominick.grift@gmail.com
Attached you will find the mylikewise1 policy source module. This should take care of both file context specs as well as known policy that is additionally needed.
Please first remove the file context specs that you have added manually with semanage earlier.
Thanks! I made a couple slight modifications to add back in the /etc/likewise lines (since, after I removed my fcontext specs and ran restorecon on all the affected directories, /etc/likewise ended up as "etc_t" instead of "likewise_etc_t"), to escape a period and to unescape the underscore (since it didn't seem to be necessary and I like consistency). See attached
So far, so good.
On Thu, 2012-02-02 at 17:58 -0500, Maria Iano wrote:
Alright let's walk through this: ( A few rules may be duplicate rules, there might also be some typos )
mkdir ~/mylikewise; cd ~/mylikewise; echo "policy_module(mylikewise, 1.0.0)" > mylikewise.te;
Here is the list:
type=AVC msg=audit(1328198424.686:20): avc: denied { write } for pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file
type=AVC msg=audit(1328198424.686:20): avc: denied { connectto } for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond" scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket
echo "optional_policy(\` gen_require(\` type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t; ') stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)')" >> mylikewise.te;
type=AVC msg=audit(1328203534.556:16): avc: denied { getattr } for pid=1141 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
type=AVC msg=audit(1328203534.536:14): avc: denied { getattr } for pid=1141 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t; ') allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file getattr_file_perms; ')" >> mylikewise.te;
type=AVC msg=audit(1328203534.221:9): avc: denied { getattr } for pid=1143 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
!!!! Something wrong here this file should have been created with type eventlogd_var_lib_t
echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file getattr_file_perms; ')" >> mylikewise.te;
type=AVC msg=audit(1328200531.030:128): avc: denied { getattr } for pid=1486 comm="lsassd" path="/proc/1043" dev=proc ino=10798 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir
echo "optional_policy(\` gen_require(\` type lsassd_t; ') domain_dontaudit_search_all_domains_state(lsassd_t)')" >> mylikewise.te;
type=AVC msg=audit(1328198423.037:5): avc: denied { lock } for pid=1108 comm="lwsmd" path="/var/lib/likewise/.lwsmd-lock" dev=dm-0 ino=395380 scontext=system_u:system_r:lwsmd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
??? i was expecting a private type for .lwsmd-lock.
echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_var_lib_t; ') allow lwsmd_t likewise_var_lib_t:file lock;')" >> mylikewise.te;
type=AVC msg=audit(1328198424.260:19): avc: denied { lock } for pid=1151 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
!!! something is wrong here, this file should have been created with type eventlogd_var_lib_t
echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file lock; ')" >> mylikewise.te;
type=AVC msg=audit(1328198423.032:4): avc: denied { write } for pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380 scontext=system_u:system_r:lwsmd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328198423.032:4): avc: denied { open } for pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380 scontext=system_u:system_r:lwsmd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
??? i was expecting a private type for this file
echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_var_lib_t; ') allow lwsmd_t likewise_var_lib_t:file write_file_perms; ')" >> mylikewise.te;
type=AVC msg=audit(1328198423.043:6): avc: denied { read } for pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328198423.043:6): avc: denied { open } for pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type lwsmd_t; ') kernel_read_system_state(lwsmd_t)')" >> mylikewise.te;
type=AVC msg=audit(1328198423.343:8): avc: denied { read } for pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwregd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328198423.343:8): avc: denied { open } for pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwregd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type lwregd_t; ') kernel_read_system_state(lwregd_t)')" >> mylikewise.te;
type=AVC msg=audit(1328203534.538:15): avc: denied { read } for pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328203534.538:15): avc: denied { open } for pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328203534.557:17): avc: denied { read } for pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
type=AVC msg=audit(1328203534.557:17): avc: denied { open } for pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t; ') allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms; ')" >> mylikewise.te;
type=AVC msg=audit(1328203534.223:10): avc: denied { read } for pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328203534.223:10): avc: denied { open } for pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:eventlogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type eventlogd_t; ') kernel_read_system_state(eventlogd_t)')" >> mylikewise.te;
type=AVC msg=audit(1328203534.286:11): avc: denied { read } for pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:netlogond_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328203534.286:11): avc: denied { open } for pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:netlogond_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type netlogond_t; ') kernel_read_system_state(netlogond_t)')" >> mylikewise.te;
type=AVC msg=audit(1328198424.259:18): avc: denied { read write } for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328198424.259:18): avc: denied { open } for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file
mislabeled: should be eventlogd_var_lib_t
echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file rw_file_perms; ')" >> mylikewise.te;
type=AVC msg=audit(1328198423.936:12): avc: denied { read } for pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1328198423.936:12): avc: denied { open } for pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032 scontext=system_u:system_r:lwiod_t:s0
echo "optional_policy(\` gen_require(\` type lwiod_t; ') kernel_read_system_state(lwiod_t)')" >> mylikewise.te;
type=AVC msg=audit(1328198350.869:21213): avc: denied { read } for pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328198350.869:21213): avc: denied { open } for pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file
type=AVC msg=audit(1328198350.873:21215): avc: denied { read } for pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
type=AVC msg=audit(1328198350.873:21215): avc: denied { open } for pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file
echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_krb5_ad_t, netlogond_var_lib_t; ') allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; ')" >> mylikewise.te;
type=AVC msg=audit(1328198423.053:7): avc: denied { setpgid } for pid=1112 comm="lwsmd" scontext=system_u:system_r:lwsmd_t:s0 tcontext=system_u:system_r:lwsmd_t:s0 tclass=process
echo "optional_policy(\` gen_require(\` type lwsmd_t; ') allow lwsmd_t self:process setpgid; ')" >> mylikewise.te;
type=AVC msg=audit(1328198423.945:13): avc: denied { setrlimit } for pid=1164 comm="lwiod" scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:lwiod_t:s0 tclass=process
type=AVC msg=audit(1328198423.945:13): avc: denied { sys_resource } for pid=1164 comm="lwiod" capability=24 scontext=system_u:system_r:lwiod_t:s0 tcontext=system_u:system_r:lwiod_t:s0 tclass=capability
echo "optional_policy(\` gen_require(\` type lwiod_t; ') allow lwiod_t self:process setrlimit; allow lwiod_t self:capability sys_resource; ')" >> mylikewise.te;
There is one file that somehow was created with the wrong type or mislabeled otherwise:
/var/lib/likewise/db/lwi_events.db (should have type eventlogd_var_lib_t and not likewise_var_lib_t)
This file should have been created by eventlogd, and if it was it would have been created with the right type? strange...
make -f /usr/share/selinux/devel/Makefile mylikewise.pp
sudo semodule -i mylikewise.pp
Please test again (make sure you restore all locations including /var/lib/likewise)
if any questions or comments please do not hesitate to ask.
I am looking forward to your reply.
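As an added example (not code from the thread or from Likewise), the walkthrough above collected into one loadable module: `write_module DIR` writes a `mylikewise.te` holding the same rules as the echo commands, through a quoted heredoc so the m4 backquotes reach the file untouched by the shell, together with the `mylikewise.fc` posted earlier in the thread (its two paths with the dots escaped). The lwiod rule names both permissions the AVC record shows, setrlimit on the process class and sys_resource on the capability class. `check_m4_quotes` is an added sanity check that the backquotes and apostrophes in the .te file balance before make is run; `build_and_install` runs the make, semodule and restorecon steps from the thread and is not invoked here, since it needs the selinux-policy devel Makefile and root.

```shell
#!/bin/sh
# Added example, not from the thread: Dominick's mylikewise module as two
# files written by a shell function, plus a quote-balance check for m4.

write_module() {
	mkdir -p "$1"
	cat > "$1/mylikewise.te" <<'EOF'
policy_module(mylikewise, 1.0.0)

########################################
#
# Local policy for the Likewise daemons, derived from the AVC
# denials in the thread. Comments stay free of apostrophes
# because m4 treats them as closing quote characters.
#

optional_policy(`
	gen_require(`
		type lwiod_t, lwsmd_t, lwregd_t, eventlogd_t, netlogond_t, lsassd_t;
		type likewise_var_lib_t, likewise_krb5_ad_t, netlogond_var_lib_t;
		type netlogond_var_socket_t;
	')

	# lwiod connects to the netlogond socket under /var/lib/likewise
	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

	# lwsmd reads krb5-affinity.conf and likewise-krb5-ad.conf,
	# writes and locks .lwsmd-lock, and calls setpgid on itself
	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;
	allow lwsmd_t likewise_var_lib_t:file write_file_perms;
	allow lwsmd_t self:process setpgid;

	# eventlogd reads, writes and locks lwi_events.db; the .fc below
	# gives that file its private type on the next restorecon
	allow eventlogd_t likewise_var_lib_t:file rw_file_perms;

	# every daemon reads /proc/stat at startup
	kernel_read_system_state(lwiod_t)
	kernel_read_system_state(lwsmd_t)
	kernel_read_system_state(lwregd_t)
	kernel_read_system_state(eventlogd_t)
	kernel_read_system_state(netlogond_t)

	# lsassd stats /proc entries of other domains; silence rather than allow
	domain_dontaudit_search_all_domains_state(lsassd_t)

	# lwiod raises its own resource limits
	allow lwiod_t self:process setrlimit;
	allow lwiod_t self:capability sys_resource;
')
EOF
	cat > "$1/mylikewise.fc" <<'EOF'
/var/lib/likewise/db/lwi_events\.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/\.lwsmd-lock	--	gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
EOF
}

# m4 needs every opening backquote closed by an apostrophe; an unbalanced
# file fails inside the Makefile with an unhelpful error, so check first.
check_m4_quotes() {
	opens=$(tr -cd '`' < "$1" | wc -c | tr -d ' ')
	closes=$(tr -cd "'" < "$1" | wc -c | tr -d ' ')
	[ "$opens" -eq "$closes" ]
}

# The build and install steps from the thread; run as root on the target box.
build_and_install() {
	check_m4_quotes "$1/mylikewise.te" || return 1
	(cd "$1" && make -f /usr/share/selinux/devel/Makefile mylikewise.pp) &&
	semodule -i "$1/mylikewise.pp" &&
	restorecon -R -v /var/lib/likewise
}

# Usage: sh mylikewise.sh ~/mylikewise   (then build_and_install ~/mylikewise)
if [ -n "$1" ]; then
	write_module "$1"
fi
```

The .fc part matters as much as the .te part: once lwi_events.db and .lwsmd-lock carry their private types after restorecon, the allow rules on likewise_var_lib_t for eventlogd_t and lwsmd_t stop being exercised for those two files, which is the state Dominick flagged as the expected one.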