Re: MLS enforcing and kerberos
- From: Daniel J Walsh <dwalsh redhat com>
- To: Robert Story <rstory sparta com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: MLS enforcing and kerberos
- Date: Thu, 04 Sep 2008 09:08:33 -0400
Robert Story wrote:
> On Fri, 22 Aug 2008 13:07:48 -0400 Stephen wrote:
> SS> > type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for
> SS> > pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
> SS> > scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
> SS> > tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
> SS>
> SS> The real question there is why is that file labeled unlabeled_t? That
> SS> usually indicates that its context was invalidated, e.g. you removed the
> SS> type from the policy?
>
> I haven't touched policy... The file must be left over from when the box
> was running in targeted mode... I did relabel, but then there's this:
>
> /etc/selinux/mls/contexts/files/file_contexts:/var/tmp/.* <<none>>
>
> SS> BTW, aside from the wrong type on the file, the denial is clearly a MLS
> SS> denial - look at the levels on the two contexts. You have a process
> SS> whose current/low level is s0 (aka SystemLow) trying to getattr (read
> SS> flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there.
> SS> The high level of the process is only used as a ceiling for newrole -l
> SS> or if the process' domain has certain MLS privileges allowing it to act
> SS> up to its ceiling.
>
> I couldn't delete the file in enforcing mode, even after 'newrole -l
> SystemHigh'. So I dropped to permissive and deleted the file. After
> that, kadmin started fine and the file was recreated with SystemLow.
Relabeling does not clean up /tmp files since we have no idea what to
label these. So it is best when changing over if you remove all files
from /tmp. Better yet use a tmpfs :^)
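As an added illustration of the MLS reasoning in Stephen's comment above (example code written for this page, not code from the list or from the SELinux project): it parses the AVC record quoted in the thread and checks whether the process's current (low) level dominates the file's level, which is what a read-flow permission such as getattr requires. The set of read-flow file permissions is an assumption, and the one-line AVC string is the quoted record rejoined.

```python
import re

# AVC record quoted in the thread, rejoined onto one line (constructed input for the example).
AVC = ('type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for '
       'pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
       'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
       'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file')

# File permissions that move information from the object to the subject (assumed subset).
READ_FLOW_PERMS = {'read', 'getattr', 'ioctl', 'lock', 'execute'}

def parse_level(text):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty set)."""
    sens, _, cats = text.partition(':')
    cat_set = set()
    for part in cats.split(',') if cats else []:
        lo, _, hi = part.partition('.')          # 'c0.c1023' is a category range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cat_set.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(cat_set)

def dominates(a, b):
    """MLS dominance: a >= b when its sensitivity is at least b's and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_context(ctx):
    """Split user:role:type:range; the range is 'low' or 'low-high'."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    return {'user': user, 'role': role, 'type': typ,
            'low': parse_level(low), 'high': parse_level(high or low)}

def analyze(avc_line):
    """Explain an AVC denial in MLS terms: is it a read-flow denial, and is the target unlabeled?"""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', avc_line))
    perms = set(re.search(r'\{ ([^}]*) \}', avc_line).group(1).split())
    src = parse_context(fields['scontext'])
    tgt = parse_context(fields['tcontext'])
    read_flow = bool(perms & READ_FLOW_PERMS)
    return {
        # Only the subject's current (low) level counts for ordinary access decisions.
        'mls_read_denied': read_flow and not dominates(src['low'], tgt['low']),
        # The high level would dominate, but it is only a ceiling (newrole -l or MLS privileges).
        'ceiling_would_dominate': dominates(src['high'], tgt['low']),
        # unlabeled_t means the file's context was invalidated or never relabeled (e.g. /tmp leftovers).
        'unlabeled_target': tgt['type'] == 'unlabeled_t',
    }
```

Calling analyze(AVC) on the quoted record reports a read-flow denial at the process's s0 level, a high level that would have dominated, and an unlabeled_t target, which is exactly the combination the thread diagnoses.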