[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Strange denials



On 07/04/2009 11:19 AM, Vadym Chepkov wrote:
I barely redirect output of a cron job to /dev/null :(

Is there a way to run cron unconfined? I don't see any boolean anymore.

Sincerely yours,
   Vadym Chepkov
The problem is not the confinement of cron, but the confinement of winbind. winbind is handed an open file descriptor from cron that it is not allowed to use. SELinux closes the descriptor and reports the avc. winbind and cron will continue to work without a problem. You can add a dontaudit rule to tell SELinux to stop reporting the leaked file descriptor.


--- On Sat, 7/4/09, Kévin GUERIN<leguerinos gmail com>  wrote:

From: Kévin GUERIN<leguerinos gmail com>
Subject: Re: Strange denials
To: "Vadym Chepkov"<chepkov yahoo com>
Cc: "Fedora SELinux"<fedora-selinux-list redhat com>
Date: Saturday, July 4, 2009, 10:55 AM
winbindd is running with no MCS categories and tries to access a file with c0.c1023.

Access will be granted only if winbindd runs with all the categories that the file it wants to interact with has.

Kévin


2009/7/4 Vadym Chepkov<chepkov yahoo com>

Ok, I am lost

I clearly allowed this.

allow winbind_t crond_t:fifo_file write;

I can see it in the policy:

sesearch --all --source winbind_t --target crond_t
Found 3 semantic av rules:
    allow winbind_t crond_t : process sigchld ;
    allow winbind_t crond_t : fd use ;
    allow winbind_t crond_t : fifo_file { ioctl read write getattr lock append open } ;

Why do I get a denial anyway?

time->Sat Jul  4 10:28:01 2009
type=SYSCALL msg=audit(1246717681.676:10436): arch=40000003 syscall=11 success=yes exit=0 a0=9073c10 a1=9073358 a2=90732a8 a3=9073358 items=0 ppid=20323 pid=20324 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=777 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1246717681.676:10436): avc:  denied  { write } for  pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Sincerely yours,
   Vadym Chepkov

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

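The two replies above explain the same AVC from two sides: the sesearch output shows a TE allow rule for fifo_file write, yet the denial persists because winbindd runs at s0 while the pipe it inherited from crond carries s0-s0:c0.c1023, so the MCS categories do not match. The script below is an added example, not code from this thread or from the SELinux project. It parses the AVC record and the sesearch output exactly as posted here (reflowed onto single lines), checks whether a TE allow covers the denied permission, checks whether the source's high level dominates the target's high level, and emits the dontaudit line suggested in the top reply. The dominance check models the MCS constraint for write-like permissions on file classes (source high level must dominate target high level); that constraint shape is an assumption about the installed policy, not something the thread states.

```python
"""Diagnose an AVC denial: TE allow present, MCS dominance missing.

Added example, not from the thread or the SELinux project. The MCS rule
modelled here (h1 dom h2 for write on file classes) is an assumption.
"""
import re

# Records as posted in the thread, reflowed onto single lines (constructed input).
AVC_LINE = (
    'type=AVC msg=audit(1246717681.676:10436): avc:  denied  { write } for  '
    'pid=20324 comm="winbindd" path="pipe:[611496]" dev=pipefs ino=611496 '
    'scontext=system_u:system_r:winbind_t:s0 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file'
)
SESEARCH_OUTPUT = """Found 3 semantic av rules:
    allow winbind_t crond_t : process sigchld ;
    allow winbind_t crond_t : fd use ;
    allow winbind_t crond_t : fifo_file { ioctl read write getattr lock append open } ;
"""


def parse_cats(spec):
    """'c0.c1023,c2000' -> set of category numbers (ranges are inclusive)."""
    cats = set()
    for part in filter(None, spec.split(',')):
        if '.' in part:
            lo, hi = part.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s0:c0.c1023' -> (sensitivity, categories)."""
    sens, _, cats = level.partition(':')
    return int(sens[1:]), parse_cats(cats)


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict; a single level means low == high."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    low = parse_level(low)
    return {'user': user, 'role': role, 'type': typ,
            'low': low, 'high': parse_level(high) if high else low}


def dominates(a, b):
    """MLS dominance: sensitivity at least as high and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def format_cats(cats):
    """Inverse of parse_cats: {0,1,2,5} -> 'c0.c2,c5'."""
    cats, out, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        out.append('c%d' % cats[i] if i == j else 'c%d.c%d' % (cats[i], cats[j]))
        i = j + 1
    return ','.join(out)


def parse_avc(line):
    """Pull decision, permissions, contexts and class out of one type=AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    return {'decision': m.group(1), 'perms': m.group(2).split(),
            'scontext': parse_context(fields['scontext']),
            'tcontext': parse_context(fields['tcontext']),
            'tclass': fields['tclass'], 'comm': fields.get('comm')}


def te_allows(sesearch_text, stype, ttype, tclass, perm):
    """True if an 'allow stype ttype : tclass {...};' line in sesearch output grants perm."""
    rule = re.compile(r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;')
    for s, t, c, perms in rule.findall(sesearch_text):
        if (s, t, c) == (stype, ttype, tclass) and perm in perms.strip('{} ').split():
            return True
    return False


def diagnose(avc_line, sesearch_text):
    """'te' = no allow rule; 'constraint' = allow rule present but the source's high
    level does not dominate the target's high level; 'unexplained' otherwise."""
    avc = parse_avc(avc_line)
    src, tgt = avc['scontext'], avc['tcontext']
    te_ok = all(te_allows(sesearch_text, src['type'], tgt['type'], avc['tclass'], p)
                for p in avc['perms'])
    mcs_ok = dominates(src['high'], tgt['high'])
    verdict = 'te' if not te_ok else ('constraint' if not mcs_ok else 'unexplained')
    return {
        'verdict': verdict, 'te_allow': te_ok, 'mcs_ok': mcs_ok,
        'missing_categories': format_cats(tgt['high'][1] - src['high'][1]),
        # The rule the top reply suggests for silencing the leaked-descriptor AVC.
        'dontaudit': 'dontaudit %s %s:%s { %s };' % (
            src['type'], tgt['type'], avc['tclass'], ' '.join(avc['perms'])),
    }


if __name__ == '__main__':
    for k, v in diagnose(AVC_LINE, SESEARCH_OUTPUT).items():
        print('%-19s %s' % (k + ':', v))
```

Run against the records from this thread it reports verdict `constraint`, `te_allow` True, `mcs_ok` False and the missing categories `c0.c1023`, which is why adding another allow rule cannot help; the dontaudit line it prints is the one to drop into a local policy module if, as the top reply says, you only want the leaked-descriptor report to go away rather than to grant the write.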