chkpwd_macros.te

Daniel J Walsh dwalsh at redhat.com
Wed Nov 10 15:55:15 UTC 2004


Tom London wrote:

>running rawhide/strict,
>
>I get the following about once or twice a day:
>
>Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc:  denied 
>{ search } for  pid=27040 exe=/sbin/unix_chkpwd name=run dev=hda2
>ino=4456484 scontext=user_u:user_r:user_chkpwd_t
>tcontext=system_u:object_r:var_run_t tclass=dir
>Nov 10 06:49:17 fedora kernel: audit(1100098157.523:0): avc:  denied 
>{ search } for  pid=27040 exe=/sbin/unix_chkpwd name=nscd dev=hda2
>ino=4556982 scontext=user_u:user_r:user_chkpwd_t
>tcontext=system_u:object_r:nscd_var_run_t tclass=dir
>
>Suggest the following:
>
>--- SAVE/chkpwd_macros.te       2004-11-10 07:37:22.098409600 -0800
>+++ ./chkpwd_macros.te  2004-11-10 07:38:32.387484758 -0800
>@@ -67,6 +67,8 @@
>
> # for nscd
> dontaudit $1_chkpwd_t var_t:dir search;
>+dontaudit $1_chkpwd_t var_run_t:dir search;
>+dontaudit $1_chkpwd_t nscd_var_run_t:dir search;
>
> dontaudit $1_chkpwd_t fs_t:filesystem getattr;
> ')
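Review bot: The two `dontaudit` lines added under `# for nscd` only hide the `search` denials on `var_run_t:dir` and `nscd_var_run_t:dir`. `$1_chkpwd_t` still cannot traverse those directories, so any nscd lookup from unix_chkpwd keeps failing, now without a trace in the audit log. If the domain is meant to use nscd, grant the access rather than suppressing the audit. If it is meant to stay denied, extend the comment to say so (for example `# for nscd: lookups are intentionally denied, silence the noise`) so the suppression is not read as an oversight.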
>
>tom
>
>  
>
This should fix it.

diff -u chkpwd_macros.te~ chkpwd_macros.te
--- chkpwd_macros.te~   2004-11-09 14:08:33.000000000 -0500
+++ chkpwd_macros.te    2004-11-10 10:54:20.098525218 -0500
@@ -15,7 +15,7 @@
 ifdef(`chkpwd.te', `
 define(`chkpwd_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, auth;
+type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;

 # is_selinux_enabled
 allow $1_chkpwd_t proc_t:file read;
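Review bot: The changed `type $1_chkpwd_t, ...` line adds `nscd_client_domain` without a comment, and the rules that attribute expands to are not visible in this diff. Please confirm they cover `search` on both `var_run_t:dir` and `nscd_var_run_t:dir`, the two denials reported, and add a short comment on why the derived domain needs to be an nscd client. With the attribute in place, the existing `dontaudit $1_chkpwd_t var_t:dir search;` under `# for nscd` near line 67 deserves a second look, since it would keep any remaining failure on that path out of the audit log.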



