SELinux and Likewise Open Issue

Gabi C gabicr at gmail.com
Tue Dec 28 05:40:16 UTC 2010


grep dbus-daemon < /var/log/audit/audit.log | audit2allow -M module_name1
then semodule -i module_name1.pp

Watch audit.log for other denials and do the same: grep .............. | audit2allow -M module_name2, and so on.



On Mon, Dec 27, 2010 at 6:55 PM, Mr. Paul M. Whitney <paul.whitney at me.com> wrote:

> Hello everyone, I am having an issue with SELinux and Likewise Open.  I
> have managed to "successfully" install the product by setting SELinux to
> permissive mode and have successfully joined it to a domain.  I have also
> used my AD credentials successfully.
>
> After rebooting and SELinux in enforced mode, I am getting the below
> SELinux AVC denial.  I "think" it may be because the .lsassd file is labeled
> with a generic "var_lib_t" and perhaps it needs to be something like
> "likewise_var_lib_t".  I don't know and this is probably demonstrating my
> ignorance with SELinux.  I am running into dead ends or unrelated info on
> Google, Red KB, and several people's blogs.
>
> Can someone please tell me how to overcome this denial with SELinux in
> enforce mode?
>
>
> Summary:
>
> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
> (var_lib_t).
>
> Detailed Description:
>
> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
> (var_lib_t). The SELinux type var_lib_t is a generic type for all files in
> the directory, and very few processes (SELinux Domains) are allowed to write
> to this SELinux type. This type of denial usually indicates a mislabeled
> file. By default a file created in a directory gets the context of the
> parent directory, but SELinux policy has rules about the creation of
> directories that say if a process running in one SELinux Domain (D1)
> creates a file in a directory with a particular SELinux File Context (F1),
> the file gets a different File Context (F2). The policy usually allows the
> SELinux Domain (D1) the ability to write, unlink, and append on (F2). But
> if for some reason a file (.lsassd) was created with the wrong context,
> this domain will be denied. The usual solution to this problem is to reset
> the file context on the target file: restorecon -v '.lsassd'. If the file
> context does not change from var_lib_t, then this is probably a bug in
> policy. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If it does change, you can try your application
> again to see if it works. The file context could have been mislabeled by
> editing the file or moving the file from a different directory; if the file
> keeps getting mislabeled, check the init scripts to see if they are doing
> something to mislabel the file.
>
> Allowing Access:
>
> You can attempt to fix file context by executing restorecon -v '.lsassd'
>
> The following command will allow this access:
>
> restorecon '.lsassd'
>
> Additional Information:
>
> Source Context                system_u:system_r:system_dbusd_t
> Target Context                system_u:object_r:var_lib_t
> Target Objects                .lsassd [ sock_file ]
> Source                        dbus-daemon
> Source Path                   /bin/dbus-daemon
> Port                          <Unknown>
> Host                          delta.whitney.net
> Source RPM Packages           dbus-1.1.2-14.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   mislabeled_file
> Host Name                     delta.whitney.net
> Platform                      Linux delta.whitney.net 2.6.18-194.17.4.el5 #1 SMP Wed Oct 20 13:03:08 EDT 2010 x86_64 x86_64
> Alert Count                   80
> First Seen                    Mon 27 Dec 2010 11:03:37 AM EST
> Last Seen                     Mon 27 Dec 2010 11:42:13 AM EST
> Local ID                      f27ca755-0327-42a6-8755-e772887cecd7
> Line Numbers
>
> Raw Audit Messages
>
> host=delta.whitney.net type=AVC msg=audit(1293468133.661:172): avc:
>  denied  { write } for  pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4
> ino=295012 scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> host=delta.whitney.net type=SYSCALL msg=audit(1293468133.661:172):
> arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7ffffab98d20 a2=6e
> a3=0 items=1 ppid=1 pid=3827 auid=4294967295 uid=81 gid=81 euid=81 suid=81
> fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
> comm="dbus-daemon" exe="/bin/dbus-daemon"
> subj=system_u:system_r:system_dbusd_t:s0 key=(null)
>
> host=delta.whitney.net type=PATH msg=audit(1293468133.661:172): item=0
> name=(null) inode=295012 dev=fd:04 mode=0140666 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:var_lib_t:s0
>
>
>
>
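The two answers in this thread point in different directions: the setroubleshoot report says relabel the socket with restorecon, the reply says generate a module with audit2allow. The difference matters, because an allow rule written against a generic type such as var_lib_t grants the domain access to every object of that type, not just .lsassd. The following Python script is an added example, not code from either poster or from Likewise Open or setroubleshoot. It parses raw AVC records of the kind quoted above, extracts source type, target type, object class and permissions, and triages each denial: a write-type denial on a generic file type is flagged as a labeling problem with the restorecon command as the suggestion, anything else is flagged for policy review, and in both cases the rule audit2allow would produce is shown so its breadth is visible. The sample log is constructed: the first record is the AVC line from the report re-joined onto one line, the third record (types example_t, http_port_t and comm example-daemon) is hypothetical and exists only to give the triage a non-labeling case; the list of "generic" types is this script's own heuristic, not an SELinux attribute.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (see lead-in). Line 1 is the AVC record from the
# quoted report, line 2 its SYSCALL companion, line 3 a hypothetical denial
# with made-up types so that the triage has a case that is not a mislabel.
SAMPLE_AUDIT_LOG = """\
host=delta.whitney.net type=AVC msg=audit(1293468133.661:172): avc:  denied  { write } for  pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
host=delta.whitney.net type=SYSCALL msg=audit(1293468133.661:172): arch=c000003e syscall=42 success=no exit=-13 pid=3827 comm="dbus-daemon" exe="/bin/dbus-daemon"
type=AVC msg=audit(1293468200.000:180): avc:  denied  { name_connect } for  pid=4100 comm="example-daemon" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Heuristic (this script's assumption): generic file types that many domains
# read but few may write. A denial against one of these usually means the
# object carries the wrong label, which is what the "mislabeled_file" plugin
# reported in the thread, so the fix is a relabel rather than a new rule.
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "var_run_t", "var_log_t", "etc_t",
                      "usr_t", "tmp_t", "default_t", "unlabeled_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}

# Only AVC records carry the access decision; SYSCALL and PATH records do not.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+?) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'\b(comm|name|pid)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: str
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: Optional[str] = None
    name: Optional[str] = None
    pid: Optional[int] = None

    @property
    def source_type(self) -> str:
        # user:role:type[:range]; the type is always the third field.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_records(text: str) -> List[AvcDenial]:
    """Extract every AVC denial from raw audit.log text, skipping other record types."""
    records: List[AvcDenial] = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        extra = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        records.append(AvcDenial(
            serial=m.group("serial"),
            perms=m.group("perms").split(),
            scontext=m.group("scontext"),
            tcontext=m.group("tcontext"),
            tclass=m.group("tclass"),
            comm=extra.get("comm"),
            name=extra.get("name"),
            pid=int(extra["pid"]) if "pid" in extra else None,
        ))
    return records


def allow_rule(d: AvcDenial) -> str:
    """The allow rule audit2allow would emit for this denial, shown so its scope is visible."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ %s }" % " ".join(d.perms)
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


@dataclass
class Triage:
    action: str       # "relabel" or "policy"
    reason: str
    suggestion: str   # command to run next; <module> is a placeholder


def triage(d: AvcDenial) -> Triage:
    """Decide whether a denial looks like a mislabel (relabel) or needs policy review."""
    if d.tclass in FILE_CLASSES and d.target_type in GENERIC_FILE_TYPES:
        return Triage(
            action="relabel",
            reason=(f"{d.target_type} is a generic type; loading '{allow_rule(d)}' would let "
                    f"{d.comm or d.source_type} {'/'.join(d.perms)} every {d.target_type} {d.tclass}"),
            suggestion=f"restorecon -v '{d.name or '<path>'}'",
        )
    return Triage(
        action="policy",
        reason=f"{d.target_type} is a specific type, so relabeling will not change the decision; "
               f"review the generated rule: {allow_rule(d)}",
        suggestion="audit2allow -M <module>",
    )


def summarize(text: str) -> Dict[str, int]:
    """Count denials per triage action, e.g. {'relabel': 1, 'policy': 1}."""
    counts: Dict[str, int] = {}
    for d in parse_avc_records(text):
        counts[triage(d).action] = counts.get(triage(d).action, 0) + 1
    return counts


if __name__ == "__main__":
    for d in parse_avc_records(SAMPLE_AUDIT_LOG):
        t = triage(d)
        print(f"#{d.serial} {d.source_type} -> {d.target_type}:{d.tclass} {d.perms}")
        print(f"   {t.action}: {t.reason}")
        print(f"   next: {t.suggestion}")
```

Run against a real file with `parse_avc_records(open('/var/log/audit/audit.log').read())`; the relabel branch is the one the report already recommends for .lsassd, and it is worth trying before any module is loaded, because a module built from the var_lib_t denial stays in effect after the socket is eventually labeled correctly.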


