SELinux and Likewise Open Issue

Gabi C gabicr at gmail.com
Wed Dec 29 05:50:43 UTC 2010


any name should do. I prefer to give names related to what I try to
allow...in your case could be ....

grep dbus-daemon < /var/log/audit/audit.log | audit2allow -M lsassd1
semodule -i lsassd1.pp

On Tue, Dec 28, 2010 at 5:13 PM, Mr. Paul M. Whitney <paul.whitney at me.com> wrote:

> How do I extrapolate the module name?  Here is an example audit entry:
>
> 1 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
> comm="dbus-daemon" exe="/bin/dbus-daemon"
> subj=system_u:system_r:system_dbusd_t:s0 key=(null)
> type=AVC msg=audit(1293548941.586:158): avc:  denied  { write } for
>  pid=3811 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011
> scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>
> Paul
>
>
> On Dec 28, 2010, at 12:40 AM, Gabi C wrote:
>
> > grep dbus-daemon < /var/log/audit/audit.log | audit2allow -M module_name1
> > then semodule -i module_name1.pp
> >
> > watch audit.log for other denials and do the same: 'grep ..............
> > module_name2' and so on
> >
> >
> > On Mon, Dec 27, 2010 at 6:55 PM, Mr. Paul M. Whitney <paul.whitney at me.com> wrote:
> >
> >> Hello everyone, I am having an issue with SELinux and Likewise Open.  I
> >> have managed to "successfully" install the product by setting SELinux to
> >> permissive mode and have successfully joined it to a domain.  I have also
> >> used my AD credentials successfully.
> >>
> >> After rebooting and SELinux in enforced mode, I am getting the below
> >> SELinux AVC denial.  I "think" it may be because the .lsassd file is labeled
> >> with a generic "var_lib_t" and perhaps it needs to be something like
> >> "likewise_var_lib_t".  I don't know and this is probably demonstrating my
> >> ignorance with SELinux.  I am running into dead ends or unrelated info on
> >> Google, Red KB, and several people's blogs.
> >>
> >> Can someone please tell me how to overcome this denial with SELinux in
> >> enforcing mode?
> >>
> >>
> >> Summary:
> >>
> >> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
> >> (var_lib_t).
> >>
> >> Detailed Description:
> >>
> >> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
> >> (var_lib_t). The SELinux type var_lib_t is a generic type for all files in
> >> the directory and very few processes (SELinux Domains) are allowed to write
> >> to this SELinux type. This type of denial usually indicates a mislabeled
> >> file. By default a file created in a directory gets the context of the
> >> parent directory, but SELinux policy has rules about the creation of
> >> directories that say if a process running in one SELinux Domain (D1)
> >> creates a file in a directory with a particular SELinux File Context (F1)
> >> the file gets a different File Context (F2). The policy usually allows the
> >> SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if
> >> for some reason a file (.lsassd) was created with the wrong context, this
> >> domain will be denied. The usual solution to this problem is to reset the
> >> file context on the target file, restorecon -v '.lsassd'. If the file
> >> context does not change from var_lib_t, then this is probably a bug in
> >> policy. Please file a bug report
> >> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> >> selinux-policy package. If it does change, you can try your application
> >> again to see if it works. The file context could have been mislabeled by
> >> editing the file or moving the file from a different directory; if the file
> >> keeps getting mislabeled, check the init scripts to see if they are doing
> >> something to mislabel the file.
> >>
> >> Allowing Access:
> >>
> >> You can attempt to fix file context by executing restorecon -v '.lsassd'
> >>
> >> The following command will allow this access:
> >>
> >> restorecon '.lsassd'
> >>
> >> Additional Information:
> >>
> >> Source Context                system_u:system_r:system_dbusd_t
> >> Target Context                system_u:object_r:var_lib_t
> >> Target Objects                .lsassd [ sock_file ]
> >> Source                        dbus-daemon
> >> Source Path                   /bin/dbus-daemon
> >> Port                          <Unknown>
> >> Host                          delta.whitney.net
> >> Source RPM Packages           dbus-1.1.2-14.el5
> >> Target RPM Packages
> >> Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
> >> Selinux Enabled               True
> >> Policy Type                   targeted
> >> MLS Enabled                   True
> >> Enforcing Mode                Enforcing
> >> Plugin Name                   mislabeled_file
> >> Host Name                     delta.whitney.net
> >> Platform                      Linux delta.whitney.net 2.6.18-194.17.4.el5 #1 SMP
> >>                               Wed Oct 20 13:03:08 EDT 2010 x86_64 x86_64
> >> Alert Count                   80
> >> First Seen                    Mon 27 Dec 2010 11:03:37 AM EST
> >> Last Seen                     Mon 27 Dec 2010 11:42:13 AM EST
> >> Local ID                      f27ca755-0327-42a6-8755-e772887cecd7
> >> Line Numbers
> >>
> >> Raw Audit Messages
> >>
> >> host=delta.whitney.net type=AVC msg=audit(1293468133.661:172): avc:
> >> denied  { write } for  pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4
> >> ino=295012 scontext=system_u:system_r:system_dbusd_t:s0
> >> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
> >>
> >> host=delta.whitney.net type=SYSCALL msg=audit(1293468133.661:172):
> >> arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7ffffab98d20 a2=6e
> >> a3=0 items=1 ppid=1 pid=3827 auid=4294967295 uid=81 gid=81 euid=81 suid=81
> >> fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
> >> comm="dbus-daemon" exe="/bin/dbus-daemon"
> >> subj=system_u:system_r:system_dbusd_t:s0 key=(null)
> >>
> >> host=delta.whitney.net type=PATH msg=audit(1293468133.661:172): item=0
> >> name=(null) inode=295012 dev=fd:04 mode=0140666 ouid=0 ogid=0 rdev=00:00
> >> obj=system_u:object_r:var_lib_t:s0
> >>
> >>
> >>
> >>
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
> >>
>
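
The thread's fix is a pipeline: grep the AVC records for one process, feed them to audit2allow -M, load the .pp with semodule -i. The block below is an added example for this page, not part of the original thread and not audit2allow itself: it redoes the parsing step in Python over constructed log lines that mirror the two dbus-daemon denials quoted above (plus one unrelated httpd denial so the comm filter has something to drop), merges them into the allow rules a .te module would carry, renders the module source in the shape audit2allow -M writes, and flags any rule whose target type is a generic label such as var_lib_t, which is exactly the case where the setroubleshoot text says restorecon is the right fix rather than a new allow rule. GENERIC_FILE_TYPES is a heuristic list chosen for the example, and nothing here loads policy into the kernel.

```python
"""Draft SELinux allow rules from raw AVC denials, the way the thread's
grep | audit2allow -M pipeline does, and flag denials whose target carries a
generic file type (var_lib_t here) as probable mislabeling.

Added example for this thread; it is not audit2allow and does not load
anything into the kernel. The log text below is constructed to mirror the
two denials quoted in the thread, plus one unrelated httpd denial.
"""
import re
from collections import defaultdict

# Constructed sample log: the thread's two dbus-daemon denials, the SYSCALL
# record that accompanies the first, and an unrelated httpd denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1293468133.661:172): avc:  denied  { write } for  pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1293468133.661:172): arch=c000003e syscall=42 success=no exit=-13 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0
type=AVC msg=audit(1293548941.586:158): avc:  denied  { write } for  pid=3811 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1293548950.100:160): avc:  denied  { read open } for  pid=4001 comm="httpd" name="index.html" dev=dm-4 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC record: permissions in braces, then comm=, scontext=, tcontext=, tclass=.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Heuristic list chosen for this example: generic labels a daemon should
# rarely need to write to. A denial against one usually means the object is
# mislabeled and wants restorecon/semanage fcontext, not a new allow rule.
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "var_run_t", "etc_t", "usr_t", "default_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text, comm=None):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial.

    comm restricts the output to one process name, which is what the
    thread's 'grep dbus-daemon' does before the pipe.
    """
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or (comm is not None and m.group("comm") != comm):
            continue
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               frozenset(m.group("perms").split()))


def collect_rules(denials):
    """Merge denials into {(src_type, tgt_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        rules[(src, tgt, tclass)] |= perms
    return dict(rules)


def mislabel_suspects(rules):
    """Rule keys whose target type is generic: relabel first, allow last."""
    return sorted(key for key in rules if key[1] in GENERIC_FILE_TYPES)


def fmt_perms(perms):
    """Render a permission set in TE syntax: 'write' or '{ open read }'."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules, version="1.0"):
    """Render type-enforcement source in the shape audit2allow -M writes."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update((src, tgt))
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{tclass} {fmt_perms(perms)};"
            for (src, tgt, tclass), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = collect_rules(parse_denials(SAMPLE_AUDIT_LOG, comm="dbus-daemon"))
    print(render_te("lsassd1", rules), end="")
    for src, tgt, tclass in mislabel_suspects(rules):
        print(f"# {src} -> {tgt}:{tclass}: generic target type; run "
              f"'ls -Z' and 'restorecon -v' on the object before loading this rule")
```

The rule this produces for the thread's denial, allow system_dbusd_t var_lib_t:sock_file write;, lets the D-Bus daemon write to every socket labeled var_lib_t on the box, not just .lsassd. That is why the flag matters: if restorecon (or a semanage fcontext entry plus restorecon) moves the socket to a type the policy already expects, no new allow rule is needed and the privilege stays narrow.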


