Domain transition missing

Vadym Chepkov chepkov at yahoo.com
Sat Jul 4 12:44:34 UTC 2009


Thank you

Every single daemon out there was choking, just a few:

type=AVC msg=audit(1246707387.606:8922): avc:  denied  { connectto } for  pid=1313 comm="dovecot-auth" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707463.608:8931): avc:  denied  { connectto } for  pid=6828 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707468.105:8932): avc:  denied  { connectto } for  pid=6841 comm="procmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:procmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.622:8935): avc:  denied  { connectto } for  pid=6847 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707508.629:8936): avc:  denied  { connectto } for  pid=6851 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.720:8963): avc:  denied  { connectto } for  pid=7855 comm="pop3" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1246707632.732:8964): avc:  denied  { connectto } for  pid=7857 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket

Sincerely yours,
  Vadym Chepkov


--- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Saturday, July 4, 2009, 8:38 AM
> On Sat, 2009-07-04 at 05:11 -0700,
> Vadym Chepkov wrote:
> > Hi,
> > 
> > Last night I got a nasty surprise from SELinux. I am using winbind for external authentication, and since it has a history of failures I have a simple watchdog implemented to check the status and restart it if necessary. That is what happened last night, and as a law-abiding SELinux citizen I used 'service winbind restart', but it seems the proper domain transition is missing and winbind was started in the system_cronjob_t domain instead of winbind_t, and none of the other domains could connect to it.
> > 
> > I think jobs running from cron should be granted the same transition rules as from unconfined_t.
> > 
> > I will file a bugzilla report about it, but could somebody help me with modifying my local policy until/if it gets implemented, please? Thank you.
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> 
> A domain transition would be:
> 
> policy_module(mywinbind, 0.0.1)
> 
> require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> 
> Can you show us the full raw avc denial?
> 
> 
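
A triage sketch for the denials in this thread, as an added example that is not part of the original messages: it groups the connectto denials by the type in the target context, which is what shows the socket's listener running in system_cronjob_t rather than winbind_t. The function names and the expected-domain table are assumptions made for this example; the three log lines are copied from the message above.

```python
import re
from collections import defaultdict

# Three of the denials quoted in the message above.
AVC_LINES = [
    'type=AVC msg=audit(1246707387.606:8922): avc:  denied  { connectto } for  pid=1313 comm="dovecot-auth" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1246707463.608:8931): avc:  denied  { connectto } for  pid=6828 comm="sendmail" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1246707508.629:8936): avc:  denied  { connectto } for  pid=6851 comm="dbus-daemon-lau" path="/var/run/winbindd/pipe" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=unix_stream_socket',
]
# Assumption for this example: the domain each socket's listener should run in.
EXPECTED_LISTENER = {"/var/run/winbindd/pipe": "winbind_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    # A context is user:role:type:level; the level may itself contain colons.
    return ctx.split(":")[2]

def mislabeled_listeners(lines, expected=EXPECTED_LISTENER):
    """Map socket path -> {actual listener type: sorted client types} for
    connectto denials whose target is not in the expected domain."""
    found = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_avc(line)
        if not rec or "connectto" not in rec["perms"] or not {"scontext", "tcontext"} <= rec.keys():
            continue
        want = expected.get(rec.get("path"))
        actual = context_type(rec["tcontext"])
        if want and actual != want:
            found[rec["path"]][actual].add(context_type(rec["scontext"]))
    return {p: {t: sorted(s) for t, s in by.items()} for p, by in found.items()}

if __name__ == "__main__":
    for path, by_type in mislabeled_listeners(AVC_LINES).items():
        for actual, clients in by_type.items():
            print(f"{path}: listener in {actual}, expected {EXPECTED_LISTENER[path]}; "
                  f"denied clients: {', '.join(clients)}")
```
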



