SELinux and Likewise Open Issue
Mr. Paul M. Whitney
paul.whitney at me.com
Tue Dec 28 15:13:30 UTC 2010
How do I extrapolate the module name? Here is an example audit entry:
1 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
type=AVC msg=audit(1293548941.586:158): avc: denied { write } for pid=3811 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
Paul
On Dec 28, 2010, at 12:40 AM, Gabi C wrote:
> grep dbus-daemon < /var/log/audit/audit.log | audit2allow -M *module_name1*
> then semodule -i *module_name1.pp
>
> *watch audit.log for other denials and do the same* 'grep ..............
> module_name2" *and so on*
>
> On Mon, Dec 27, 2010 at 6:55 PM, Mr. Paul M. Whitney <paul.whitney at me.com>wrote:
>
>> Hello everyone, I am having an issue with SELinux and Likewise Open. I
>> have managed to "successfully" install the product by setting SELinux to
>> permissive mode and have successfully joined it to a domain. I have also
>> used my AD credentials successfully.
>>
>> After rebooting and SELinux in enforced mode, I am getting the below
>> SELinux AVC denial. I "think" it may be because the .lsassd file is labeled
>> with a generic "var_lib_t" and perhaps it needs to be something like
>> "likewise_var_lib_t". I don't know and this is probably demonstrating my
>> ignorance with SELinux. I am running into dead ends or unrelated info on
>> Google, Red KB, and several people's blogs.
>>
>> Can someone please tell me how to overcome this denial with SELinux in
>> enforcing mode?
>>
>>
>> Summary:
>>
>> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
>> (var_lib_t).
>>
>> Detailed Description:
>>
>> SELinux is preventing dbus-daemon (system_dbusd_t) "write" to .lsassd
>> (var_lib_t). The SELinux type var_lib_t is a generic type for all files in
>> the directory and very few processes (SELinux Domains) are allowed to write
>> to this SELinux type. This type of denial usually indicates a mislabeled
>> file. By default a file created in a directory gets the context of the
>> parent directory, but SELinux policy has rules about the creation of
>> directories, that say if a process running in one SELinux Domain (D1)
>> creates a file in a directory with a particular SELinux File Context (F1)
>> the file gets a different File Context (F2). The policy usually allows the
>> SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if
>> for some reason a file (.lsassd) was created with the wrong context, this
>> domain will be denied. The usual solution to this problem is to reset the
>> file context on the target file, restorecon -v '.lsassd'. If the file
>> context does not change from var_lib_t, then this is probably a bug in
>> policy. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
>> selinux-policy package. If it does change, you can try your application
>> again to see if it works. The file context could have been mislabeled by
>> editing the file or moving the file from a different directory; if the file
>> keeps getting mislabeled, check the init scripts to see if they are doing
>> something to mislabel the file.
>>
>> Allowing Access:
>>
>> You can attempt to fix file context by executing restorecon -v '.lsassd'
>>
>> The following command will allow this access:
>>
>> restorecon '.lsassd'
>>
>> Additional Information:
>>
>> Source Context system_u:system_r:system_dbusd_t
>> Target Context system_u:object_r:var_lib_t
>> Target Objects .lsassd [ sock_file ]
>> Source dbus-daemon
>> Source Path /bin/dbus-daemon
>> Port <Unknown>
>> Host delta.whitney.net
>> Source RPM Packages dbus-1.1.2-14.el5
>> Target RPM Packages
>> Policy RPM selinux-policy-2.4.6-279.el5_5.1
>> Selinux Enabled True
>> Policy Type targeted
>> MLS Enabled True
>> Enforcing Mode Enforcing
>> Plugin Name mislabeled_file
>> Host Name delta.whitney.net
>> Platform Linux delta.whitney.net 2.6.18-194.17.4.el5 #1 SMP Wed Oct 20 13:03:08 EDT 2010 x86_64 x86_64
>> Alert Count 80
>> First Seen Mon 27 Dec 2010 11:03:37 AM EST
>> Last Seen Mon 27 Dec 2010 11:42:13 AM EST
>> Local ID f27ca755-0327-42a6-8755-e772887cecd7
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=delta.whitney.net type=AVC msg=audit(1293468133.661:172): avc:
>> denied { write } for pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4
>> ino=295012 scontext=system_u:system_r:system_dbusd_t:s0
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
>>
>> host=delta.whitney.net type=SYSCALL msg=audit(1293468133.661:172):
>> arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7ffffab98d20 a2=6e
>> a3=0 items=1 ppid=1 pid=3827 auid=4294967295 uid=81 gid=81 euid=81 suid=81
>> fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
>> comm="dbus-daemon" exe="/bin/dbus-daemon"
>> subj=system_u:system_r:system_dbusd_t:s0 key=(null)
>>
>> host=delta.whitney.net type=PATH msg=audit(1293468133.661:172): item=0
>> name=(null) inode=295012 dev=fd:04 mode=0140666 ouid=0 ogid=0 rdev=00:00
>> obj=system_u:object_r:var_lib_t:s0
>>
>>
>>
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
>>
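To Paul's question about pulling the denial out of audit.log before handing it to audit2allow -M, here is an added example (not from the thread, and not code from audit2allow or setroubleshoot) that parses the AVC records quoted above, groups them by source type, target type and class the way audit2allow does, and flags a generic target type such as var_lib_t as a relabel case rather than a new-rule case, following the setroubleshoot advice in the original post. The third log record and the example_t / example_conf_t types are constructed, and treating the types other than var_lib_t as generic is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log: the two AVC records quoted in the thread plus one
# hypothetical record (example_t / example_conf_t are made-up type names).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1293548941.586:158): avc: denied { write } for pid=3811 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295011 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1293548941.586:158): arch=c000003e syscall=42 success=no exit=-13 comm="dbus-daemon" exe="/bin/dbus-daemon"
type=AVC msg=audit(1293468133.661:172): avc: denied { write } for pid=3827 comm="dbus-daemon" name=".lsassd" dev=dm-4 ino=295012 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1293468200.000:180): avc: denied { read open } for pid=4001 comm="exampled" name="example.conf" dev=dm-4 ino=1001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
"""

# A denial against a generic file type usually means a mislabeled object (the
# setroubleshoot point), not a missing rule. var_lib_t comes from the thread;
# treating the other types listed here as generic is an assumption.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "var_run_t", "tmp_t", "default_t"}

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    # The SELinux type is the third field of user:role:type[:level].
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "names": set()})
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f:
            g = groups[(f["stype"], f["ttype"], f["tclass"])]
            g["count"] += 1
            g["perms"] |= f["perms"]
            g["names"].add(f.get("name", "?"))
    return dict(groups)

def as_te_rule(key, g):
    """The allow rule audit2allow -M would generate for this group."""
    return "allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(sorted(g["perms"])))

def advise(key, g):
    """Generic target type: relabel with restorecon; otherwise the rule is a review candidate."""
    if key[1] in GENERIC_TYPES:
        return "restorecon -v on %s (target type %s is generic: likely mislabeled)" % (", ".join(sorted(g["names"])), key[1])
    return "review before loading: " + as_te_rule(key, g)
```

Run it against a real /var/log/audit/audit.log (the module name given to audit2allow -M is simply a label you choose) and it separates the .lsassd relabel case from denials that genuinely need a policy module.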