On Fri, 2008-08-22 at 12:51 -0400, Robert Story wrote:
> I'm trying to switch a working kerberos server from targeted/enforcing
> to mls/enforcing. The krb5kdc daemon starts fine, but kadmin does not.
> There is a single avc in the audit log:
>
> type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
BTW, aside from the wrong type on the file, the denial is clearly an MLS
denial - look at the levels on the two contexts. You have a process
whose current/low level is s0 (aka SystemLow) trying to getattr (read
flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there.
The high level of the process is only used as a ceiling for newrole -l
or if the process' domain has certain MLS privileges allowing it to act
up to its ceiling.
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
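
The level comparison described in the reply above, as an added example that is not part of the original message: it parses the quoted AVC record and checks whether the process's current (low) level and its ceiling (high) level dominate the file's level. The function names are hypothetical, and the check models only the basic dominance rule, not the policy's full MLS constraints or privileged-domain attributes.

```python
import re

# The AVC record quoted in the message above.
AVC = ('type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for '
       'pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
       'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
       'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file')


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    members = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")      # 'c0.c1023' is an inclusive range
        members.update(range(int(lo[1:]), int(hi[1:] if hi else lo[1:]) + 1))
    return int(sens[1:]), frozenset(members)


def parse_range(context):
    """Return (low, high) levels from user:role:type:low[-high]."""
    mls = context.split(":", 3)[3]
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """Level a dominates b: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def explain(avc):
    """Compare subject and object levels for a read-flow permission."""
    ctx = dict(re.findall(r"\b([st]context)=(\S+)", avc))
    s_low, s_high = parse_range(ctx["scontext"])
    t_low, _ = parse_range(ctx["tcontext"])
    return {
        # Read flow needs the process's current level to dominate the file.
        "read_allowed_at_current_level": dominates(s_low, t_low),
        # The ceiling only matters with newrole -l or MLS privileges.
        "ceiling_dominates_object": dominates(s_high, t_low),
    }


if __name__ == "__main__":
    print(explain(AVC))
```

For the quoted record the current level s0 does not dominate s15:c0.c1023, while the ceiling does, which matches the explanation in the reply.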