On Wed, 2012-02-08 at 00:09 +0100, Dominick Grift wrote:
> >
> > type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for
> > pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> Looks like an init script (or a process running in the init script
> domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on
> device dm-4 to be exact)
>
> /tmp should not be used by system wide services. I am not sure where and
> if you can configure whatever created that file and tell it to use a
> proper place like /var/lib/$APP but if possible then that is best
>
> Also you should figure out what created this (was it some init script?).
> It might be that some process was running in the init script domain due
> to a mislabeled executable file (ps auxZ | grep initrc_t)

I am actually pretty sure it was created by either lsassd or, maybe but
less likely, the lsassd init script (or the main Likewise init script if
you do not have a separate lsassd init script). It may also be a leftover
from earlier, before you applied the proper file contexts (that is
actually what I suspect).

> > type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for
> > pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> > type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for
> > pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> > type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink }
> > for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
> > scontext=system_u:system_r:lsassd_t:s0
> > tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> >
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux