On Sat, Feb 23, 2013 at 05:59:28PM -0500, Ben P. wrote:
> > > avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/"
> > > dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t
> > > tcontext=system_u:object_r:sysfs_t tclass=dir
> > > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/"
> > > dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t
> > > tcontext=system_u:object_r:security_t tclass=filesystem
> > > avc: denied { getattr } for pid=1084 comm="unix_chkpwd"
> > > path="/sys/fs/selinux" dev="selinuxfs" ino=1
> > > scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t
>
> 2.) Plays with the file contexts a bit. It tries to keep the correct file
> contexts correct on /etc/passwd and /etc/shadow (I think). So it has to read
> the correct contexts from selinux? (calls setfscreatecon() and
> getfscreatecon() )

Makes sense; if unix_chkpwd is SELinux-aware, it probably wants to read some
files in the SELinux file system, which is under /sys (thus the search
privileges on sysfs_t directories).

The filesystem one however (getattr on security_t filesystem) is not clear
to me (I find the "filesystem" class difficult to grasp). I *think* that
getattr on filesystem classes is something like getting the mount options of
a file system?

Alas, http://www.selinuxproject.org/page/ObjectClassesPerms#filesystem isn't
clear on this :-(

> Still lots to learn I guess

Same here :-/

Wkr,
Sven Vermeulen
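As an added illustration (not part of the thread, and not audit2allow's own code): a small Python parser that turns the AVC records quoted above into the raw allow rules a policy writer would start from, and flags records that arrived without a tclass (the third one is wrapped/truncated in the mail), which is the usual failure mode when copying denials out of a mail client. The sample input is constructed from the quoted records, re-joined onto single lines.

```python
import re

# Constructed sample: the three AVC records quoted above, one per line.
# The third record has no tclass field, exactly as quoted in the mail.
SAMPLE_AVC = """
avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., 'tcontext': ..., ...} or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), **fields}


def type_of(context):
    # user:role:type[:level] -> type; allow rules are written on types only
    return context.split(':')[2]


def allow_rules(text):
    """Aggregate denials into (source type, target type, class) -> permissions.
    Records lacking scontext/tcontext/tclass are returned separately as
    'incomplete' instead of being silently dropped."""
    rules, incomplete = {}, []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
            incomplete.append(line.strip())
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules, incomplete


def format_rules(rules):
    """Render the aggregated denials as SELinux allow rules, one per line.
    Note: filesystem:getattr is the check the kernel applies to statfs() on a
    mount, which is how libselinux verifies the selinuxfs mountpoint."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        out.append(f"allow {src} {tgt}:{cls} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return out


if __name__ == '__main__':
    rules, bad = allow_rules(SAMPLE_AVC)
    print('\n'.join(format_rules(rules)))
    for line in bad:
        print('# incomplete record, no tclass:', line)
```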