| 1 |
On Sat, Feb 23, 2013 at 05:59:28PM -0500, Ben P. wrote: |
| 2 |
> > > avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" |
| 3 |
> > > dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t |
| 4 |
> > > tcontext=system_u:object_r:sysfs_t tclass=dir |
| 5 |
> > > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" |
| 6 |
> > > dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t |
| 7 |
> > > tcontext=system_u:object_r:security_t tclass=filesystem |
| 8 |
> > > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" |
| 9 |
> > > path="/sys/fs/selinux" dev="selinuxfs" ino=1 |
| 10 |
> > > scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t |
| 11 |
> |
| 12 |
> 2.) Plays with the file contexts a bit. It tries to keep the correct file |
| 13 |
> contexts correct on /etc/passwd and /etc/shadow (I think). So it has to read |
| 14 |
> the correct contexts from selinux? (calls setfscreatecon() and |
| 15 |
> getfscreatecon() ) |
| 16 |
|
| 17 |
Makes sense; if unix_chkpwd is SELinux-aware, it probably wants to read some |
| 18 |
files in the SELinux file system, which is under /sys (thus the search |
| 19 |
privileges on sysfs_t directories). |
| 20 |
|
| 21 |
The filesystem one however (getattr on security_t filesystem) is not clear |
| 22 |
to me (I find the "filesystem" class difficult to grasp). I *think* that |
| 23 |
getattr on filesystem classes is something like getting the mount options of |
| 24 |
a file system? |
| 25 |
|
| 26 |
Alas, http://www.selinuxproject.org/page/ObjectClassesPerms#filesystem isn't |
| 27 |
clear on this :-( |
| 28 |
|
| 29 |
> Still lots to learn I guess |
| 30 |
|
| 31 |
Same here :-/ |
| 32 |
|
| 33 |
Wkr, |
| 34 |
Sven Vermeulen |
Archives