unix_write AVC denial is persistent

shagun


Post by shagun » 2017/07/27 12:23:37

Hi,

I am getting the AVC denial below:
----------------------------------------------------------------------
type=AVC msg=audit(1501051879.038:1221): avc: denied { unix_write } for pid=7775 comm="onstat" key=1381386241 scontext=system_u:system_r:informix_t:s0 tcontext=system_u:system_r:informix_t:s0-s0:c0.c1023 tclass=shm

Was caused by:
()
#Constraint rule:

# mlsconstrain shm { create destroy setattr write unix_write } ((h1 dom h2 -Fail-) or (t1 != { netlabel_peer_t cucm_t informix_t ilsd_t ipsec_t logrotate_t openshift_t openshift_app_t sandbox_min_t sandbox_x_t sandbox_web_t sandbox_net_t snmpd_t sysadm_t svirt_t svirt_tcg_t svirt_lxc_net_t svirt_qemu_net_t svirt_kvm_net_t arpmond_t cli_t clm_t ipprefsd_t nbslogpd_t servm_t tomcatd_t ibmd_t hpd_t drfd_t upgraded_t } -Fail-) ); Constraint DENIED

# Possible cause is the source level (s0) and target level (s0-s0:c0.c1023) are different.
----------------------------------------------------------------------

I created a policy and loaded it into the system, but I am still getting this denial.
test.te file:
-----------------------------------------------
module test 1.0;

require {
type informix_t;
class shm { unix_write write };
}

#============= informix_t ==============

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain shm { create destroy setattr write unix_write } ((h1 dom h2 -Fail-) or (t1 != { netlabel_peer_t cucm_t informix_t ilsd_t ipsec_t logrotate_t openshift_t openshift_app_t sandbox_min_t sandbox_x_t sandbox_web_t sandbox_net_t snmpd_t sysadm_t svirt_t svirt_tcg_t svirt_lxc_net_t svirt_qemu_net_t svirt_kvm_net_t arpmond_t cli_t clm_t ipprefsd_t nbslogpd_t servm_t tomcatd_t ibmd_t hpd_t drfd_t upgraded_t } -Fail-) ); Constraint DENIED

# Possible cause is the source level (s0) and target level (s0-s0:c0.c1023) are different.
allow informix_t self:shm { unix_write write };
----------------------------------------------------------------------

What should I do to resolve this denial?

Regards,
Shagun Maheshwari

hunter86_bg

Re: unix_write AVC denial is persistent

Post by hunter86_bg » 2017/07/29 18:47:57

You can try the following:
1. Set SELinux to permissive mode in order to log the denials.
2. Use "audit2why" and "audit2allow" to resolve the problem.
3. Once you have generated the new rule, you should test it in enforcing mode.

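As an added example (not code from either post, nor from Informix, CentOS or the SELinux project), the following Python evaluates the mlsconstrain rule that audit2why printed in the question against the AVC line from the question. It parses the source and target contexts, expands the MLS/MCS category ranges and checks the `h1 dom h2` clause of the rule. Because informix_t is in the rule's type list, the second clause fails, so the constraint can only pass if the high level of the source (s0) dominates the high level of the target (s0:c0.c1023), which it does not: dominance requires a superset of categories. SELinux checks constraints in addition to type-enforcement allow rules, so the `allow informix_t self:shm { unix_write write };` in test.te cannot satisfy a failed constraint, which is why the module loads but the denial persists. The second input line, with the source process running at s0-s0:c0.c1023, is constructed here to show the passing case; the function and variable names are my own.

```python
"""Evaluate the shm mlsconstrain from the thread against AVC lines.

Only AVC_LINE is taken from the post; the constrained type list and
permission set are copied from the audit2why output quoted there.
Everything else is constructed for illustration.
"""
import re
from dataclasses import dataclass

# The AVC line from the question.
AVC_LINE = (
    'type=AVC msg=audit(1501051879.038:1221): avc: denied { unix_write } '
    'for pid=7775 comm="onstat" key=1381386241 '
    'scontext=system_u:system_r:informix_t:s0 '
    'tcontext=system_u:system_r:informix_t:s0-s0:c0.c1023 tclass=shm'
)

# Constructed variant: same access, but the source runs at the full range.
SOURCE_AT_FULL_RANGE_LINE = AVC_LINE.replace(
    "scontext=system_u:system_r:informix_t:s0 ",
    "scontext=system_u:system_r:informix_t:s0-s0:c0.c1023 ",
)

# Copied from the mlsconstrain rule printed by audit2why in the post.
CONSTRAINED_PERMS = {"create", "destroy", "setattr", "write", "unix_write"}
CONSTRAINED_TYPES = {
    "netlabel_peer_t", "cucm_t", "informix_t", "ilsd_t", "ipsec_t",
    "logrotate_t", "openshift_t", "openshift_app_t", "sandbox_min_t",
    "sandbox_x_t", "sandbox_web_t", "sandbox_net_t", "snmpd_t", "sysadm_t",
    "svirt_t", "svirt_tcg_t", "svirt_lxc_net_t", "svirt_qemu_net_t",
    "svirt_kvm_net_t", "arpmond_t", "cli_t", "clm_t", "ipprefsd_t",
    "nbslogpd_t", "servm_t", "tomcatd_t", "ibmd_t", "hpd_t", "drfd_t",
    "upgraded_t",
}


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        """MLS/MCS 'dom': sensitivity >= and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """'s0:c0.c1023,c5' -> Level(0, {0..1023, 5}); 's0' -> Level(0, {})."""
    sens_part, _, cat_part = text.partition(":")
    sensitivity = int(sens_part[1:])
    categories = set()
    for chunk in filter(None, cat_part.split(",")):
        lo, _, hi = chunk.partition(".")       # 'c0.c1023' is a range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return Level(sensitivity, frozenset(categories))


def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, low Level, high Level)."""
    _user, _role, type_, range_ = ctx.split(":", 3)
    low, _, high = range_.partition("-")
    return type_, parse_level(low), parse_level(high or low)


def parse_avc(line):
    """Return (key=value fields, set of denied permissions) for one AVC line."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = set(re.search(r"\{([^}]*)\}", line).group(1).split())
    return fields, perms


def check_shm_constraint(line):
    """Evaluate '(h1 dom h2) or (t1 != {...})' for a shm AVC line.

    If the constraint fails, a TE allow rule (what audit2allow emits) will not
    make the access pass: constraints are checked in addition to allow rules.
    """
    fields, perms = parse_avc(line)
    stype, _slow, shigh = parse_context(fields["scontext"])
    _ttype, _tlow, thigh = parse_context(fields["tcontext"])
    applies = fields["tclass"] == "shm" and bool(perms & CONSTRAINED_PERMS)
    h1_dom_h2 = shigh.dominates(thigh)
    type_exempt = stype not in CONSTRAINED_TYPES
    passes = (not applies) or h1_dom_h2 or type_exempt
    return {
        "constraint_applies": applies,
        "source_type": stype,
        "h1_dom_h2": h1_dom_h2,
        "type_exempt": type_exempt,
        "constraint_passes": passes,
        "fixable_with_allow_rule": passes,
    }


if __name__ == "__main__":
    for label, line in (("original", AVC_LINE),
                        ("source at s0-s0:c0.c1023", SOURCE_AT_FULL_RANGE_LINE)):
        print(label, check_shm_constraint(line))
```

Running it prints the verdict for both lines: for the original AVC the constraint applies, informix_t is not exempt, `h1 dom h2` is false and the access is not fixable with an allow rule; with the source running at the same range as the target the constraint passes. In practice that means the thing to look at is the MLS/MCS range the onstat process and the shm segment were created under, not the test.te module, which the `#!!!!` comment from audit2allow in the question already hints at.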