[SOLVED] PBIS/Likewise Open requires disabling SELinux


[SOLVED] PBIS/Likewise Open requires disabling SELinux

Postby littlefixit » 2012/09/25 21:27:07

Hello,

I apologize if I'm out of place for this question, but I've run into the following problem. I am faced with the decision of choosing between SELinux or PBIS/Likewise Open for Domain authentication. I have successfully used PBIS/Likewise Open to join the domain, and can log in with domain users as long as SELinux is in permissive mode--and based on what I've learned in the few hours I've been researching SELinux, that essentially means it's disabled. Now, from everything I've read, disabling SELinux is described as a pretty dumb idea. I understand that it is optional, but I'm afraid my lack of linux expertise precludes me from understanding exactly how it works, and so I'm left to assume that it would be wiser not to disable it.

That said, my question (and I apologize in advance for this being a n00b question) is whether or not SELinux functions similarly to a firewall, which can have ports opened and closed to permit SOME traffic as opposed to ALL or NOTHING. If this is the case, where would I go to learn more about how to poke such a hole in my SELinux configuration to allow me to use PBIS/Likewise Open?

I'm including some very basic system information, as per the stickied thread; but would be happy to provide any more requested. the version of PBIS/Likewise Open I have installed is 7.0.2.891.

Thank you in advance for your time.

== BEGIN uname -rmi ==
2.6.32-279.el6.x86_64 x86_64 x86_64
== END   uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
centos-release-6-3.el6.centos.9.x86_64
elrepo-release-6-4.el6.elrepo.noarch
== END   rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 6.3 (Final)
== END   cat /etc/redhat-release ==

== BEGIN getenforce ==
Enforcing
== END   getenforce ==

== BEGIN free -m ==
             total       used       free     shared    buffers     cached
Mem:          3833        668       3164          0          4        447
-/+ buffers/cache:        216       3616
Swap:         3967          0       3967
== END   free -m ==

littlefixit
 
Posts: 9
Joined: 2012/09/25 21:07:16
Location: New England

[SOLVED] PBIS/Likewise Open requires disabling SELinux

Postby TrevorH » 2012/09/26 00:52:34

Congratulations for being one of the few to put selinux into permissive mode rather than just disabling it. The two things are different: disabling it gets rid of it completely and then needs work done to re-enable it later, putting it into permissive mode leaves it active but it never denies access to anything. It does, however, log information about what it would have denied had it been in enforcing mode and you can use those logs to construct rules to allow the access in the future.

How you get at the logs varies - if you have the audit package installed and running then the selinux denials are logged to /var/log/audit/audit.log and there are some utilities installed that allow you to see the logs in a fairly readable format. If you don't have the audit package installed then the denials get logged to /var/log/messages and are more tricky to understand. I am going to assume that you have audit installed and running and then you first run the `aureport -a` command and it will spit out reams of messages about the things that were denied access to things. Each message has a number on the far right hand side and if you pick that number and use it in the `ausearch -a nnnn` command (substituting the latest number for nnnn in that command) then you'll get some lines out that tell you what was denied access to what and why. If you post some samples of those here then I (or anyone else that wants to assist) will attempt to interpret them for you!

You can also run `service auditd rotate` which rotates the audit logs then recreate your denials and then `cat /var/log/audit/audit.log | audit2allow -m likewise` and this will generate an selinux source policy module that can be used to allow the accesses. This can sometimes allow more than you might want it to so it's worth posting that too so that someone can review it.

BTW, I also notice from your uname -a output that you are in need of running `yum update` to pick up all the fixes that have been released since CentOS 6.3 came out.
TrevorH
Forum Moderator
 
Posts: 9116
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PBIS/Likewise Open requires disabling SELinux

Postby littlefixit » 2012/09/26 13:20:14

Hello, thank you for getting back to me. I've updated my system, as suggested.


== BEGIN uname -rmi ==
2.6.32-279.el6.x86_64 x86_64 x86_64
== END uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
centos-release-6-3.el6.centos.9.x86_64
elrepo-release-6-4.el6.elrepo.noarch
== END rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 6.3 (Final)
== END cat /etc/redhat-release ==

== BEGIN getenforce ==
Enforcing
== END getenforce ==

== BEGIN free -m ==
             total       used       free     shared    buffers     cached
Mem:          3833       1338       2494          0         36       1055
-/+ buffers/cache:        247       3586
Swap:         3967          0       3967
== END free -m ==


Here is the output of the aureport -a command:

171. 09/26/2012 07:50:12 semodule unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51459
172. 09/26/2012 07:55:32 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51461
173. 09/26/2012 07:55:32 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51463
174. 09/26/2012 07:55:36 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51466
175. 09/26/2012 07:55:36 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51465
176. 09/26/2012 07:55:46 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51468
177. 09/26/2012 07:55:46 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51467
178. 09/26/2012 07:55:46 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51469
179. 09/26/2012 07:55:48 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51471
180. 09/26/2012 07:55:54 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51475
181. 09/26/2012 07:55:54 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51476
182. 09/26/2012 07:55:54 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51480
183. 09/26/2012 07:55:54 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51482
184. 09/26/2012 07:55:52 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51473
185. 09/26/2012 08:07:03 pickup system_u:system_r:postfix_pickup_t:s0 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51497
186. 09/26/2012 08:57:40 cleanup system_u:system_r:postfix_cleanup_t:s0 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51528
187. 09/26/2012 08:57:40 trivial-rewrite system_u:system_r:postfix_master_t:s0 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51529
188. 09/26/2012 08:57:40 smtp system_u:system_r:postfix_smtp_t:s0 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 51530



I'm pretty sure you only care about the 7:55 timestamps, since that's when I attempted to log in with a domain user, but I was surprised to see so many lines for only one attempted login. In any event, I'm including the detail retrieved using the ausearch -a command for each of the numbers on the right, as indicated. I apologize in advance if this is too much information--if it is, please let me know so I don't make the same mistake in the future.

----
time->Wed Sep 26 07:55:32 2012
type=SYSCALL msg=audit(1348660532.719:51461): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=7fff582b48c0 a2=6e a3=10 items=0 ppid=1 pid=6590 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1513 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660532.719:51461): avc: denied { write } for pid=6590 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:32 2012
type=SYSCALL msg=audit(1348660532.727:51463): arch=c000003e syscall=42 success=no exit=-13 a0=1 a1=7fff582b48d0 a2=6e a3=10 items=0 ppid=1 pid=6590 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1513 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660532.727:51463): avc: denied { write } for pid=6590 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:36 2012
type=SYSCALL msg=audit(1348660536.229:51466): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff0dce91c0 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660536.229:51466): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:36 2012
type=SYSCALL msg=audit(1348660536.202:51465): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff0dce8ea0 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660536.202:51465): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:46 2012
type=SYSCALL msg=audit(1348660546.185:51468): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff0dce9040 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660546.185:51468): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:46 2012
type=SYSCALL msg=audit(1348660546.185:51467): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff0dce90b0 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660546.185:51467): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:46 2012
type=SYSCALL msg=audit(1348660546.186:51469): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff0dce9100 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660546.186:51469): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:48 2012
type=SYSCALL msg=audit(1348660548.271:51471): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff0dce9200 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660548.271:51471): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:54 2012
type=SYSCALL msg=audit(1348660554.718:51475): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff0dce9040 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660554.718:51475): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:54 2012
type=SYSCALL msg=audit(1348660554.719:51476): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff0dce9040 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660554.719:51476): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:54 2012
type=SYSCALL msg=audit(1348660554.788:51480): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff0dce9250 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1621 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660554.788:51480): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:54 2012
type=SYSCALL msg=audit(1348660554.802:51482): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff0dce9250 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1621 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660554.802:51482): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 07:55:52 2012
type=SYSCALL msg=audit(1348660552.022:51473): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff0dce91c0 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348660552.022:51473): avc: denied { write } for pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 08:07:03 2012
type=SYSCALL msg=audit(1348661223.355:51497): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7ffff5001b50 a2=6e a3=7ffff50018c0 items=0 ppid=1454 pid=19843 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1348661223.355:51497): avc: denied { write } for pid=19843 comm="pickup" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file


As indicated, I rotated my logs (as you could probably tell from the output above) and then recreated my denials before running the `cat /var/log/audit/audit.log | audit2allow -m likewise` command, and that produced the following output. I'm including it here to be checked, but what should I do with it if it is approved?


module likewise 1.0;

require {
type postfix_smtp_t;
type sshd_t;
type local_login_t;
type postfix_pickup_t;
type postfix_master_t;
type postfix_cleanup_t;
type var_lib_t;
class sock_file write;
}

#============= local_login_t ==============
allow local_login_t var_lib_t:sock_file write;

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t var_lib_t:sock_file write;

#============= postfix_master_t ==============
allow postfix_master_t var_lib_t:sock_file write;

#============= postfix_pickup_t ==============
allow postfix_pickup_t var_lib_t:sock_file write;

#============= postfix_smtp_t ==============
allow postfix_smtp_t var_lib_t:sock_file write;

#============= sshd_t ==============
allow sshd_t var_lib_t:sock_file write;


Thank you again for your time, and your kindness towards a newbie admin. :)
littlefixit
 
Posts: 9
Joined: 2012/09/25 21:07:16
Location: New England

Re: PBIS/Likewise Open requires disabling SELinux

Postby TrevorH » 2012/09/26 14:26:15

type=AVC msg=audit(1348660532.719:51461): avc: denied { write } for pid=6590 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file


Can you look in /dev/mapper and see what is symlinked to ../dm-0 and then see what file system is mounted using /dev/mapper/whatever? For example, if that was / then run

find / -inum 260081 -print


That's the file that your login executable is trying to access and it doesn't have access to the target context. I'd like to know what file it is to see if it is mislabeled or if it just doesn't have access to it.

Your module is too broad and includes access for postfix to things and I suspect you're not interested in postfix at the present time.
TrevorH
Forum Moderator
 
Posts: 9116
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PBIS/Likewise Open requires disabling SELinux

Postby littlefixit » 2012/09/26 14:42:41

I'm afraid I don't follow. I cd'd to the /dev/mapper directory, and see the following when I do an `ls -lart`:

total 0
drwxr-xr-x.  2 root root    100 Sep 16 19:36 .
crw-rw----.  1 root root 10, 58 Sep 16 19:36 control
lrwxrwxrwx.  1 root root      7 Sep 16 19:36 vg_gsc01-lv_root -> ../dm-0
lrwxrwxrwx.  1 root root      7 Sep 16 19:36 vg_gsc01-lv_swap -> ../dm-1
drwxr-xr-x. 17 root root   3760 Sep 16 19:36 ..


When I tried to run the following from the /dev/mapper directory:

find ../ -inum 260081 -print


I get nothing back; but when I run:

find / -inum 260081 -print


I get the following:

find: '/proc/21555/task/21555/fd/5': No such file or directory
find: '/proc/21555/task/21555/fdinfo/5': No such file or directory
find: '/proc/21555/fd/5': No such file or directory
find: '/proc/21555/fdinfo/5': No such file or directory
/var/lib/pbis/.lsassd
littlefixit
 
Posts: 9
Joined: 2012/09/25 21:07:16
Location: New England

Re: PBIS/Likewise Open requires disabling SELinux

Postby TrevorH » 2012/09/26 15:15:29

So dm-0 is /dev/mapper/vg_gsc01-lv_root. Now do a df -m and see what mount point that's mounted on - I'm going to take a wild stab in the dark and assume that it's on / so that's what you need in the find command. As indeed, you showed that it was with your next command... and the file that has inode number 260081 is /var/lib/pbis/.lsassd. So what we know is that your login command is trying to access that file and the selinux context that the process is running with doesn't have the ability to read files with that selinux context.

I think your best bet is to use the module approach, so stripping out the bits that I think you do not need, your module file should probably look something like this

module likewise 1.0;

require {
        type local_login_t;
        type var_lib_t;
        class sock_file write;
}

#============= local_login_t ==============
allow local_login_t var_lib_t:sock_file write;


Create a file called likewise.te and put that content in it. Now run the following

checkmodule -M -m -o likewise.mod likewise.te
semodule_package -o likewise.pp -m likewise.mod
semodule -i likewise.pp


That effectively compiles the module source and packages it and then installs it. That should give your process running as local_login_t write access to socket files of type var_lib_t and hopefully that's enough to make it work. The semodule command at the end installs the compiled module and it will stay installed until you uninstall it - surviving reboots along the way.

I'm not sure what your postfix and ssh errors were about but hopefully they are incidental!
TrevorH
Forum Moderator
 
Posts: 9116
Joined: 2009/09/24 10:40:56
Location: Brighton, UK
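The two steps TrevorH describes above (reading the AVC records out of audit.log, then cutting the audit2allow output down to only the domain you care about before building it with checkmodule/semodule_package/semodule) can be done mechanically. The script below is an added example written for this thread; it is not code from the original posts, from PBIS, or from the audit2allow tool. It parses raw `type=AVC` records, groups the denials by source type, target type and object class, and renders a `.te` module restricted to the source domains you name, so the postfix noise never turns into allow rules. The sample records are constructed to match the format of the ones posted in the thread; the module name `likewise` and the domain filter `local_login_t` are taken from the thread.

```python
"""Group SELinux AVC denials from audit.log and emit a minimal .te module.

Added example for this thread (not from the original posts, PBIS, or the
audit2allow tool). It parses raw type=AVC records such as the ones posted
above, groups them by source type / target type / object class, and renders
a policy module limited to the domains you actually care about, which is
the "strip out the postfix bits" step done mechanically instead of by hand.
"""
import re
from collections import defaultdict

# Constructed sample records modelled on the thread's audit.log excerpts.
SAMPLE_AUDIT_LOG = [
    # SYSCALL records carry no SELinux contexts; parse_avc() skips them.
    'type=SYSCALL msg=audit(1348660532.719:51461): arch=c000003e syscall=42 '
    'success=no exit=-13 pid=6590 comm="login" exe="/bin/login"',
    'type=AVC msg=audit(1348660532.719:51461): avc:  denied  { write } for  pid=6590 '
    'comm="login" name=".lsassd" dev=dm-0 ino=260081 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1348661223.355:51497): avc:  denied  { write } for  pid=19843 '
    'comm="pickup" name=".lsassd" dev=dm-0 ino=260081 '
    'scontext=system_u:system_r:postfix_pickup_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1348672921.173:56603): avc:  denied  { connectto } for  pid=19649 '
    'comm="login" path="/var/lib/pbis/.lsassd" '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]+)"\s*(?P<detail>.*?)'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC denial record; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    # File-backed objects report name=, connected sockets report path=
    obj = re.search(r'(?:name|path)="([^"]*)"', rec["detail"])
    rec["object"] = obj.group(1) if obj else None
    return rec


def summarize(lines):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, matching checkmodule syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module_name, rules, keep_domains=None, version="1.0"):
    """Render a .te module. keep_domains (set of source types) drops every
    rule whose source domain is not listed, so unrelated denials such as the
    postfix ones never become allow rules."""
    kept = {k: v for k, v in rules.items()
            if keep_domains is None or k[0] in keep_domains}
    types = sorted({k[0] for k in kept} | {k[1] for k in kept})
    classes = defaultdict(set)
    for (_, _, tclass), perms in kept.items():
        classes[tclass].update(perms)
    out = ["module %s %s;" % (module_name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(kept.items()):
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, fmt_perms(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = summarize(SAMPLE_AUDIT_LOG)
    for key, perms in sorted(denials.items()):
        print("%-20s -> %-20s %-20s %s" % (key[0], key[1], key[2], " ".join(sorted(perms))))
    print()
    print(generate_te("likewise", denials, keep_domains={"local_login_t"}))
```

Run it against a real log with `summarize(open("/var/log/audit/audit.log"))` and write the returned text to `likewise.te`, then build and install it with the checkmodule, semodule_package and semodule commands given above. The filtered output for the sample data is exactly the two-rule module TrevorH posted plus the later `connectto` denial: the generator keeps that rule because its source domain is `local_login_t`, and that is the point of reviewing the module rather than installing it blindly. In a `unix_stream_socket connectto` denial the tcontext is the domain of the process listening on the socket, so `rpm_script_t` there says the lsassd daemon was started from an RPM scriptlet and is running in that domain; allowing `local_login_t` to connect to `rpm_script_t` would paper over that rather than fix it, which is why checking the label of `/var/lib/pbis/.lsassd` with `ls -Z` and the domain of the listening daemon with `ps -eZ` before adding rules is worth the minute it takes.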

Re: PBIS/Likewise Open requires disabling SELinux

Postby littlefixit » 2012/09/26 16:15:40

All right, so I followed the last batch of instructions: I compiled, packaged, and installed the source using the commands you gave me. I then typed 'exit' at the console, and was prompted with the login screen, where I attempted to log in with domain credentials that I confirmed do work with SELinux disabled. I am still unable to log in successfully. I even tried a restart for good measure, but had no luck. Backtracking over the list of instructions you've already provided, I re-cycled the logs to get a fresh copy of the errors being generated; and re-ran the aureport -a to get the following:

1349. 09/26/2012 10:35:52 trivial-rewrite system_u:system_r:postfix_master_t:s0 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 56561
1350. 09/26/2012 11:19:48 semodule unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 56592
1351. 09/26/2012 11:20:13 pickup system_u:system_r:postfix_pickup_t:s0 42 sock_file write unconfined_u:object_r:var_lib_t:s0 denied 56600
1352. 09/26/2012 11:22:01 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56603
1353. 09/26/2012 11:22:01 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56601
1354. 09/26/2012 11:22:04 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56606
1355. 09/26/2012 11:22:04 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56605
1356. 09/26/2012 11:22:07 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56608
1357. 09/26/2012 11:22:07 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56607
1358. 09/26/2012 11:22:07 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56609
1359. 09/26/2012 11:22:09 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56611
1360. 09/26/2012 11:22:13 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56613
1361. 09/26/2012 11:22:21 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56616
1362. 09/26/2012 11:22:24 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56618
1363. 09/26/2012 11:22:24 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56619
1364. 09/26/2012 11:22:24 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56623
1365. 09/26/2012 11:22:24 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56625
1366. 09/26/2012 11:24:17 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56630
1367. 09/26/2012 11:24:17 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 denied 56632
1368. 09/26/2012 11:26:36 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41891
1369. 09/26/2012 11:26:40 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41893
1370. 09/26/2012 11:26:40 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41894
1371. 09/26/2012 11:26:40 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41898
1372. 09/26/2012 11:26:40 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41900
1373. 09/26/2012 11:27:07 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41903
1374. 09/26/2012 11:27:07 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41905
1375. 09/26/2012 11:27:12 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41908
1376. 09/26/2012 11:27:12 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41907
1377. 09/26/2012 11:27:18 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41910
1378. 09/26/2012 11:27:18 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41909
1379. 09/26/2012 11:27:18 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41911
1380. 09/26/2012 11:27:20 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41913
1381. 09/26/2012 11:27:26 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41915
1382. 09/26/2012 11:27:33 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41917
1383. 09/26/2012 11:27:33 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41918
1384. 09/26/2012 11:27:33 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41922
1385. 09/26/2012 11:27:33 login system_u:system_r:local_login_t:s0-s0:c0.c1023 42 unix_stream_socket connectto system_u:system_r:initrc_t:s0 denied 41924


And the detail (much longer than before, I'm afraid--I wanted to make sure I didn't miss anything):

----
time->Wed Sep 26 10:35:52 2012
type=SYSCALL msg=audit(1348670152.439:56561): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff7ad0ee50 a2=6e a3=7fff7ad0ebc0 items=0 ppid=1454 pid=21566 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1348670152.439:56561): avc: denied { write } for pid=21566 comm="trivial-rewrite" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 11:19:48 2012
type=SYSCALL msg=audit(1348672788.114:56592): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7fffe86b1fe0 a2=6e a3=7fffe86b1d50 items=0 ppid=19658 pid=21795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1621 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672788.114:56592): avc: denied { write } for pid=21795 comm="semodule" name=".lsassd" dev=dm-0 ino=260081 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 11:20:13 2012
type=SYSCALL msg=audit(1348672813.502:56600): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff4e5c86b0 a2=6e a3=7fff4e5c8420 items=0 ppid=1454 pid=21810 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1348672813.502:56600): avc: denied { write } for pid=21810 comm="pickup" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
----
time->Wed Sep 26 11:22:01 2012
type=SYSCALL msg=audit(1348672921.173:56603): arch=c000003e syscall=42 success=no exit=-13 a0=1 a1=7fff0dce9260 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1621 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672921.173:56603): avc: denied { connectto } for pid=19649 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:01 2012
type=SYSCALL msg=audit(1348672921.166:56601): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=7fff0dce9250 a2=6e a3=10 items=0 ppid=1 pid=19649 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1621 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672921.166:56601): avc: denied { connectto } for pid=19649 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:04 2012
type=SYSCALL msg=audit(1348672924.855:56606): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff6f2163e0 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672924.855:56606): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:04 2012
type=SYSCALL msg=audit(1348672924.829:56605): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff6f2160c0 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672924.829:56605): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:07 2012
type=SYSCALL msg=audit(1348672927.601:56608): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff6f216260 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672927.601:56608): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:07 2012
type=SYSCALL msg=audit(1348672927.601:56607): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff6f2162d0 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672927.601:56607): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:07 2012
type=SYSCALL msg=audit(1348672927.602:56609): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff6f216320 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672927.602:56609): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:09 2012
type=SYSCALL msg=audit(1348672929.344:56611): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff6f216420 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672929.344:56611): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:13 2012
type=SYSCALL msg=audit(1348672933.537:56613): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff6f2163e0 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672933.537:56613): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:21 2012
type=SYSCALL msg=audit(1348672941.958:56616): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff6f2163e0 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672941.958:56616): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:24 2012
type=SYSCALL msg=audit(1348672944.441:56618): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff6f216260 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672944.441:56618): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:24 2012
type=SYSCALL msg=audit(1348672944.441:56619): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff6f216260 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672944.441:56619): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:24 2012
type=SYSCALL msg=audit(1348672944.497:56623): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff6f216470 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1647 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672944.497:56623): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:22:24 2012
type=SYSCALL msg=audit(1348672944.515:56625): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff6f216470 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1647 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348672944.515:56625): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:24:17 2012
type=SYSCALL msg=audit(1348673057.361:56630): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=7fff6f216470 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1647 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673057.361:56630): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Wed Sep 26 11:24:17 2012
type=SYSCALL msg=audit(1348673057.363:56632): arch=c000003e syscall=42 success=no exit=-13 a0=1 a1=7fff6f216480 a2=6e a3=10 items=0 ppid=1 pid=21821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1647 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673057.363:56632): avc: denied { connectto } for pid=21821 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:26 2012
type=CRYPTO_SESSION msg=audit(1348587446.817:41891): user pid=1180 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 spid=1181 suid=74 rport=59367 laddr=50.195.21.250 lport=22 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:26:36 2012
type=SYSCALL msg=audit(1348673196.758:41891): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff646fb620 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673196.758:41891): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:27 2012
type=USER_LOGIN msg=audit(1348587447.788:41893): user pid=1180 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=ssh res=failed'
----
time->Wed Sep 26 11:26:40 2012
type=SYSCALL msg=audit(1348673200.571:41893): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff646fb4a0 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673200.571:41893): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:30 2012
type=USER_AUTH msg=audit(1348587450.032:41894): user pid=1180 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=200.41.233.234 addr=200.41.233.234 terminal=ssh res=failed'
----
time->Wed Sep 26 11:26:40 2012
type=SYSCALL msg=audit(1348673200.571:41894): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff646fb4a0 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673200.571:41894): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:30 2012
type=CRYPTO_KEY_USER msg=audit(1348587450.248:41898): user pid=1180 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=b7:64:36:27:ac:a7:44:8f:7d:36:46:99:bc:9c:52:05 direction=? spid=1180 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:26:40 2012
type=SYSCALL msg=audit(1348673200.663:41898): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fff646fb6b0 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673200.663:41898): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:30 2012
type=CRYPTO_KEY_USER msg=audit(1348587450.698:41900): user pid=1183 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=33:f9:2a:81:e0:86:b0:4b:49:b3:f1:3e:53:7c:25:c2 direction=? spid=1183 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:26:40 2012
type=SYSCALL msg=audit(1348673200.758:41900): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff646fb6b0 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673200.758:41900): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:30 2012
type=CRYPTO_SESSION msg=audit(1348587450.917:41903): user pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 spid=1183 suid=74 rport=59691 laddr=50.195.21.250 lport=22 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:07 2012
type=SYSCALL msg=audit(1348673227.563:41903): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=7fff646fb6b0 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673227.563:41903): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:33 2012
type=USER_AUTH msg=audit(1348587453.686:41905): user pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=200.41.233.234 addr=200.41.233.234 terminal=ssh res=failed'
----
time->Wed Sep 26 11:27:07 2012
type=SYSCALL msg=audit(1348673227.566:41905): arch=c000003e syscall=42 success=no exit=-13 a0=1 a1=7fff646fb6c0 a2=6e a3=10 items=0 ppid=1 pid=5461 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673227.566:41905): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:33 2012
type=CRYPTO_KEY_USER msg=audit(1348587453.910:41908): user pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=33:f9:2a:81:e0:86:b0:4b:49:b3:f1:3e:53:7c:25:c2 direction=? spid=1182 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:12 2012
type=SYSCALL msg=audit(1348673232.430:41908): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffd7fa0ed0 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673232.430:41908): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:33 2012
type=CRYPTO_KEY_USER msg=audit(1348587453.909:41907): user pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1183 suid=74 rport=59691 laddr=50.195.21.250 lport=22 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:12 2012
type=SYSCALL msg=audit(1348673232.408:41907): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffd7fa0bb0 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673232.408:41907): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:33 2012
type=USER_LOGIN msg=audit(1348587453.911:41910): user pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=ssh res=failed'
----
time->Wed Sep 26 11:27:18 2012
type=SYSCALL msg=audit(1348673238.454:41910): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffd7fa0d50 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673238.454:41910): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:33 2012
type=CRYPTO_KEY_USER msg=audit(1348587453.910:41909): user pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=b7:64:36:27:ac:a7:44:8f:7d:36:46:99:bc:9c:52:05 direction=? spid=1182 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:18 2012
type=SYSCALL msg=audit(1348673238.454:41909): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffd7fa0dc0 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673238.454:41909): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:34 2012
type=CRYPTO_KEY_USER msg=audit(1348587454.347:41911): user pid=1185 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=33:f9:2a:81:e0:86:b0:4b:49:b3:f1:3e:53:7c:25:c2 direction=? spid=1185 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:18 2012
type=SYSCALL msg=audit(1348673238.455:41911): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffd7fa0e10 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673238.455:41911): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:34 2012
type=CRYPTO_SESSION msg=audit(1348587454.560:41913): user pid=1184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 spid=1185 suid=74 rport=59979 laddr=50.195.21.250 lport=22 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:20 2012
type=SYSCALL msg=audit(1348673240.815:41913): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffd7fa0f10 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673240.815:41913): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:37 2012
type=USER_AUTH msg=audit(1348587457.273:41915): user pid=1184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=200.41.233.234 addr=200.41.233.234 terminal=ssh res=failed'
----
time->Wed Sep 26 11:27:26 2012
type=SYSCALL msg=audit(1348673246.681:41915): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffd7fa0ed0 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673246.681:41915): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:37 2012
type=CRYPTO_KEY_USER msg=audit(1348587457.485:41917): user pid=1184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1185 suid=74 rport=59979 laddr=50.195.21.250 lport=22 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:33 2012
type=SYSCALL msg=audit(1348673253.135:41917): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffd7fa0d50 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673253.135:41917): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:37 2012
type=CRYPTO_KEY_USER msg=audit(1348587457.487:41918): user pid=1184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=33:f9:2a:81:e0:86:b0:4b:49:b3:f1:3e:53:7c:25:c2 direction=? spid=1184 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:33 2012
type=SYSCALL msg=audit(1348673253.135:41918): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffd7fa0d50 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673253.135:41918): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Tue Sep 25 11:37:37 2012
type=CRYPTO_KEY_USER msg=audit(1348587457.937:41922): user pid=1188 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=b7:64:36:27:ac:a7:44:8f:7d:36:46:99:bc:9c:52:05 direction=? spid=1188 suid=0 exe="/usr/sbin/sshd" hostname=? addr=200.41.233.234 terminal=? res=success'
----
time->Wed Sep 26 11:27:33 2012
type=SYSCALL msg=audit(1348673253.189:41922): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffd7fa0f60 a2=6e a3=10 items=0 ppid=1 pid=5614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1348673253.189:41922): avc: denied { connectto } for pid=5614 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket


The output of the audit2allow command came back as:

Code: Select all
#============= local_login_t ==============
allow local_login_t initrc_t:unix_stream_socket connectto;

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t var_lib_t:sock_file write;

#============= postfix_master_t ==============
allow postfix_master_t var_lib_t:sock_file write;

#============= postfix_smtp_t ==============
allow postfix_smtp_t var_lib_t:sock_file write;


Is there a command I can run to see if my module was installed correctly, and is working the way it should?
littlefixit
 
Posts: 9
Joined: 2012/09/25 21:07:16
Location: New England

Re: PBIS/Likewise Open requires disabling SELinux

Postby TrevorH » 2012/09/26 20:02:40

While you are debugging this issue, you should leave selinux in permissive mode so that it does not deny anything. The denials will be logged but they won't actually be denied.

Also, when you pipe the audit log output into audit2allow I would pass it through grep -v postfix and grep -v ssh on the way so that it doesn't include those extraneous items.

I'd add this bit to the existing policy file you have at the moment and re-run the steps to install it.

Code: Select all
#============= local_login_t ==============
allow local_login_t initrc_t:unix_stream_socket connectto;


You may need to either uninstall the existing one before you can load the new one or, possibly, increment the version number at the top of the file before you build it.
TrevorH
Forum Moderator
 
Posts: 9116
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PBIS/Likewise Open requires disabling SELinux

Postby littlefixit » 2012/09/26 20:26:20

Sorry to bother you with what may turn out to be a simple question, but when I try to add both lines to the newly updated policy, I get an error message. First, I removed the existing policy by running the `semodule -r likewise.pp` command. It hung for a moment (Working, I assume) and then came back without any errors, so I went on to step two. I modified the policy from the example you posted above to the following, adding the one line you added in your last post:

Code: Select all
module likewise 1.1;

require {
        type local_login_t;
        type var_lib_t;
        class sock_file write;
}

#============= local_login_t ==============
allow local_login_t var_lib_t:sock_file write;
allow local_login_t initrc_t:unix_stream_socket connectto;


And the error I get when I attempt to run `checkmodule -M -m -o likewise.mod likewise.te` is:
Code: Select all
checkmodule:  loading policy configuration from likewise.te
likewise.te:11:ERROR 'unknown type initrc_t' at token ';' on line 11:
allow local_login_t initrc_t:unix_stream_socket connectto;
allow local_login_t var_lib_t:sock_file write;
checkmodule:  error(s) encountered while parsing configuration


I can only assume this either means I am not supposed to have two 'allow' statements, or my syntax is incorrect, but I didn't want to remove the old one without having an expert look at it so I wouldn't create an obscure problem that would trip me up down the road...
littlefixit
 
Posts: 9
Joined: 2012/09/25 21:07:16
Location: New England

Re: PBIS/Likewise Open requires disabling SELinux

Postby TrevorH » 2012/09/26 21:05:37

I think you need to amend it to read (guesswork!)

Code: Select all
module likewise 1.1;

require {
        type local_login_t;
        type var_lib_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= local_login_t ==============
allow local_login_t var_lib_t:sock_file write;
allow local_login_t initrc_t:unix_stream_socket connectto;
TrevorH
Forum Moderator
 
Posts: 9116
Joined: 2009/09/24 10:40:56
Location: Brighton, UK
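The pipeline the two replies describe (filter the ausearch output, let audit2allow write a module, build and load it), as an added example that is not from the thread or from PBIS: a small awk stand-in for audit2allow that shows why the require block has to declare initrc_t and the unix_stream_socket class before the allow rules can use them, followed by the real build and verification commands. The function names and the sample audit lines are constructed for this example (the local_login_t write denial is modelled on the 1.0 module, the others on lines quoted in the thread); the real tool call it imitates is `audit2allow -M likewise`.

```shell
#!/bin/sh
# Added example, not code from the thread or from PBIS/Likewise Open.
# sample_audit_lines, filter_denials, avc_to_te and install_and_verify are
# constructed names; the sample audit lines are constructed for this example.

# Constructed sample of ausearch output, modelled on the denials quoted above
# (real audit.log lines pad "avc:  denied  { ... }  for" with double spaces).
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1348670000.000:56000): avc:  denied  { write }  for  pid=19649 comm="login" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1348673196.758:41891): avc: denied { connectto } for pid=5461 comm="login" path="/var/lib/pbis/.lsassd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348672813.502:56600): avc: denied { write } for pid=21810 comm="pickup" name=".lsassd" dev=dm-0 ino=260081 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file
type=USER_AUTH msg=audit(1348587457.273:41915): user pid=1184 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=failed'
EOF
}

# TrevorH's filtering advice: drop the postfix and ssh noise before generating
# rules. Only AVC records carry the source/target/class triple, so keep those.
filter_denials() {
    grep '^type=AVC' | grep -v postfix | grep -v ssh
}

# Minimal audit2allow stand-in: one AVC denial -> one allow rule, and every
# type and class/permission used by a rule is declared in require {}.
# Leaving "type initrc_t;" out is exactly what produced the
# "unknown type initrc_t" error from checkmodule in the thread.
avc_to_te() {
    awk -v mod="${1:-local}" '
    /^type=AVC/ {
        gsub(/[ \t]+/, " ")                  # normalise audit.log double spaces
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        b = index($0, "denied { "); e = index($0, " }")
        if (src == "" || tgt == "" || cls == "" || b == 0 || e <= b) next
        np = split(substr($0, b + 9, e - b - 9), perm, " ")
        if (!(src in seen_t)) { seen_t[src] = 1; types[++nt] = src }
        if (!(tgt in seen_t)) { seen_t[tgt] = 1; types[++nt] = tgt }
        if (!(cls in seen_c)) { seen_c[cls] = 1; classes[++nc] = cls }
        rk = src " " tgt ":" cls
        if (!(rk in seen_r)) { seen_r[rk] = 1; rules[++nr] = rk }
        for (j = 1; j <= np; j++) {          # merge permissions per rule and per class
            if (index(" " rperm[rk] " ", " " perm[j] " ") == 0)
                rperm[rk] = rperm[rk] (rperm[rk] == "" ? "" : " ") perm[j]
            if (index(" " cperm[cls] " ", " " perm[j] " ") == 0)
                cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") perm[j]
        }
    }
    function fmt(p,   n, x) { n = split(p, x, " "); return (n == 1) ? x[1] : "{ " p " }" }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= nt; i++) print "        type " types[i] ";"
        for (i = 1; i <= nc; i++) print "        class " classes[i] " " fmt(cperm[classes[i]]) ";"
        print "}"
        for (i = 1; i <= nr; i++) {
            split(rules[i], r, " ")
            print ""
            print "allow " r[1] " " r[2] " " fmt(rperm[rules[i]]) ";"
        }
    }'
}

# Real policycoreutils/setools commands for building, loading and checking the
# module (needs root on a SELinux host, so the sample run below does not call it).
# If an older module of the same name is loaded, bump the version in the .te
# or "semodule -r" it first, as TrevorH notes.
install_and_verify() {
    mod="$1"
    checkmodule -M -m -o "$mod.mod" "$mod.te" || return 1
    semodule_package -o "$mod.pp" -m "$mod.mod" || return 1
    semodule -i "$mod.pp" || return 1
    semodule -l | grep "^$mod"                   # is the module loaded?
    sesearch --allow -s local_login_t -t initrc_t -c unix_stream_socket -p connectto  # is the rule in the live policy?
    ausearch -m avc -c login -ts recent          # does login still get denied?
}

# Sample run: prints the generated likewise.te for the constructed denials.
sample_audit_lines | filter_denials | avc_to_te likewise
```

The generated file matches the corrected module in the last reply; once it is written to likewise.te, `install_and_verify likewise` builds it and answers the "is it installed and working?" question with semodule -l, sesearch and a fresh ausearch.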
