SELinux denials and how to create your own module
Issue
- cgconfig refuses to start with users from NIS
When we have a NIS user in /etc/cgconfig.conf, the cgconfig service refuses to start. This happens even though the ypbind service has already started.
However, "/sbin/cgconfigparser -l /etc/cgconfig.conf" seems to work fine.
After checking the strace output found in /tmp/strace-cgconfigparser-from-initscript.out, it looks like SELinux is blocking access: the EACCES returned by open() on the NIS binding file and by socket() matches the AVC record in the audit log below, which denies the cgconfig_t domain the create permission on a tcp_socket (syscall 41 on x86_64 is socket(); a0=2, a1=1, a2=6 are PF_INET, SOCK_STREAM, IPPROTO_TCP).
from the strace output:
3455 open("/var/yp/binding/osglab.com.2", O_RDONLY) = -1 EACCES (Permission denied)
3455 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = -1 EACCES (Permission denied)
3455 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = -1 EACCES (Permission denied)
/var/log/audit/audit.log:
type=SYSCALL msg=audit(1331784129.364:91068): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=3723 pid=3724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cgconfigparser" exe="/sbin/cgconfigparser" subj=unconfined_u:system_r:cgconfig_t:s0 key=(null)
type=AVC msg=audit(1331784129.364:91069): avc: denied { create } for pid=3724 comm="cgconfigparser" scontext=unconfined_u:system_r:cgconfig_t:s0 tcontext=unconfined_u:system_r:cgconfig_t:s0 tclass=tcp_socket
Environment
- Red Hat Enterprise Linux 6.2
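The script below is an added example and is not part of this article or of Red Hat's tooling. It turns AVC denial records like the one above into a minimal SELinux type-enforcement (.te) module, which is what audit2allow -M does, and then shows the checkmodule / semodule_package / semodule steps that compile and load it. The first sample record is the AVC from this article; the second (a read denial on the NIS binding file with target type var_yp_t) is constructed for illustration, and the module name local_cgconfig is arbitrary.

```shell
#!/bin/sh
# Added example (not Red Hat's code): build a local SELinux policy module from
# AVC denial lines, the way "audit2allow -M <name>" does.
set -u

# Constructed sample input. Line 1 is the AVC from the article; line 2 is an
# assumed denial for the NIS binding file (tcontext type var_yp_t is an
# assumption made for illustration, not taken from the article).
SAMPLE_AUDIT='type=AVC msg=audit(1331784129.364:91069): avc: denied { create } for pid=3724 comm="cgconfigparser" scontext=unconfined_u:system_r:cgconfig_t:s0 tcontext=unconfined_u:system_r:cgconfig_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331784129.364:91070): avc: denied { read } for pid=3724 comm="cgconfigparser" name="osglab.com.2" scontext=unconfined_u:system_r:cgconfig_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file'

# avc_to_rules: read audit records on stdin, print one tuple per denial:
#   <source type> <target type|self> <class> <permission...>
# Non-AVC records (SYSCALL, PATH, ...) are ignored.
avc_to_rules() {
  grep 'avc: *denied' |
  sed -n 's/.*denied *{ *\([^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
  while read -r src tgt cls perms; do
    # a denial against the domain's own objects is written as "self"
    [ "$src" = "$tgt" ] && tgt=self
    printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$perms"
  done | sort -u
}

# write_te: emit a complete .te module named $1 from audit records on stdin.
write_te() {
  module=$1
  avc_to_rules | awk -v module="$module" '
    {
      src = $1; tgt = $2; cls = $3
      perms = ""
      for (i = 4; i <= NF; i++) perms = perms (perms ? " " : "") $i
      types[src] = 1; if (tgt != "self") types[tgt] = 1
      # collect each class/permission pair once for the require block
      for (i = 4; i <= NF; i++) if (!seen[cls, $i]++) classperms[cls] = classperms[cls] " " $i
      rules[NR] = sprintf("allow %s %s:%s { %s };", src, tgt, cls, perms)
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", module
      for (t in types) printf "\ttype %s;\n", t
      for (c in classperms) printf "\tclass %s {%s };\n", c, classperms[c]
      printf "}\n\n"
      for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# install_module: compile $1.te and load it. Needs root and the checkmodule,
# semodule_package and semodule tools (policycoreutils on RHEL 6).
install_module() {
  module=$1
  if ! command -v checkmodule >/dev/null 2>&1; then
    echo "checkmodule not found; install policycoreutils" >&2
    return 1
  fi
  checkmodule -M -m -o "$module.mod" "$module.te" &&
  semodule_package -o "$module.pp" -m "$module.mod" &&
  semodule -i "$module.pp"
}

# Only build and load when explicitly asked, so the file is safe to source.
# On a real host replace the sample with:
#   grep cgconfigparser /var/log/audit/audit.log | write_te local_cgconfig > local_cgconfig.te
if [ "${1:-}" = "--install" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | write_te local_cgconfig > local_cgconfig.te
  install_module local_cgconfig
fi
```

Review the generated allow rules before loading them: every rule widens what cgconfig_t may do, so keep only what the failing operation needs. On RHEL 6 also check `getsebool allow_ypbind` first; where a domain's policy honours that boolean, `setsebool -P allow_ypbind 1` is the intended way to let it talk to NIS and is preferable to a local module.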
