selinux denials and how to create your own module

Solution Unverified - Updated -

Issue

  • cgconfig refuses to start with users from NIS

When a NIS user is referenced in /etc/cgconfig.conf, the cgconfig service refuses to start. This happens when cgconfig is started after the ypbind service.

However, "/sbin/cgconfigparser -l /etc/cgconfig.conf" seems to work fine.

After checking the strace output found in /tmp/strace-cgconfigparser-from-initscript.out, it looks like SELinux is blocking access:

From the strace output:

3455  open("/var/yp/binding/osglab.com.2", O_RDONLY) = -1 EACCES (Permission denied)
3455  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = -1 EACCES (Permission denied)
3455  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = -1 EACCES (Permission denied)

/var/log/audit/audit.log:

type=SYSCALL msg=audit(1331784129.364:91068): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=3723 pid=3724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cgconfigparser" exe="/sbin/cgconfigparser" subj=unconfined_u:system_r:cgconfig_t:s0 key=(null)
type=AVC msg=audit(1331784129.364:91069): avc:  denied  { create } for  pid=3724 comm="cgconfigparser" scontext=unconfined_u:system_r:cgconfig_t:s0 tcontext=unconfined_u:system_r:cgconfig_t:s0 tclass=tcp_socket
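The AVC record above carries everything a local policy module needs: the source type (cgconfig_t), the target type, the object class (tcp_socket) and the denied permission (create). As an added example that is not part of this Red Hat solution, the following Python parses such records and renders the .te source that audit2allow -M would generate for them; the two records quoted above are its constructed sample input, and the module name local_cgconfig is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit.log records quoted on this page, one per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1331784129.364:91068): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=3723 pid=3724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cgconfigparser" exe="/sbin/cgconfigparser" subj=unconfined_u:system_r:cgconfig_t:s0 key=(null)
type=AVC msg=audit(1331784129.364:91069): avc:  denied  { create } for  pid=3724 comm="cgconfigparser" scontext=unconfined_u:system_r:cgconfig_t:s0 tcontext=unconfined_u:system_r:cgconfig_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, values may be quoted

def parse_avc(line):
    """Parse one AVC denial record; returns None for SYSCALL and other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # Contexts are user:role:type:level; policy rules are written on the type field.
    return {'serial': int(m.group('serial')), 'comm': kv.get('comm'), 'tclass': kv['tclass'],
            'perms': set(m.group('perms').split()),
            'stype': kv['scontext'].split(':')[2], 'ttype': kv['tcontext'].split(':')[2]}

def fmt_perms(perms):
    """Single permission bare, several in braces, as the policy language expects."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'

def te_rule(stype, ttype, tclass, perms):
    """One allow rule in audit2allow's style: 'self' when source and target types match."""
    target = 'self' if stype == ttype else ttype
    return f'allow {stype} {target}:{tclass} {fmt_perms(perms)};'

def te_module(name, log_text):
    """Build .te source covering every AVC denial in log_text, merged per (stype, ttype, class)."""
    merged, classes = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
            classes[d['tclass']] |= d['perms']
    types = sorted({t for key in merged for t in key[:2]})
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [te_rule(*key, merged[key]) for key in sorted(merged)]
    return '\n'.join(out) + '\n'
```

The generated source is compiled and loaded with checkmodule -M -m, semodule_package and semodule -i, the same steps audit2allow -M runs. Before loading it, confirm each rule is no broader than the access the service actually needs, here the socket the NIS lookup opens.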

Environment

  • Red Hat Enterprise Linux 6.2
