On Sat, Feb 23, 2013 at 05:59:28PM -0500, Ben P. wrote:
> > > avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/"
> > > dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t
> > > tcontext=system_u:object_r:sysfs_t tclass=dir
> > > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/"
> > > dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t
> > > tcontext=system_u:object_r:security_t tclass=filesystem
> > > avc: denied { getattr } for pid=1084 comm="unix_chkpwd"
> > > path="/sys/fs/selinux" dev="selinuxfs" ino=1
> > > scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t
>
> 2.) Plays with the file contexts a bit. It tries to keep the correct file
> contexts correct on /etc/passwd and /etc/shadow (I think). So it has to read
> the correct contexts from selinux? (calls setfscreatecon() and
> getfscreatecon())

Makes sense; if unix_chkpwd is SELinux-aware, it probably wants to read some
files in the SELinux file system, which is under /sys (thus the search
privileges on sysfs_t directories).
The filesystem one however (getattr on security_t filesystem) is not clear
to me (I find the "filesystem" class difficult to grasp). I *think* that
getattr on filesystem classes is something like getting the mount options of
a file system?
Alas, http://www.selinuxproject.org/page/ObjectClassesPerms#filesystem isn't
clear on this :-(

> Still lots to learn I guess

Same here :-/

Wkr,
Sven Vermeulen
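An added example, not part of this thread: a small Python parser that groups AVC denials like the ones quoted above into audit2allow-style candidate rules, keyed by source type, target type and object class. The sample input is the three denials from the thread, each reflowed onto one line; the third is kept without a tclass field, as it appears on the page, and the parser flags such records instead of silently dropping them.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the thread, reflowed onto
# one line each. The third one has no tclass field, exactly as quoted.
SAMPLE_AVC = """\
avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line (verdict, perms list, key=value fields) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))})
    return rec


def type_of(context):
    # system_u:system_r:chkpwd_t -> chkpwd_t (a trailing MLS level is ignored)
    return context.split(':')[2]


def summarize(text):
    """Group denials as (source type, target type, class) -> set of permissions.
    A record without tclass is kept under class '?' so it is not lost."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec.get('tclass', '?'))
        rules[key].update(rec['perms'])
    return dict(rules)


def to_allow_rules(rules):
    """Render the groups the way audit2allow would; unknown class gets a comment."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if cls == '?':
            out.append(f'# incomplete record: {src} -> {tgt} {{ {perm_str} }} (tclass missing)')
        else:
            out.append(f'allow {src} {tgt}:{cls} {{ {perm_str} }};')
    return out
```

Grouping by class is what separates the two `getattr` denials: the same permission name means a different kernel check per class, and for the `filesystem` class `getattr` is the permission the kernel checks on statfs(2) against that filesystem's label.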