Re: making a file context change work for initrc_t and unconfined_t

On Feb 1, 2012, at 11:50 AM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/01/2012 11:37 AM, Maria Iano wrote:
>
>> On Feb 1, 2012, at 11:30 AM, Daniel J Walsh wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 01/31/2012 05:33 PM, Maria Iano wrote:
>>>> I have a RHEL 6.2 server running LikewiseOpen. It appears to
>>>> me that I will take care of a large number of denials if I can
>>>> change the type of /var/lib/likewise/.lsassd to be
>>>> lsassd_var_socket_t.
>>>>
>>>> I added the file context rule with semanage, and used
>>>> restorecon to change it to lsassd_var_socket_t as desired. But
>>>> later I found that /var/lib/likewise/.lsassd had type var_lib_t
>>>> again. I assume that is because the likewise processes run as
>>>> initrc_t.
>>>>
>>>> I'd like to change the policy and tell it that services running
>>>> in either initrc_t or unconfined_t domains should create the
>>>> file /var/lib/likewise/.lsassd with type lsassd_var_socket_t.
>>>> (A command line tool, lwsm, for managing the processes runs in
>>>> unconfined_t, so I'd like to include that domain to be safe.)
>>>> How can I go about doing that in RHEL 6 (or can I)?
>>>>
>>>> Thanks,
>>>> Maria
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> What label do you have on /var/lib/likewise?
>>
>> system_u:object_r:var_lib_t:s0
>
> In that case why not just label it lsassd_var_lib_t?
>
> Currently the labeling is
>
> /var/lib/likewise-open(/.*)?  gen_context(system_u:object_r:likewise_var_lib_t,s0)
>
> If you label it similar, then you have a step in the right direction.
>
> I am not sure who wrote policy for the likewise domain, but I think I
> would eliminate all of the different labels.  But I guess that is the
> way it is.
>
> If unconfined_t is creating a socket in the directory then I guess it
> would be listening on the socket, but other domains would not be
> allowed to communicate.
>
> One potential option if you got all of the labeling correct would be
> to use restorecond.


I actually had somehow not noticed those file contexts for the likewise-open directories, thank you. I added all of the file contexts for likewise (which involved replacing likewise-open with likewise to match my system). I also turned on the restorecond service. When restorecond is not running the file /var/lib/likewise/.lsassd does get relabeled incorrectly but now that restorecond is running it's being fixed immediately. Thank you!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
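The thread turns on two facts about SELinux labeling that the messages state but do not spell out: a file_contexts entry only tells restorecon/restorecond what the label *should* be (a newly created file takes its parent directory's type unless a type_transition rule says otherwise, which is why the socket kept coming back as var_lib_t under initrc_t), and lookup picks the last matching entry, with the entries semanage adds to file_contexts.local consulted after the policy's own. The following Python model is an added example, not code from the thread or from the selinux policy. The "stock" entries are constructed to resemble the likewise-open rule Dan quoted plus plausible neighbours, the "local" entries model what Maria's semanage additions (with likewise-open renamed to likewise) would look like, and the observed labels are constructed sample data. It shows why the stock entries leave /var/lib/likewise/.lsassd as var_lib_t, what the local entries change, and which paths a restorecon/restorecond pass would relabel.

```python
"""Toy model of SELinux file_contexts lookup and a restorecon-style relabel plan.

Constructed example: the entries and observed labels below are sample data,
not a copy of any real policy.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class FcEntry(NamedTuple):
    regex: str              # path regex; the matcher anchors it at both ends
    ftype: Optional[str]    # optional type column: "--" file, "-d" dir, "-s" socket, ...; None = any
    context: str            # security context, or "<<none>>" for "leave unlabeled"


def parse_file_contexts(text: str) -> List[FcEntry]:
    """Parse file_contexts-style lines: REGEX [TYPE] CONTEXT, '#' comments allowed."""
    entries: List[FcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
        elif len(parts) == 2:
            (regex, context), ftype = parts, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        entries.append(FcEntry(regex, ftype, context))
    return entries


def match_context(entries: List[FcEntry], path: str, ftype: str = "--") -> Optional[str]:
    """Return the context of the last matching entry (libselinux rule), or None."""
    for entry in reversed(entries):
        if entry.ftype is not None and entry.ftype != ftype:
            continue                      # type column restricts the entry to that file kind
        if re.fullmatch(entry.regex, path):
            return None if entry.context == "<<none>>" else entry.context
    return None


def plan_relabel(entries: List[FcEntry],
                 observed: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """What restorecon/restorecond would change: (path, current, expected) per mismatch.

    observed maps path -> (ftype, current context) as ls -Z would report it.
    """
    plan = []
    for path, (ftype, current) in observed.items():
        expected = match_context(entries, path, ftype)
        if expected is not None and expected != current:
            plan.append((path, current, expected))
    return plan


# Constructed stand-in for the policy's own file_contexts (note likewise-open).
STOCK_FILE_CONTEXTS = parse_file_contexts(r"""
/.*                                   system_u:object_r:default_t:s0
/var/lib(/.*)?                        system_u:object_r:var_lib_t:s0
/var/lib/likewise-open(/.*)?          system_u:object_r:likewise_var_lib_t:s0
/var/lib/likewise-open/\.lsassd  -s   system_u:object_r:lsassd_var_socket_t:s0
""")

# Constructed stand-in for file_contexts.local after semanage fcontext -a,
# with the directory name changed to match a system that uses /var/lib/likewise.
LOCAL_FILE_CONTEXTS = parse_file_contexts(r"""
/var/lib/likewise(/.*)?               system_u:object_r:likewise_var_lib_t:s0
/var/lib/likewise/\.lsassd       -s   system_u:object_r:lsassd_var_socket_t:s0
""")

# Local entries come after the policy's, so they win ties under "last match wins".
EFFECTIVE_FILE_CONTEXTS = STOCK_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS

# Constructed on-disk state: the socket has reverted to its parent directory's type.
OBSERVED_LABELS = {
    "/var/lib/likewise":           ("-d", "system_u:object_r:likewise_var_lib_t:s0"),
    "/var/lib/likewise/.lsassd":   ("-s", "system_u:object_r:var_lib_t:s0"),
    "/var/lib/likewise/db/sam.db": ("--", "system_u:object_r:likewise_var_lib_t:s0"),
}

if __name__ == "__main__":
    sock = "/var/lib/likewise/.lsassd"
    print("stock policy  :", match_context(STOCK_FILE_CONTEXTS, sock, "-s"))
    print("with local    :", match_context(EFFECTIVE_FILE_CONTEXTS, sock, "-s"))
    for path, current, expected in plan_relabel(EFFECTIVE_FILE_CONTEXTS, OBSERVED_LABELS):
        print(f"relabel {path}: {current} -> {expected}")
```

With only the stock entries the socket falls through to the `/var/lib(/.*)?` rule and gets var_lib_t, exactly the label Maria kept finding; once the local entries are present the same lookup yields lsassd_var_socket_t, and the relabel plan lists just that one path, which is the change restorecond applies as soon as the daemon recreates the socket.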
