Linux Archive (http://www.linux-archive.org/) / Fedora SELinux Support / Got things working, but not sure how (http://www.linux-archive.org/fedora-selinux-support/335512-got-things-working-but-not-sure-how.html)

"Scott Salley" 03-03-2010 10:10 PM

Got things working, but not sure how
 
I’d like to thank the mailing list inhabitants for all
the help you’ve given me. So, Thanks!


I modified the targeted policy for Fedora 12 and got Likewise
Open to install, join Active Directory, and allow users to authenticate without
any problems! The problem is, I’m not quite sure what some of the rules
do and whether they are necessary.


For example, I patched the authentication daemon (lsassd) to
properly set up the user’s home directory and I’m using matchpathcon(3)
and setfilecon(3). At first, matchpathcon would fail but I could find *no*
messages indicating a problem. I finally copied a block of rules from another
policy and that worked.


The rules I copied are:


selinux_get_fs_mount(lsassd_t)
selinux_validate_context(lsassd_t)
selinux_compute_access_vector(lsassd_t)
selinux_compute_create_context(lsassd_t)
selinux_compute_relabel_context(lsassd_t)
selinux_compute_user_contexts(lsassd_t)

Now I could try things one by one and see what works and
what doesn’t, but I have some other rule blocks where I have the same
type of problem and then a combinatorial explosion gets involved. I have also
tried looking things up online, but pages like this (http://www.softeh.ro/doc/selinux-policy-2.2.23/html/kernel_selinux.html)
did not really help me for many of the rules.


What have I missed? Is there another level of logging I
could turn on somewhere?







--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Stephen Smalley 03-04-2010 12:12 PM

Got things working, but not sure how
 
On Wed, 2010-03-03 at 18:10 -0500, Scott Salley wrote:
> I’d like to thank the mailing list inhabitants for all the help you’ve
> given me. So, Thanks!
>
>
>
> I modified the targeted policy for Fedora 12 and got Likewise Open to
> install, join Active Directory, and allow users to authenticate
> without any problems! The problem is, I’m not quite sure what some of
> the rules do and whether they are necessary.
>
>
>
> For example, I patched the authentication daemon (lsassd) to properly
> set up the user’s home directory and I’m using matchpathcon(3) and
> setfilecon(3). At first, matchpathcon would fail but I could find *no*
> messages indicating a problem.

Use semodule -DB, as described in:
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html
And later revert with semodule -B.

> I finally copied a block of rules from another policy and that
> worked.
>
>
>
> The rules I copied are:
>
> selinux_get_fs_mount(lsassd_t)
>
> selinux_validate_context(lsassd_t)
>
> selinux_compute_access_vector(lsassd_t)
>
> selinux_compute_create_context(lsassd_t)
>
> selinux_compute_relabel_context(lsassd_t)
>
> selinux_compute_user_contexts(lsassd_t)

I don't think you need any of the selinux_compute_* interfaces.

> Now I could try things one by one and see what works and what doesn’t,
> but I have some other rule blocks where I have the same type of
> problem and then a combinatorial explosion gets involved. I have also
> tried looking things up online, but pages like this
> (http://www.softeh.ro/doc/selinux-policy-2.2.23/html/kernel_selinux.html) did not really help me for many of the rules.
>
>
>
> What have I missed? Is there another level of logging I could turn on
> somewhere?

Yes, semodule -DB.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
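Stephen's advice is to stop the dontaudit rules from hiding the denials (semodule -DB) and then read the AVC records from the audit log. As an added example that is not part of the thread, the Python below groups AVC denials by source type, target type and object class so that the permissions lsassd_t actually needs can be read off in one pass instead of copying interface blocks blind; the audit lines are constructed, and the rendered allow rules are the raw TE form rather than the reference-policy interfaces a module would normally call.

```python
"""Aggregate SELinux AVC denials per (source type, target type, class).
Added example, not from the thread. Intended workflow on the target box:
`semodule -DB` (stop dontaudit hiding denials), exercise the daemon,
`ausearch -m avc -ts recent`, then `semodule -B` to restore the policy."""
import re
from collections import defaultdict

# Constructed audit.log records (not real output): matchpathcon(3) reading the
# file_contexts database, setfilecon(3) relabelling a new home directory, and
# one httpd_t record as noise from another domain to show the filter.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1267654321.123:456): avc:  denied  { read } for  pid=1234 comm="lsassd" name="file_contexts" dev=dm-0 ino=1111 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1267654321.123:457): avc:  denied  { open } for  pid=1234 comm="lsassd" name="file_contexts" dev=dm-0 ino=1111 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1267654322.001:458): avc:  denied  { relabelfrom } for  pid=1234 comm="lsassd" name="jdoe" dev=dm-0 ino=2222 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1267654322.001:459): avc:  denied  { relabelto } for  pid=1234 comm="lsassd" name="jdoe" dev=dm-0 ino=2222 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1267654330.500:460): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=3333 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

def _type_of(context):
    """user:role:type[:range] -> type, or None if the field is malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for one AVC denial, else None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    stype = _type_of(fields.get("scontext", ""))
    ttype = _type_of(fields.get("tcontext", ""))
    tclass = fields.get("tclass")
    if not (stype and ttype and tclass):
        return None
    return stype, ttype, tclass, set(m.group(1).split())

def summarize_denials(audit_text, source_type=None):
    """Union denied perms per (stype, ttype, tclass), optionally for one domain."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and (source_type is None or rec[0] == source_type):
            grouped[rec[:3]] |= rec[3]
    return dict(grouped)

def as_allow_rules(grouped):
    """Raw TE allow rules, sorted for stable output (modules prefer interfaces)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]
```

Running `as_allow_rules(summarize_denials(SAMPLE_AUDIT, "lsassd_t"))` yields one rule per target type and class, which maps directly onto the reference-policy interfaces to look up (here the file_contexts read and the home-directory relabel), rather than the whole selinux_compute_* block.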

