Likewise sometimes installs in "likewise" and sometimes "likewise-open" Various fixes: https://lists.fedoraproject.org/pipermail/selinux/2012-January/014333.html
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc index 057a4e4..524faf1 100644 --- a/policy/modules/services/likewise.fc +++ b/policy/modules/services/likewise.fc @@ -11,6 +11,15 @@ /etc/rc.d/init.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) /etc/rc.d/init.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) +/opt/likewise(-open)?/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) +/opt/likewise(-open)?/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) +/opt/likewise(-open)?/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) +/opt/likewise(-open)?/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) +/opt/likewise(-open)?/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) +/opt/likewise(-open)?/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) +/opt/likewise(-open)?/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) +/opt/likewise(-open)?/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) + /usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) /usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) /usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) 
@@ -20,30 +29,34 @@ /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) -/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s 0) -/var/lib/likewise-open/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t, s0) -/var/lib/likewise-open/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s 0) -/var/lib/likewise-open/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket _t,s0) -/var/lib/likewise-open/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t, s0) -/var/lib/likewise-open/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t , s0) 
-/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket _t, s0) -/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) +/var/lib/likewise(-open)?(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket _t,s0) +/var/lib/likewise(-open)?/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s 0) +/var/lib/likewise(-open)?/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t, s0) +/var/lib/likewise(-open)?/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s 0) +/var/lib/likewise(-open)?/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0) +/var/lib/likewise(-open)?/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket _t,s0) +/var/lib/likewise(-open)?/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise(-open)?/krb5cc\_lsass..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise(-open)?/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise(-open)?/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise(-open)?/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise(-open)?/db -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t, s0) 
+/var/lib/likewise(-open)?/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adcache.filedb..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise(-open)?/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t , s0) +/var/lib/likewise(-open)?/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket _t, s0) +/var/lib/likewise(-open)?/run -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) /var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t, s0) /var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if index 81d98b3..a340496 100644 --- a/policy/modules/services/likewise.if +++ b/policy/modules/services/likewise.if @@ -74,6 +74,8 @@ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) + kernel_read_system_state($1_t) + dev_read_rand($1_t) dev_read_urand($1_t) diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te index 18dc6e5..4a373fa 100644 --- a/policy/modules/services/likewise.te +++ b/policy/modules/services/likewise.te 
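Review bot: The new `/var/lib/likewise(-open)?/...` entries leave literal dots unescaped, so `.eventlog`, `.lwsmd-lock`, `krb5cc\_lsass..*` and `lsass-adcache.filedb..*` accept any character in those positions. The underscore in `krb5cc\_lsass` is escaped although it is not a regex metacharacter. File-context paths are regular expressions, so an entry such as `/var/lib/likewise/xlsassd` would also receive the socket label meant for `.lsassd`. Escaping the dots pins each label to the intended name, e.g. `/var/lib/likewise(-open)?/\.lsassd` and, if the cache name really is `krb5cc_lsass.<suffix>`, `/var/lib/likewise(-open)?/krb5cc_lsass\..*`. The same lines recur in the two later copies of the patch on this page.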
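Review bot: `kernel_read_system_state($1_t)` is added inside the shared template, so every domain instantiated from it gains read access to kernel system state, not only the daemon whose denial prompted the change. The commit message does not say which service needs it. If only one or two do, the call belongs in their local policy in likewise.te, in the form `kernel_read_system_state(<domain>_t)`. If all of them do, a one-line comment above the call naming the reason would record that for the next reviewer. The template body starts and ends outside this hunk, and the same hunk recurs in the later copies of the patch.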
@@ -84,6 +84,10 @@ corenet_udp_sendrecv_generic_node(eventlogd_t) corenet_udp_sendrecv_generic_port(eventlogd_t) +corenet_tcp_connect_epmap_port(eventlogd_t) +corenet_tcp_sendrecv_epmap_port(eventlogd_t) +corenet_sendrecv_epmap_client_packets(eventlogd_t ) + ################################# # # Likewise Authentication service local policy @@ -124,6 +128,7 @@ corenet_tcp_connect_epmap_port(lsassd_t) corenet_tcp_sendrecv_epmap_port(lsassd_t) +domain_dontaudit_search_all_domains_state(lsassd_ t) domain_obj_id_change_exemption(lsassd_t) files_manage_etc_files(lsassd_t) @@ -155,14 +160,15 @@ # Likewise I/O service local policy # -allow lwiod_t self:capability { fowner chown fsetid dac_override }; +allow lwiod_t self:process setrlimit; +allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; -allow lwiod_t likewise_krb5_ad_t:file read_file_perms; -allow lwiod_t netlogond_var_lib_t:file read_file_perms; +allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) +stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) corenet_all_recvfrom_netlabel(lwiod_t) corenet_all_recvfrom_unlabeled(lwiod_t) 
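Review bot: The lwiod_t rule in the `@@ -155,14 +160,15 @@` hunk adds `sys_resource` to a capability set that already holds `dac_override`, and neither the hunk nor the commit message says which operation needs it. `sys_resource` covers more than raising rlimits; it also lifts quota and reserved-filesystem-space limits, among others. It is worth confirming from the AVC denial that the new `allow lwiod_t self:process setrlimit;` alone is not enough before granting the capability. If it is required, a comment above the rule stating what lwiod does that needs it (wording to be taken from the observed denial) would keep the justification with the grant. The same hunk recurs in the later copies of the patch.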
@@ -187,8 +193,12 @@ # Likewise Service Manager service local policy # +allow lwsmd_t self:process setpgid; + allow lwsmd_t likewise_domains:process signal; +allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; + domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t) domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) --=-F5sJ8rN6dNyDY01GPt7j Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline LS0Kc2VsaW51eCBtYWlsaW5nIGxpc3QKc2VsaW51eEBsaXN0cy 5mZWRvcmFwcm9qZWN0Lm9yZwpo dHRwczovL2FkbWluLmZlZG9yYXByb2plY3Qub3JnL21haWxtYW 4vbGlzdGluZm8vc2VsaW51eA== --=-F5sJ8rN6dNyDY01GPt7j-- |
Likewise sometimes installs in "likewise" and sometimes "likewise-open" Various fixes: https://lists.fedoraproject.org/pipermail/selinux/2012-January/014333.html
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc index 057a4e4..438843f 100644 --- a/policy/modules/services/likewise.fc +++ b/policy/modules/services/likewise.fc @@ -10,6 +10,16 @@ /etc/rc.d/init.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) /etc/rc.d/init.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) /etc/rc.d/init.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) +/etc/rc.d/init.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) + +/opt/likewise(-open)?/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) +/opt/likewise(-open)?/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) +/opt/likewise(-open)?/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) +/opt/likewise(-open)?/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) +/opt/likewise(-open)?/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) +/opt/likewise(-open)?/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) +/opt/likewise(-open)?/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) +/opt/likewise(-open)?/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) /usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) /usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) 
@@ -20,30 +30,35 @@ /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) -/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s 0) -/var/lib/likewise-open/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t, s0) -/var/lib/likewise-open/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s 0) -/var/lib/likewise-open/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket _t,s0) -/var/lib/likewise-open/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t, s0) -/var/lib/likewise-open/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t , s0) 
-/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket _t, s0) -/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) +/var/lib/likewise(-open)?(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket _t,s0) +/var/lib/likewise(-open)?/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s 0) +/var/lib/likewise(-open)?/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t, s0) +/var/lib/likewise(-open)?/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s 0) +/var/lib/likewise(-open)?/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0) +/var/lib/likewise(-open)?/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket _t,s0) +/var/lib/likewise(-open)?/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock _t,s0) +/var/lib/likewise(-open)?/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise(-open)?/krb5cc\_lsass..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise(-open)?/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise(-open)?/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise(-open)?/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise(-open)?/db -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) 
+/var/lib/likewise(-open)?/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t, s0) +/var/lib/likewise(-open)?/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adcache.filedb..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise(-open)?/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t , s0) +/var/lib/likewise(-open)?/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket _t, s0) +/var/lib/likewise(-open)?/run -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) /var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t, s0) /var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if index 81d98b3..a340496 100644 --- a/policy/modules/services/likewise.if +++ b/policy/modules/services/likewise.if @@ -74,6 +74,8 @@ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) + kernel_read_system_state($1_t) + dev_read_rand($1_t) dev_read_urand($1_t) diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te index 18dc6e5..4a373fa 100644 --- a/policy/modules/services/likewise.te +++ b/policy/modules/services/likewise.te 
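Review bot: The new `.pstore.lock` entry labels the file `likewise_pstore_lock_t`, but none of the likewise.te hunks in this patch declares that type. The .te index line (`18dc6e5..4a373fa`) is also identical to the earlier copy of the patch, which did not have this entry. If the type is not already declared in the existing likewise.te, the file-context entry refers to an unknown type and the module should fail validation. In that case the declaration (`type likewise_pstore_lock_t;` plus `files_type(likewise_pstore_lock_t)`) and the access rules for the domains that take the lock need to be part of this change. The third copy of the patch on this page carries the same entry.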
@@ -84,6 +84,10 @@ corenet_udp_sendrecv_generic_node(eventlogd_t) corenet_udp_sendrecv_generic_port(eventlogd_t) +corenet_tcp_connect_epmap_port(eventlogd_t) +corenet_tcp_sendrecv_epmap_port(eventlogd_t) +corenet_sendrecv_epmap_client_packets(eventlogd_t ) + ################################# # # Likewise Authentication service local policy @@ -124,6 +128,7 @@ corenet_tcp_connect_epmap_port(lsassd_t) corenet_tcp_sendrecv_epmap_port(lsassd_t) +domain_dontaudit_search_all_domains_state(lsassd_ t) domain_obj_id_change_exemption(lsassd_t) files_manage_etc_files(lsassd_t) @@ -155,14 +160,15 @@ # Likewise I/O service local policy # -allow lwiod_t self:capability { fowner chown fsetid dac_override }; +allow lwiod_t self:process setrlimit; +allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; -allow lwiod_t likewise_krb5_ad_t:file read_file_perms; -allow lwiod_t netlogond_var_lib_t:file read_file_perms; +allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) +stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) corenet_all_recvfrom_netlabel(lwiod_t) corenet_all_recvfrom_unlabeled(lwiod_t) 
@@ -187,8 +193,12 @@ # Likewise Service Manager service local policy # +allow lwsmd_t self:process setpgid; + allow lwsmd_t likewise_domains:process signal; +allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; + domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t) domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) --=-Yr9Q/ap9hsn76vIdhdgQ Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline LS0Kc2VsaW51eCBtYWlsaW5nIGxpc3QKc2VsaW51eEBsaXN0cy 5mZWRvcmFwcm9qZWN0Lm9yZwpo dHRwczovL2FkbWluLmZlZG9yYXByb2plY3Qub3JnL21haWxtYW 4vbGlzdGluZm8vc2VsaW51eA== --=-Yr9Q/ap9hsn76vIdhdgQ-- |
Likewise sometimes installs in "likewise" and sometimes "likewise-open" Various fixes: https://lists.fedoraproject.org/pipermail/selinux/2012-January/014333.html
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc index 057a4e4..438843f 100644 --- a/policy/modules/services/likewise.fc +++ b/policy/modules/services/likewise.fc @@ -10,6 +10,16 @@ /etc/rc.d/init.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) /etc/rc.d/init.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) /etc/rc.d/init.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) +/etc/rc.d/init.d/likewise -- gen_context(system_u:object_r:likewise_initrc_exec _t,s0) + +/opt/likewise(-open)?/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) +/opt/likewise(-open)?/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) +/opt/likewise(-open)?/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) +/opt/likewise(-open)?/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) +/opt/likewise(-open)?/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) +/opt/likewise(-open)?/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) +/opt/likewise(-open)?/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) +/opt/likewise(-open)?/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) /usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) /usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) 
@@ -20,30 +30,35 @@ /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) -/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s 0) -/var/lib/likewise-open/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t, s0) -/var/lib/likewise-open/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s 0) -/var/lib/likewise-open/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket _t,s0) -/var/lib/likewise-open/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t, s0) -/var/lib/likewise-open/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t , s0) 
-/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket _t, s0) -/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) -/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) +/var/lib/likewise(-open)?(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/.eventlog -s gen_context(system_u:object_r:eventlogd_var_socket _t,s0) +/var/lib/likewise(-open)?/.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s 0) +/var/lib/likewise(-open)?/.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t, s0) +/var/lib/likewise(-open)?/.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s 0) +/var/lib/likewise(-open)?/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0) +/var/lib/likewise(-open)?/.netlogond -s gen_context(system_u:object_r:netlogond_var_socket _t,s0) +/var/lib/likewise(-open)?/.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock _t,s0) +/var/lib/likewise(-open)?/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise(-open)?/krb5cc\_lsass..* -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise(-open)?/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise(-open)?/LWNetsd.err -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise(-open)?/lsasd.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/regsd.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise(-open)?/db -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) 
+/var/lib/likewise(-open)?/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t, s0) +/var/lib/likewise(-open)?/db/sam.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adcache.filedb..* -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adcache.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/lsass-adstate.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise(-open)?/db/registry.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise(-open)?/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t , s0) +/var/lib/likewise(-open)?/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise(-open)?/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket _t, s0) +/var/lib/likewise(-open)?/run -d gen_context(system_u:object_r:likewise_var_lib_t,s 0) +/var/lib/likewise(-open)?/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) /var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t, s0) /var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if index 81d98b3..a340496 100644 --- a/policy/modules/services/likewise.if +++ b/policy/modules/services/likewise.if @@ -74,6 +74,8 @@ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) + kernel_read_system_state($1_t) + dev_read_rand($1_t) dev_read_urand($1_t) diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te index 18dc6e5..4a373fa 100644 --- a/policy/modules/services/likewise.te +++ b/policy/modules/services/likewise.te 
@@ -84,6 +84,10 @@ corenet_udp_sendrecv_generic_node(eventlogd_t) corenet_udp_sendrecv_generic_port(eventlogd_t) +corenet_tcp_connect_epmap_port(eventlogd_t) +corenet_tcp_sendrecv_epmap_port(eventlogd_t) +corenet_sendrecv_epmap_client_packets(eventlogd_t ) + ################################# # # Likewise Authentication service local policy @@ -124,6 +128,7 @@ corenet_tcp_connect_epmap_port(lsassd_t) corenet_tcp_sendrecv_epmap_port(lsassd_t) +domain_dontaudit_search_all_domains_state(lsassd_ t) domain_obj_id_change_exemption(lsassd_t) files_manage_etc_files(lsassd_t) @@ -155,14 +160,15 @@ # Likewise I/O service local policy # -allow lwiod_t self:capability { fowner chown fsetid dac_override }; +allow lwiod_t self:process setrlimit; +allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; -allow lwiod_t likewise_krb5_ad_t:file read_file_perms; -allow lwiod_t netlogond_var_lib_t:file read_file_perms; +allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) +stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) corenet_all_recvfrom_netlabel(lwiod_t) corenet_all_recvfrom_unlabeled(lwiod_t) 
@@ -187,8 +193,12 @@ # Likewise Service Manager service local policy # +allow lwsmd_t self:process setpgid; + allow lwsmd_t likewise_domains:process signal; +allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; + domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t) domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) --=-+NHzXjqmy12K19SLIGV6 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline LS0Kc2VsaW51eCBtYWlsaW5nIGxpc3QKc2VsaW51eEBsaXN0cy 5mZWRvcmFwcm9qZWN0Lm9yZwpo dHRwczovL2FkbWluLmZlZG9yYXByb2plY3Qub3JnL21haWxtYW 4vbGlzdGluZm8vc2VsaW51eA== --=-+NHzXjqmy12K19SLIGV6-- |