
Christina Plummer 02-07-2012 09:39 PM

making a file context change work for initrc_t and unconfined_t
 
> mylikewise.fc:
>
> /var/lib/likewise/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
>
> /var/lib/likewise/.lwsmd-lock -- gen_context(system_u:object_r:lwsmd_var_lib_t,s0)

Hi there,

[I tried to post this via gmane about 30 minutes ago but it never showed up - I
did take some time composing the first time, so I am trying again.]

I am new on this list (and pretty new to SELinux), but was just trying to get
Likewise Open 6.1 and SELinux to play well together on RHEL 6.1 and found this
excellent thread. Most of the denials I had noticed were on
the /var/lib/likewise/.lsassd socket.

To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds
contains the following (based on what I found in the likewise.fc from git as
well as Dominick's notes above -- replacing /usr/sbin
with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):

fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond

I added some wildcards in there because some of the files get created with the
Active Directory domain name appended to them, namely:

/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET
/var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET

After running "restorecon -R -F -v" on all those directories and rebooting, I
just got these denials:

type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

There were also a bunch of getattr denials on stuff in /proc.
Those files in /tmp are owned by me, apparently created when I logged in. They
might have been left over from before.
Otherwise, everything looks good so far.

I haven't tried building the additional "mylikewise" policy yet, but I can do
that next. I can also start over on a fresh box if that would be helpful.

Thanks,
Christina

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
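As an added example (not code from the original post or from Likewise), the script below checks which type the post's fcontext rules would give a path such as the domain-suffixed cache file, and groups the quoted AVC records by source type, target type and class; the "last matching rule wins" ordering is a simplified model of file_contexts matching, not libselinux itself.

```python
import re

# Added example, not code from the original post.  FCONTEXT_RULES is a subset of
# the semanage fcontext lines in the post (wrapped lsass-adcache entry rejoined).
FCONTEXT_RULES = [
    ("/var/lib/likewise(/.*)?", "likewise_var_lib_t"),
    ("/var/lib/likewise/.lsassd", "lsassd_var_socket_t"),
    ("/var/lib/likewise/krb5cc_lsass(.*)?", "lsassd_var_lib_t"),
    ("/var/lib/likewise/db/lsass-adcache.filedb.(.*)?", "lsassd_var_lib_t"),
    ("/opt/likewise/sbin/lsassd", "lsassd_exec_t"),
]

# Constructed sample: the four AVC records quoted in the post, one record per line.
SAMPLE_AVC = [
    "type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
    "type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file",
]

def expected_type(path, rules=FCONTEXT_RULES):
    """Type restorecon would assign under these rules, or None if nothing matches.
    Simplified model of file_contexts matching: each regex is anchored to the whole
    path and the last match wins, so the broad likewise_var_lib_t rule comes first."""
    hit = None
    for regex, setype in rules:
        if re.fullmatch(regex, path):
            hit = setype
    return hit

def parse_avc(line):
    """Extract permissions, source/target types, class and object from one AVC record."""
    m = re.search(r"avc: +denied +\{ ([^}]*)\} for (.*)", line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
    return {"perms": m.group(1).split(), "stype": kv["scontext"].split(":")[2],
            "ttype": kv["tcontext"].split(":")[2], "tclass": kv.get("tclass"),
            "object": kv.get("path") or kv.get("name")}

def summarize(lines):
    """Group denials by (source type, target type, class) with the refused perms
    and objects.  A target type that no fcontext rule assigns (initrc_tmp_t on
    /tmp/krb5cc_*) points at a file created by another domain, not a mislabel."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "objects": set()})
        g["perms"].update(rec["perms"])
        g["objects"].add(rec["object"])
    return {k: {"perms": sorted(v["perms"]), "objects": sorted(v["objects"])}
            for k, v in groups.items()}
```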
