02-07-2012, 09:39 PM
Christina Plummer

making a file context change work for initrc_t and unconfined_t

> mylikewise.fc:
>
> /var/lib/likewise/db/lwi\_events.db --
> gen_context(system_u:object_r:eventlogd_var_lib_t, s0)
>
> /var/lib/likewise/.lwsmd-lock --
> gen_context(system_u:object_r:lwsmd_var_lib_t,s0)

Hi there,

[I tried to post this via gmane about 30 minutes ago but it never showed up - I
did take some time composing the first time, so I am trying again.]

I am new on this list (and pretty new to SELinux), but was just trying to get
Likewise Open 6.1 and SELinux to play well together on RHEL 6.1 and found this
excellent thread. Most of the denials I had noticed were on
the /var/lib/likewise/.lsassd socket.

To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds
contains the following (based on what I found in the likewise.fc from git as
well as Dominick's notes above -- replacing /usr/sbin
with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):

fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond

I added some wildcards in there because some of the files get created with the
Active Directory domain name appended to them, namely:

/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET
/var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET

After running "restorecon -R -F -v" on all those directories and rebooting, I
just got these denials:

type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for
pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for
pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for
pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17
scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink }
for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17
scontext=system_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

There were also a bunch of getattr denials on stuff in /proc.
Those files in /tmp are owned by me, apparently created when I logged in. They
might have been left over from before.
Otherwise, everything looks good so far.

I haven't tried building the additional "mylikewise" policy yet, but I can do
that next. I can also start over on a fresh box if that would be helpful.

Thanks,
Christina

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
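The wildcard specs in the likewise-cmds file above (krb5cc_lsass(.*)? and lsass-adcache.filedb.(.*)?) only help if they actually match the domain-suffixed file names, and the generic "/var/lib/likewise(/.*)?" entry must not win over them. On a real box the check is `matchpathcon <path>` after `semanage fcontext -a`; the script below is an added example (not from the post or from Likewise/Fedora) that emulates that check offline so the spec lines can be sanity-tested before they are loaded. It assumes, as SELinux file_contexts do, that each spec regex is matched against the whole path (implicitly anchored), and it approximates "most specific match wins" as: a spec with no regex metacharacters beats one with them, then the longer literal prefix wins, then the later spec wins a tie. That ordering is a simplification of what the policy tools apply, not libselinux's exact algorithm. The spec subset and the sample paths are constructed for the example; the extra "filedbX" path is there to show that the unescaped dot before (.*)? matches any character, not just a literal dot.

```python
"""Offline check of semanage-style fcontext specs against candidate paths.

Added example, not code from the mailing-list post.  It parses lines of the
form 'fcontext -a -t TYPE REGEX' and reports, for each path, which spec would
label it.  Matching assumptions (simplified from SELinux behaviour):
  - the spec regex is anchored to the whole path (^...$);
  - when several specs match, a spec without regex metacharacters wins over
    one with them, then the longer literal prefix wins, then the later spec.
"""
import re

# Constructed subset of the likewise-cmds lines quoted in the post.
SPECS_TEXT = """\
fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
"""

# Characters that make a spec a regex rather than a literal path.
META = re.compile(r"[.^$?*+|\[\](){}\\]")


def literal_prefix(regex):
    """Leading part of the spec that contains no regex metacharacter."""
    m = META.search(regex)
    return regex if m is None else regex[: m.start()]


def parse_specs(text):
    """Parse 'fcontext -a -t TYPE REGEX' lines into (regex, type, compiled).

    Specs are split on whitespace (none of the paths here contain spaces)
    and surrounding double quotes are stripped; backslash escapes such as
    '\\.' are passed through to the regex engine unchanged.
    """
    specs = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "fcontext" or "-t" not in toks:
            continue
        setype = toks[toks.index("-t") + 1]
        regex = toks[-1].strip('"')
        # file_contexts regexes are matched against the whole path.
        specs.append((regex, setype, re.compile("^(?:" + regex + ")$")))
    return specs


def match_path(specs, path):
    """Return (regex, type) of the most specific matching spec, or None."""
    best, best_key = None, None
    for idx, (regex, setype, compiled) in enumerate(specs):
        if compiled.match(path) is None:
            continue
        # Higher tuple wins: literal beats regex, longer prefix, later spec.
        key = (META.search(regex) is None, len(literal_prefix(regex)), idx)
        if best_key is None or key > best_key:
            best, best_key = (regex, setype), key
    return best


def label_paths(text, paths):
    """Map each path to the type it would receive, or None if nothing matches."""
    specs = parse_specs(text)
    out = {}
    for p in paths:
        hit = match_path(specs, p)
        out[p] = None if hit is None else hit[1]
    return out


if __name__ == "__main__":
    # Constructed sample paths: the two domain-suffixed files from the post,
    # a socket, a db file only the generic spec covers, one outside the tree,
    # and one showing that the unescaped '.' before (.*)? matches any char.
    sample = [
        "/var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET",
        "/var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET",
        "/var/lib/likewise/db/lsass-adcache.filedbXMYDOMAIN.NET",
        "/var/lib/likewise/.lsassd",
        "/var/lib/likewise/db/registry.db",
        "/var/lib/other/file",
    ]
    for path, setype in label_paths(SPECS_TEXT, sample).items():
        print(f"{path:58s} -> {setype}")
```

If a path you expect to be labelled comes back with the generic likewise_var_lib_t (or None), the spec is wrong or too weak and `restorecon -R -F -v` will not give the file the type the daemon policy expects. To match only a literal dot, escape it in the spec (`filedb\.(.*)?`), as the quoted mylikewise.fc does for its underscore.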