On Wed, 2010-03-03 at 18:10 -0500, Scott Salley wrote:
> I'd like to thank the mailing list inhabitants for all the help you've
> given me. So, Thanks!
>
> I modified the targeted policy for Fedora 12 and got Likewise Open to
> install, join Active Directory, and allow users to authenticate
> without any problems! The problem is, I'm not quite sure what some of
> the rules do and whether they are necessary.
>
> For example, I patched the authentication daemon (lsassd) to properly
> set up the user's home directory and I'm using matchpathcon(3) and
> setfilecon(3). At first, matchpathcon would fail but I could find *no*
> messages indicating a problem.

Use semodule -DB, as described in:
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html
And later revert with semodule -B.

> I finally copied a block of rules from another policy and that
> worked.
>
> The rules I copied are:
>
> selinux_get_fs_mount(lsassd_t)
> selinux_validate_context(lsassd_t)
> selinux_compute_access_vector(lsassd_t)
> selinux_compute_create_context(lsassd_t)
> selinux_compute_relabel_context(lsassd_t)
> selinux_compute_user_contexts(lsassd_t)

I don't think you need any of the selinux_compute_* interfaces.

> Now I could try things one by one and see what works and what doesn't,
> but I have some other rule blocks where I have the same type of
> problem and then a combinatorial explosion gets involved. I have also
> tried looking things up online, but pages like this
> (http://www.softeh.ro/doc/selinux-policy-2.2.23/html/kernel_selinux.html)
> did not really help me for many of the rules.
>
> What have I missed? Is there another level of logging I could turn on
> somewhere?

Yes, semodule -DB.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
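The semodule -DB / semodule -B procedure Stephen points to, as an added example that is not code from the thread, from Likewise Open, or from the Fedora policy. It is a hypothetical helper script that assumes a Fedora-style host with policycoreutils (semodule) and audit (ausearch) installed and root for the live hunt. The type name lsassd_t comes from Scott's rules, but the AVC records in the sample log are constructed for the demo and are not the denials he actually saw; the filter functions themselves only need grep and sed, so they can be exercised offline on a saved audit.log excerpt.

```shell
#!/bin/bash
# Added example, not from the mailing-list thread above. Wraps the
# "semodule -DB, reproduce, inspect, semodule -B" procedure and filters the
# resulting AVC records by source type, so you can see which class and
# permission are actually missing before pasting in a block of interfaces
# copied from another module.
# Assumptions (hypothetical): Fedora-style host with semodule and ausearch;
# root for hunt_silent_denials. Everything else runs with plain grep/sed.

# Print the AVC denial records in FILE (default: stdin) whose source
# context type is TYPE, e.g. lsassd_t. Other domains' denials are dropped.
avc_denials_for_type() {
    local type="$1" file="${2:-/dev/stdin}"
    grep -E 'avc:[[:space:]]+denied' "$file" \
        | grep -E "scontext=[^[:space:]]*:${type}:" || true
}

# Reduce those records to deduplicated "tclass permission" pairs: that is
# the information needed to choose one policy interface instead of six.
avc_summary_for_type() {
    local type="$1" file="${2:-/dev/stdin}"
    avc_denials_for_type "$type" "$file" \
        | sed -E 's/.*denied[[:space:]]+[{] ([^}]*) [}].*tclass=([^[:space:]]+).*/\2 \1/' \
        | sort -u
}

# Live procedure: rebuild the policy with dontaudit rules disabled, run the
# reproducer (any command; a failing test login is expected), summarise the
# denials of the last ten minutes for TYPE, then rebuild normally.
# semodule -B runs unconditionally: a policy left with dontaudit disabled
# floods the audit log and buries the denials you care about.
hunt_silent_denials() {
    local type="$1"; shift
    semodule -DB || return 1
    "$@"
    ausearch -m avc -ts recent 2>/dev/null | avc_summary_for_type "$type"
    semodule -B
}

# Constructed sample log for the offline demo, NOT real output from Scott's
# host: two distinct lsassd_t denials (one repeated), one from another
# domain, and one non-AVC record that must be ignored.
constructed_sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1267650000.101:201): avc:  denied  { read } for  pid=2401 comm="lsassd" name="file_contexts" dev=dm-0 ino=3001 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1267650000.102:202): avc:  denied  { relabelto } for  pid=2401 comm="lsassd" name="jdoe" dev=dm-0 ino=4002 scontext=system_u:system_r:lsassd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1267650000.103:203): avc:  denied  { read } for  pid=2401 comm="lsassd" name="file_contexts" dev=dm-0 ino=3001 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1267650000.104:204): avc:  denied  { write } for  pid=911 comm="sshd" name="lastlog" dev=dm-0 ino=5003 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file
type=SYSCALL msg=audit(1267650000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="lsassd"
EOF
}

# Offline demo:  ./silent_denials.sh demo
# Live hunt:     ./silent_denials.sh hunt lsassd_t <reproducer command ...>
case "${1:-}" in
    demo) constructed_sample_log | avc_summary_for_type lsassd_t ;;
    hunt) shift; hunt_silent_denials "$@" ;;
esac
```

With dontaudit rules disabled, denials that were previously suppressed appear in /var/log/audit/audit.log like any other AVC record, which is why the OP saw nothing before. The demo mode reduces the constructed log to "dir relabelto" and "file read" for lsassd_t; on a real host the equivalent pairs tell you which single interface to add and test, one at a time, rather than keeping a whole block whose members you cannot account for.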