On 02/01/2012 11:37 AM, Maria Iano wrote:
>
> On Feb 1, 2012, at 11:30 AM, Daniel J Walsh wrote:
>
>> On 01/31/2012 05:33 PM, Maria Iano wrote:
>>> I have a RHEL 6.2 server running LikewiseOpen. It appears to
>>> me that I will take care of a large number of denials if I can
>>> change the type of /var/lib/likewise/.lsassd to be
>>> lsassd_var_socket_t.
>>>
>>> I added the file context rule with semanage, and used
>>> restorecon to change it to lsassd_var_socket_t as desired. But
>>> later I found that /var/lib/likewise/.lsassd had type var_lib_t
>>> again. I assume that is because the likewise processes run as
>>> initrc_t.
>>>
>>> I'd like to change the policy and tell it that services running
>>> in either initrc_t or unconfined_t domains should create the
>>> file /var/lib/likewise/.lsassd with type lsassd_var_socket_t.
>>> (A command line tool lwsm for managing the processes runs in
>>> unconfined_t so I'd like to include that domain to be safe.)
>>> How can I go about doing that in RHEL 6 (or can I)?
>>>
>>> Thanks,
>>> Maria
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> What label do you have on /var/lib/likewise?
>
> system_u:object_r:var_lib_t:s0

In that case, why not just label it lsassd_var_lib_t?

Currently the labeling is

/var/lib/likewise-open(/.*)?	gen_context(system_u:object_r:likewise_var_lib_t,s0)

If you label it similarly, then you have a step in the right direction.

I am not sure who wrote policy for the likewise domain, but I think I would
eliminate all of the different labels. But I guess that is the way it is.

If unconfined_t is creating a socket in the directory then I guess it would
be listening on the socket, but other domains would not be allowed to
communicate.

One potential option if you got all of the labeling correct would be to use
restorecond.
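The reply above turns on one detail: the stock file-context entry covers /var/lib/likewise-open, while this LikewiseOpen build uses /var/lib/likewise, so restorecon (and anything else consulting file_contexts) falls back to the generic /var/lib rule and the socket comes back as var_lib_t. The following is an added example, not code from the SELinux project, the reference policy or the thread; it is a toy model of file_contexts matching (a minimal matchpathcon) that shows the path falling through to var_lib_t, and what happens once a local rule of the kind `semanage fcontext -a` writes is appended. The file-context tables are constructed: only the likewise-open line is quoted in the thread, the /var/lib fallback is the generic reference-policy rule, and the two "local" lines are what a fix would add. The matching rule is simplified to "last matching entry wins"; real libselinux also orders entries by specificity, but the simplification is enough to show the behaviour.

```python
"""Minimal model of SELinux file-context lookup (what matchpathcon/restorecon do).

Added example, not code from the SELinux project or the likewise policy.
file_contexts entries are modelled as 'last matching entry wins', with local
customizations (the lines `semanage fcontext -a` writes to file_contexts.local)
appended after the base policy entries.  libselinux additionally orders entries
by specificity; the simplification is enough to show why /var/lib/likewise/.lsassd
keeps relabeling to var_lib_t.
"""
import re

# Constructed subset of a RHEL 6 file_contexts.  Only the likewise-open entry is
# quoted in the thread; /var/lib(/.*)? is the generic reference-policy fallback.
BASE_FILE_CONTEXTS = r"""
/var/lib(/.*)?                 system_u:object_r:var_lib_t:s0
/var/lib/likewise-open(/.*)?   system_u:object_r:likewise_var_lib_t:s0
"""

# Constructed local customizations for the directory this build actually uses
# (/var/lib/likewise, not likewise-open).  The "-s" file-type field restricts the
# second entry to sockets, so a stray regular file named .lsassd would not be
# given the socket type.
LOCAL_FILE_CONTEXTS = r"""
/var/lib/likewise(/.*)?        system_u:object_r:likewise_var_lib_t:s0
/var/lib/likewise/\.lsassd  -s system_u:object_r:lsassd_var_socket_t:s0
"""

FTYPE_ANY = None  # entry without a file-type field applies to every object class


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, ftype letter, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype_field, context = fields
            ftype = ftype_field[1]        # "-s" -> "s", "--" -> "-", "-d" -> "d"
        elif len(fields) == 2:
            regex, context = fields
            ftype = FTYPE_ANY
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        # libselinux anchors every regex to the whole path; fullmatch does the same.
        specs.append((re.compile(regex), ftype, context))
    return specs


def matchpathcon(specs, path, ftype="-"):
    """Return the context for path; ftype is '-' regular, 'd' dir, 's' socket, ...

    Last matching entry wins (simplification, see module docstring).
    None means no entry matches and the object would stay unlabeled.
    """
    winner = None
    for regex, spec_ftype, context in specs:
        if spec_ftype not in (FTYPE_ANY, ftype):
            continue
        if regex.fullmatch(path):
            winner = context
    return winner


def label_type(context):
    """Extract the type (third field) from a user:role:type:level context."""
    return context.split(":")[2] if context else None


if __name__ == "__main__":
    base = parse_file_contexts(BASE_FILE_CONTEXTS)
    fixed = parse_file_contexts(BASE_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS)
    sock = "/var/lib/likewise/.lsassd"
    print("stock policy, socket :", label_type(matchpathcon(base, sock, "s")))
    print("with local, socket   :", label_type(matchpathcon(fixed, sock, "s")))
    print("with local, reg file :", label_type(matchpathcon(fixed, sock, "-")))
```

On a real RHEL 6 box the equivalent of appending the local table is `semanage fcontext -a -t likewise_var_lib_t '/var/lib/likewise(/.*)?'` followed by `restorecon -Rv /var/lib/likewise`, and `matchpathcon /var/lib/likewise/.lsassd` shows which entry now wins. That fixes what restorecon produces; it does not change the type a process in initrc_t creates the socket with, which is why the reply points at restorecond: paths listed in /etc/selinux/restorecond.conf are watched with inotify and relabeled to their file_contexts entry as soon as they appear.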