Re: making a file context change work for initrc_t and unconfined_t

On Feb 1, 2012, at 1:32 PM, Dominick Grift wrote:

On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I
will take care of a large number of denials if I can change the type
of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.

I added the file context rule with semanage, and used restorecon to
change it to lsassd_var_socket_t as desired. But later I found that
/var/lib/likewise/.lsassd had type var_lib_t again. I assume that is
because the likewise processes run as initrc_t.

Why are the likewise processes running in initrc_t?

Are the likewise executable files in their proper location:

/usr/sbin/dcerpcd	--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd	--	gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd	--	gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwiod		--	gen_context(system_u:object_r:lwiod_exec_t,s0)
/usr/sbin/lwregd	--	gen_context(system_u:object_r:lwregd_exec_t,s0)
/usr/sbin/lwsmd		--	gen_context(system_u:object_r:lwsmd_exec_t,s0)
/usr/sbin/netlogond	--	gen_context(system_u:object_r:netlogond_exec_t,s0)
/usr/sbin/srvsvcd	--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)

I'd like to change the policy and tell it that services running in
either initrc_t or unconfined_t domains should create the file
/var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line
tool lwsm for managing the processes runs in unconfined_t so I'd like
to include that domain to be safe.) How can I go about doing that in
RHEL 6 (or can I)?

That is not possible but if you label /var/lib/likewise:

semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"

And configure restorecond to watch /var/lib/likewise then the file will
be reset to the proper type when restorecond notices that it's
mislabeled.

The policy for likewise was written by the people of likewise. I helped
with it a bit. I think we collaborated on the selinux maillist but I
could not find the thread about it on short notice. (I was looking for
the e-mail address of the likewise policy author so that I can ask him
to see if the policy is still up-to-date)

It may be that the policy is not maintained optimally.

Maybe you can help us revisit it?

Those files are all under /opt/likewise/sbin on this system (although there is no srvsvcd):
/opt/likewise/sbin/dcerpcd
/opt/likewise/sbin/eventlogd
/opt/likewise/sbin/lsassd
/opt/likewise/sbin/lwiod
/opt/likewise/sbin/lwregd
/opt/likewise/sbin/lwsmd
/opt/likewise/sbin/netlogond

Also the directories corresponding to /etc/likewise-open and /var/lib/likewise-open are actually /etc/likewise and /var/lib/likewise on my system.

My system is RHEL 6.2 and I installed LikewiseOpen by downloading LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh, making it executable, and typing:
./LikewiseOpen-6.1.0.8729-linux-x86_64-rpm.sh install

So I think it is installed with all the defaults.

I would be very happy to help. I would really like for selinux and likewise to coexist comfortably.

Thanks!
Maria
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
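
An added example, not part of the original message or of the Likewise policy: a shell check for the question raised in the thread, whether the executables named in the policy's file-context entries sit at the labelled paths or in another directory. The names fc_locate and fc_sample and the optional root prefix are hypothetical; the sample entries are copied from the thread, one of them still wrapped across two lines as mail clients tend to leave it.

```shell
#!/bin/sh
# Added example (not from the thread). Reads file-context entries on stdin and
# reports whether each executable sits at the policy path or in ALT_DIR.
# ROOT is an assumed optional prefix so the check can run on a scratch tree.
fc_locate() {
    alt_dir=$1 root=${2:-}
    awk '
        NF == 0 { next }
        { buf = (buf == "" ? $0 : buf " " $0) }     # rejoin wrapped entries
        buf ~ /gen_context\(.*\)/ {
            split(buf, f, " ")                      # f[1] = path
            ctx = buf
            sub(/.*gen_context\(/, "", ctx)         # user:role:type,range)
            split(ctx, c, ":")
            sub(/,.*/, "", c[3])                    # keep the type only
            print f[1], c[3]
            buf = ""
        }' |
    while read -r path type; do
        base=${path##*/}
        if [ -e "$root$path" ]; then
            echo "OK $path $type"
        elif [ -e "$root$alt_dir/$base" ]; then
            echo "MOVED $alt_dir/$base $type"
        else
            echo "MISSING $path $type"
        fi
    done
}

# Three of the entries quoted in the thread, one wrapped as in the mail.
fc_sample() {
    cat <<'EOF'
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/netlogond --
gen_context(system_u:object_r:netlogond_exec_t,s0)
/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
EOF
}

fc_sample | fc_locate /opt/likewise/sbin
```

A MOVED line means the path the policy labels does not exist on the system, so the exec type listed next to it is never applied to the binary that actually runs.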


