On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:
<snip>

Attached you will find the mylikewise1 policy source module. It should take care of both the file context specs and the additional policy that is known to be needed.

Please first remove the file context specs that you added manually with semanage earlier; local semanage entries take precedence over the specs shipped in a module, so stale ones would mask the contexts defined here.

To build:
    make -f /usr/share/selinux/devel/Makefile mylikewise1.pp

To install:
    sudo semodule -i mylikewise1.pp

To apply the file context specs:
    restorecon -v /etc/rc.d/init.d/likewise
    restorecon -R -v /var/lib/likewise
    restorecon -R -v /opt/likewise/sbin
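# File context specifications for the mylikewise1 module
# (presumably saved as mylikewise1.fc next to the .te source - confirm).
#
# Each entry is: <path regex> [<file type flag>] gen_context(<context>,<mls range>)
#   --  regular file     -d  directory     -s  socket
# An entry with no flag applies to every file type.
#
# Path expressions are regular expressions, so a literal dot must be written
# as \. ; an unescaped dot matches any character and would label files the
# author did not intend. The literal dots in krb5-affinity.conf,
# lwi_events.db and rpcdep.dat are escaped here for that reason, and the
# needless backslash before the underscore in krb5cc_lsass is dropped.
# The ", s0" spelling is normalised to ",s0" to match the other entries.
#
# After installing the module and running restorecon, check a few paths
# with ls -Z or matchpathcon to confirm the expected type was applied.

# Init script
/etc/rc\.d/init\.d/likewise                        --  gen_context(system_u:object_r:likewise_initrc_exec_t,s0)

# Daemon executables: one entry-point type per daemon
/opt/likewise/sbin/dcerpcd                         --  gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/opt/likewise/sbin/eventlogd                       --  gen_context(system_u:object_r:eventlogd_exec_t,s0)
/opt/likewise/sbin/lsassd                          --  gen_context(system_u:object_r:lsassd_exec_t,s0)
/opt/likewise/sbin/lwiod                           --  gen_context(system_u:object_r:lwiod_exec_t,s0)
/opt/likewise/sbin/lwregd                          --  gen_context(system_u:object_r:lwregd_exec_t,s0)
/opt/likewise/sbin/lwsmd                           --  gen_context(system_u:object_r:lwsmd_exec_t,s0)
/opt/likewise/sbin/netlogond                       --  gen_context(system_u:object_r:netlogond_exec_t,s0)
/opt/likewise/sbin/srvsvcd                         --  gen_context(system_u:object_r:srvsvcd_exec_t,s0)

# Catch-all for the state directory; the entries below refine it
/var/lib/likewise(/.*)?                                gen_context(system_u:object_r:likewise_var_lib_t,s0)

# Per-daemon sockets and lock files directly under the state directory
/var/lib/likewise/\.eventlog                       -s  gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
/var/lib/likewise/\.lsassd                         -s  gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/\.lwiod                          -s  gen_context(system_u:object_r:lwiod_var_socket_t,s0)
/var/lib/likewise/\.regsd                          -s  gen_context(system_u:object_r:lwregd_var_socket_t,s0)
/var/lib/likewise/\.lwsm                           -s  gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
/var/lib/likewise/\.lwsmd-lock                     --  gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
/var/lib/likewise/\.netlogond                      -s  gen_context(system_u:object_r:netlogond_var_socket_t,s0)
/var/lib/likewise/\.ntlmd                          -s  gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/\.pstore\.lock                   --  gen_context(system_u:object_r:likewise_pstore_lock_t,s0)

# Kerberos configuration and credential cache files.
# The krb5cc.* wildcard is kept as posted; it already covers the two more
# specific krb5cc entries that follow, which map to the same type.
/var/lib/likewise/krb5-affinity\.conf              --  gen_context(system_u:object_r:netlogond_var_lib_t,s0)
/var/lib/likewise/krb5cc.*                         --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/krb5cc_lsass\..*                 --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/krb5ccr_lsass                    --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)

# Daemon error files.
# NOTE(review): lsasd (single s) is the spelling as posted - confirm it
# matches the file name actually created on disk.
/var/lib/likewise/LWNetsd\.err                     --  gen_context(system_u:object_r:netlogond_var_lib_t,s0)
/var/lib/likewise/lsasd\.err                       --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/regsd\.err                       --  gen_context(system_u:object_r:lwregd_var_lib_t,s0)

# Databases
/var/lib/likewise/db                               -d  gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/db/lwi_events\.db                --  gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/db/sam\.db                       --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache\.filedb\..*     --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adcache\.db             --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/lsass-adstate\.filedb         --  gen_context(system_u:object_r:lsassd_var_lib_t,s0)
/var/lib/likewise/db/registry\.db                  --  gen_context(system_u:object_r:lwregd_var_lib_t,s0)

# RPC sockets
/var/lib/likewise/rpc                              -d  gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/rpc/epmapper                     -s  gen_context(system_u:object_r:dcerpcd_var_socket_t,s0)
/var/lib/likewise/rpc/lsass                        -s  gen_context(system_u:object_r:lsassd_var_socket_t,s0)
/var/lib/likewise/rpc/socket                       -s  gen_context(system_u:object_r:eventlogd_var_socket_t,s0)

# Runtime data
/var/lib/likewise/run                              -d  gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/run/rpcdep\.dat                  --  gen_context(system_u:object_r:dcerpcd_var_lib_t,s0)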
# Type enforcement source for the mylikewise1 module.
#
# The module declares no types of its own. Everything it touches is pulled
# in through gen_require, so the module that owns these types and the
# likewise_domains attribute must already be loaded or installation fails.
# Most of the required types are not used by any rule below; they are the
# types named in the file context specs posted with this module.
#
# Comments in this file avoid quote characters on purpose, because the
# source is run through m4 before compilation.

policy_module(mylikewise1, 1.0.0)

gen_require(`
	attribute likewise_domains;

	type eventlogd_t, lsassd_t, lwiod_t, lwsmd_t, netlogond_t;

	type likewise_initrc_exec_t;
	type dcerpcd_exec_t, eventlogd_exec_t, lsassd_exec_t, lwiod_exec_t;
	type lwregd_exec_t, lwsmd_exec_t, netlogond_exec_t, srvsvcd_exec_t;

	type dcerpcd_var_socket_t, eventlogd_var_socket_t, lsassd_var_socket_t;
	type lwiod_var_socket_t, lwregd_var_socket_t, lwsmd_var_socket_t;
	type netlogond_var_socket_t;

	type likewise_var_lib_t, dcerpcd_var_lib_t, eventlogd_var_lib_t;
	type lsassd_var_lib_t, lwregd_var_lib_t, lwsmd_var_lib_t;
	type netlogond_var_lib_t;

	type likewise_pstore_lock_t, likewise_krb5_ad_t;
')

########################################
# All likewise domains
#

# Applies to every domain carrying the likewise_domains attribute, not to a
# single daemon. The interface body lives in the kernel policy module; going
# by its name it grants read access to kernel system state.
kernel_read_system_state(likewise_domains)

########################################
# eventlogd
#

# Outbound TCP from eventlogd to the port labelled epmap (connect,
# send/receive, and the matching client packet rule).
corenet_tcp_connect_epmap_port(eventlogd_t)
corenet_tcp_sendrecv_epmap_port(eventlogd_t)
corenet_sendrecv_epmap_client_packets(eventlogd_t)

########################################
# lsassd
#

# dontaudit only: the access stays denied, the denial is just not logged.
# When troubleshooting lsassd, rebuild with semodule -DB so that suppressed
# denials show up in the audit log again.
domain_dontaudit_search_all_domains_state(lsassd_t)

########################################
# lwiod
#

# NOTE(review): sys_resource is a broad capability that covers more than
# raising resource limits. Confirm against the AVC denials that lwiod needs
# it in addition to setrlimit before carrying this rule forward.
allow lwiod_t self:process setrlimit;
allow lwiod_t self:capability sys_resource;

# Read-only access to files of these two types.
allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
allow lwiod_t netlogond_var_lib_t:file read_file_perms;

# lwiod connects to netlogond over a unix stream socket: directory type
# likewise_var_lib_t, socket file type netlogond_var_socket_t.
stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

########################################
# lwsmd
#

allow lwsmd_t self:process setpgid;

# Same read-only file access as granted to lwiod above.
allow lwsmd_t likewise_krb5_ad_t:file read_file_perms;
allow lwsmd_t netlogond_var_lib_t:file read_file_perms;