Re: VASD policy

[Vadym Chepkov <vchepkov@xxxxxxxxx>]

On Jul 23, 2013, at 11:14 AM, Tony Scully <tonyjscully@xxxxxxxxx> wrote:

Hi Vadym,

In fact vasd just runs unconfined under selinux; the issue you have is that sshd is running in the sshd_t context, but need to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.

Quest (now Dell) do provide a policy file which allows sshd to access these files, here's the text version:


module sshdqas 1.0;

require {
        type semanage_t;
        type var_t;
        type sshd_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { read write getattr open };
}

#============= semanage_t ==============
allow semanage_t var_t:sock_file write;

#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;

Which as you can see, just allows sshd to access var_t labelled files -- might be considered too permssive?

But vasd itself should run ( and is 'supported') unconfined under selinux.

It looks like a workaround to me, not a proper policy, but at least I don’t have do disable SELinux.

I ended up with this:

module qas 1.0;

require {

        type var_auth_t;

        type sshd_t;

        type system_dbusd_t;

        type initrc_t;

        class sock_file write;

        class unix_stream_socket connectto;

        class file { read write getattr open };

}

allow sshd_t initrc_t:unix_stream_socket connectto;

allow sshd_t var_auth_t:file { open read write getattr };

allow sshd_t var_auth_t:sock_file write;

allow system_dbusd_t initrc_t:unix_stream_socket connectto;

allow system_dbusd_t var_auth_t:file { open read write getattr };

allow system_dbusd_t var_auth_t:sock_file write;

Thanks,

Vadym

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux