On 02/12/2014 05:51 PM, Jayson Hurst wrote:
> All of the following audit messages are connected to the file:
>
> /var/opt/quest/vas/vasd/.vasd40_ipc_sock
>
> What is the preferred way to grant the appropriate access to the file when
> the domain that is going to need access to it is unknown? The context type
> when I am done will probably be qasd_var_auth_t, although I am not sure
> that matters at this point.
>
> #============= hald_t ==============
> allow hald_t var_auth_t:sock_file write;
>
> #============= httpd_t ==============
> allow httpd_t var_auth_t:dir search;
> allow httpd_t var_auth_t:sock_file write;
>
> #============= policykit_t ==============
> allow policykit_t var_auth_t:dir search;
> allow policykit_t var_auth_t:sock_file write;
>
> #============= postfix_pickup_t ==============
> allow postfix_pickup_t var_auth_t:dir search;
> allow postfix_pickup_t var_auth_t:sock_file write;
> allow postfix_pickup_t qasd_t:unix_stream_socket connectto;
>
> #============= postfix_qmgr_t ==============
> allow postfix_qmgr_t var_auth_t:dir search;
> allow postfix_qmgr_t var_auth_t:sock_file write;
> allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;
>
> #============= system_dbusd_t ==============
> allow system_dbusd_t var_auth_t:sock_file write;
> allow system_dbusd_t qasd_t:unix_stream_socket connectto;
>
> #============= xdm_dbusd_t ==============
> allow xdm_dbusd_t var_auth_t:dir search;
> allow xdm_dbusd_t var_auth_t:sock_file write;
> allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;
>
> #============= xdm_t ==============
> allow xdm_t qasd_t:unix_stream_socket connectto;
>
> # audit(1392243009.026:13):
> #   scontext="system_u:system_r:postfix_qmgr_t:s0"
> #   tcontext="system_u:system_r:qasd_t:s0"
> #   class="unix_stream_socket" perms="connectto"
> #   comm="qmgr" exe="" path=""
> #   message="type=AVC msg=audit(1392243009.026:13): avc: denied { connectto }
> #     for pid=1674 comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"
> #     scontext=system_u:system_r:postfix_qmgr_t:s0
> #     tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"
>
> I am also seeing the reverse of this with fifo_files (grant myself write,
> getattr access) to an unknown domain.
>
> allow qasd_t httpd_t:fifo_file { write getattr };
> allow qasd_t policykit_t:fifo_file { write getattr };
> allow qasd_t postfix_pickup_t:fifo_file { write getattr };
> allow qasd_t postfix_qmgr_t:fifo_file { write getattr };
> allow qasd_t xdm_dbusd_t:fifo_file { write getattr };
>
> # audit(1392243659.181:125):
> #   scontext="system_u:system_r:qasd_t:s0"
> #   tcontext="unconfined_u:system_r:httpd_t:s0"
> #   class="fifo_file" perms="write"
> #   comm=".qasd" exe="" path=""
> #   message="type=AVC msg=audit(1392243659.181:125): avc: denied { write } for
> #     pid=1270 comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222
> #     scontext=system_u:system_r:qasd_t:s0
> #     tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file

On all SELinux systems you can allow all domains to do this by allowing 'domain'. So you want to create an interface qasd_stream_connect, and then call it with domain:

qasd_stream_connect(domain)

On newer systems from Fedora/RHEL7, you could use the attribute nsswitch_domain, which is all domains that call getpw*.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
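The module the reply describes, written out as an added example (it is not from the thread, nor the vendor's policy): a `qasd_stream_connect` interface bundling the three permissions the denials show, called once with the `domain` attribute instead of once per caller. The file names, the types `qasd_exec_t` and `qasd_var_auth_t`, and the file-context line are assumptions; `stream_connect_pattern` and the other macros are standard refpolicy.

```m4
#### qasd.if  (interface definition; file and type names are assumptions)
## <summary>Allow a domain to connect to the qasd IPC socket.</summary>
## <param name="domain"><summary>Domain allowed to connect.</summary></param>
interface(`qasd_stream_connect',`
	gen_require(`
		type qasd_t, qasd_var_auth_t;
	')
	# Expands to exactly the perms in the denials above: search on the
	# directory, write on the sock_file, connectto on qasd_t's socket.
	stream_connect_pattern($1, qasd_var_auth_t, qasd_var_auth_t, qasd_t)
	files_search_var($1)
')

#### qasd.te  (module declarations plus the single call from the reply)
policy_module(qasd, 1.0.0)

gen_require(`
	attribute domain;
')

type qasd_t;
type qasd_exec_t;
init_daemon_domain(qasd_t, qasd_exec_t)

# Directory and socket under /var/opt/quest/vas/vasd (type name assumed)
type qasd_var_auth_t;
files_type(qasd_var_auth_t)
manage_dirs_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)
manage_sock_files_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)

# Every process domain may connect, as the reply suggests. On Fedora/RHEL7
# use qasd_stream_connect(nsswitch_domain) to limit this to getpw* callers.
qasd_stream_connect(domain)

# Reverse direction from the second set of denials: qasd writing back on a
# pipe inherited from the caller. Same perms as the denials, widened to domain.
allow qasd_t domain:fifo_file { write getattr };

#### qasd.fc  (labels the socket directory; path taken from the question)
/var/opt/quest/vas/vasd(/.*)?	gen_context(system_u:object_r:qasd_var_auth_t,s0)
```

After loading the module, `sesearch -A -t qasd_t -c unix_stream_socket -p connectto` should show a single rule with source `domain` in place of the per-caller rules audit2allow generated.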