Thanks, I am currently doing something similar to that and I didn't know if that was considered too open.

> Date: Thu, 13 Feb 2014 09:27:42 -0500
> From: dwalsh@xxxxxxxxxx
> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: How do I generically allow access to a single socket file
>
> On 02/12/2014 05:51 PM, Jayson Hurst wrote:
> > All of the following audit messages are connected to the file:
> >
> > /var/opt/quest/vas/vasd/.vasd40_ipc_sock
> >
> > What is the preferred way to grant the appropriate access to the file when
> > the domain that is going to need access to it is unknown? The context type
> > when I am done will probably be qasd_var_auth_t, although I am not sure
> > that matters at this point.
> >
> > #============= hald_t ==============
> > allow hald_t var_auth_t:sock_file write;
> >
> > #============= httpd_t ==============
> > allow httpd_t var_auth_t:dir search;
> > allow httpd_t var_auth_t:sock_file write;
> >
> > #============= policykit_t ==============
> > allow policykit_t var_auth_t:dir search;
> > allow policykit_t var_auth_t:sock_file write;
> >
> > #============= postfix_pickup_t ==============
> > allow postfix_pickup_t var_auth_t:dir search;
> > allow postfix_pickup_t var_auth_t:sock_file write;
> > allow postfix_pickup_t qasd_t:unix_stream_socket connectto;
> >
> > #============= postfix_qmgr_t ==============
> > allow postfix_qmgr_t var_auth_t:dir search;
> > allow postfix_qmgr_t var_auth_t:sock_file write;
> > allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;
> >
> > #============= system_dbusd_t ==============
> > allow system_dbusd_t var_auth_t:sock_file write;
> > allow system_dbusd_t qasd_t:unix_stream_socket connectto;
> >
> > #============= xdm_dbusd_t ==============
> > allow xdm_dbusd_t var_auth_t:dir search;
> > allow xdm_dbusd_t var_auth_t:sock_file write;
> > allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;
> >
> > #============= xdm_t ==============
> > allow xdm_t qasd_t:unix_stream_socket connectto;
> >
> > # audit(1392243009.026:13):
> > #   scontext="system_u:system_r:postfix_qmgr_t:s0"
> > #   tcontext="system_u:system_r:qasd_t:s0"
> > #   class="unix_stream_socket"
> > #   perms="connectto"
> > #   comm="qmgr" exe="" path=""
> > #   message="type=AVC msg=audit(1392243009.026:13): avc: denied { connectto }
> > #   for pid=1674 comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"
> > #   scontext=system_u:system_r:postfix_qmgr_t:s0
> > #   tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"
> >
> > I am also seeing the reverse of this with fifo_files (grant myself write,
> > getattr access) to an unknown domain.
> >
> > allow qasd_t httpd_t:fifo_file { write getattr };
> > allow qasd_t policykit_t:fifo_file { write getattr };
> > allow qasd_t postfix_pickup_t:fifo_file { write getattr };
> > allow qasd_t postfix_qmgr_t:fifo_file { write getattr };
> > allow qasd_t xdm_dbusd_t:fifo_file { write getattr };
> >
> > # audit(1392243659.181:125):
> > #   scontext="system_u:system_r:qasd_t:s0"
> > #   tcontext="unconfined_u:system_r:httpd_t:s0"
> > #   class="fifo_file"
> > #   perms="write"
> > #   comm=".qasd" exe="" path=""
> > #   message="type=AVC msg=audit(1392243659.181:125): avc: denied { write } for
> > #   pid=1270 comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222
> > #   scontext=system_u:system_r:qasd_t:s0
> > #   tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
>
> On all SELinux systems you can allow all domains to do this by allowing 'domain'.
>
> So you want to create an interface qasd_stream_connect, and then call it with
> domain
>
> qasd_stream_connect(domain)
>
> On newer systems from Fedora/RHEL7, you could use the attribute
> nsswitch_domain which is all domains that call getpw*
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
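The interface dwalsh describes, written out as an added refpolicy-style example; this is not code from the thread or from the vendor's actual policy. It assumes the socket file is relabelled qasd_var_auth_t as the original poster planned, that qasd_t is the daemon domain, and that the module is named qasd (hypothetical); it also goes a step beyond the reply by sketching the daemon-side rules the interface depends on.

```m4
## ---- qasd.if (hypothetical module name) ----
## <summary>Connect to the qasd daemon over its unix stream socket.</summary>
## <param name="domain"><summary>Domain allowed to connect.</summary></param>
interface(`qasd_stream_connect',`
	gen_require(`
		type qasd_t, qasd_var_auth_t;
	')

	# The AVCs in the thread asked for dir search + sock_file write on the
	# socket's label, and connectto on the daemon's listening socket.
	files_search_var($1)
	allow $1 qasd_var_auth_t:dir search_dir_perms;
	stream_connect_pattern($1, qasd_var_auth_t, qasd_t)

	# Reverse direction: the daemon answers over a pipe the client created,
	# so the pipe carries the client's domain type (the fifo_file denials).
	# Granting it here keeps it bound to the same client domain.
	allow qasd_t $1:fifo_file { getattr write };
')

## ---- qasd.te ----
policy_module(qasd, 1.0.0)

type qasd_t;
type qasd_exec_t;
init_daemon_domain(qasd_t, qasd_exec_t)

# Label assumed for /var/opt/quest/vas/vasd (set via the module's .fc file).
type qasd_var_auth_t;
files_type(qasd_var_auth_t)

# Daemon side: own the listening socket and the directory holding it.
allow qasd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)
manage_sock_files_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)
files_var_filetrans(qasd_t, qasd_var_auth_t, dir)

# Client side: one interface call replaces the per-domain allow rules.
# Option 1 (any SELinux system): every confined domain, via the attribute.
gen_require(`
	attribute domain;
')
qasd_stream_connect(domain)

# Option 2 (Fedora/RHEL7 and newer): only domains that resolve users through
# nsswitch, i.e. the ones that actually call getpw*. Requires
# `attribute nsswitch_domain;` in the gen_require block above.
# qasd_stream_connect(nsswitch_domain)
```

Build with `make -f /usr/share/selinux/devel/Makefile qasd.pp` and load with `semodule -i qasd.pp`. Then confirm what the broad grant actually allows, e.g. `sesearch -A -s postfix_qmgr_t -t qasd_t -c unix_stream_socket -p connectto`, before deciding whether `domain` is too open for your deployment or `nsswitch_domain` is the better fit.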