On 02/19/2014 08:20 PM, Jayson Hurst wrote:
> Audit2Allow is suggesting that a boolean be turned on.
>
> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>
> allow vasd_t ldap_port_t:tcp_socket name_bind;
>
> setsebool -P allow_ypbind 1
>
> Should this boolean be enabled via my domain's policy, or is this something
> the system administrator should turn on if they know they will be using
> NIS?
>

Only the system admin should turn this on in an NIS environment. This is an
incredibly permissive boolean. Allows all processes to use any network port.

> The same question can be asked for other things like http and samba.
>
> #!!!! This avc can be allowed using one of the these booleans:
> #     samba_export_all_ro, samba_export_all_rw
>
> allow smbd_t tmp_t:file getattr;

There really should not be tmp_t files on a system. Any idea how this file
got created? smbd_t in permissive mode?

> #!!!! This avc can be allowed using one of the these booleans:
> #     samba_create_home_dirs, samba_export_all_rw
>
> allow smbd_t user_home_dir_t:dir { write create add_name };
>
> setsebool -P samba_export_all_rw 1
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

If a user is exporting the home dirs it would be better to use

samba_enable_home_dirs

But if he is sharing the entire system then use

samba_export_all_rw
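Added example, not part of the original thread and not audit2allow's own code: a small parser that pairs each `#!!!!` boolean hint in audit2allow output with the allow rule it covers, so the narrow rule and the boolean alternatives can be reviewed side by side before anyone runs setsebool. The sample input is constructed from the rules quoted in the message above; the `BROAD` set and the function name `parse` are assumptions made for this illustration.

```python
import re

# Constructed sample: audit2allow output as quoted in the thread above.
SAMPLE = """\
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow vasd_t ldap_port_t:tcp_socket name_bind;

#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
allow smbd_t tmp_t:file getattr;

#!!!! This avc can be allowed using one of the these booleans:
#     samba_create_home_dirs, samba_export_all_rw
allow smbd_t user_home_dir_t:dir { write create add_name };
"""

# Assumption: booleans the reply treats as system-wide; adjust per site policy.
BROAD = {"allow_ypbind", "samba_export_all_rw"}

RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")
SINGLE = re.compile(r"using the boolean '([^']+)'")

def parse(text):
    """Return one dict per allow rule with the booleans hinted for it."""
    findings, hinted, in_list = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#!!!!"):
            m = SINGLE.search(line)
            hinted = [m.group(1)] if m else []
            in_list = line.endswith(":")      # names follow on the next comment line
        elif line.startswith("#") and in_list:
            hinted += [b.strip() for b in line.lstrip("# ").split(",") if b.strip()]
        elif (m := RULE.match(line)):
            src, tgt, cls, perms = m.groups()
            findings.append({
                "source": src, "target": tgt, "class": cls,
                "perms": perms.strip("{} ").split(),
                "booleans": hinted,
                "broad": sorted(set(hinted) & BROAD),
            })
            hinted, in_list = [], False
        elif line:
            hinted, in_list = [], False       # unrelated line: drop a stale hint
    return findings

if __name__ == "__main__":
    for f in parse(SAMPLE):
        print(f["source"], f["target"], f["class"], f["perms"], f["booleans"], f["broad"])
```

A non-empty `broad` list marks a rule where the suggested boolean grants far more than the single denial, which is the case the reply leaves to the system administrator.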