On 02/20/2014 11:30 AM, Jayson Hurst wrote:
> So it sounds like booleans are meant to be set by the admin if they need
> that sort of thing on. In the case of samba if the admin wanted to share
> out user directories they would need to turn on a boolean that would allow
> them to do so like samba_enable_home_dirs.
>
> I see a few different files in /tmp that are labelled as tmp_t, but the
> ones I care about are the krb5cc_X files. If I use kinit to generate the
> krb5cc file it is labelled as user_tmp_t but if I login through
> ssh, local_login, gdm, etc... they get created as tmp_t. Seeing that my
> daemon is responsible for kerberos login I can only guess that it is
> generating them incorrectly. In my SELinux module should I have a
> transition for files created in tmp to have them created as user_tmp_t or
> is there a better way?
>

Well, are you in permissive mode? Are you using standard Fedora packages or
something different? Login/sshd should be creating these files as user_tmp_t.

>> Date: Thu, 20 Feb 2014 08:03:44 -0500
>> From: dwalsh@xxxxxxxxxx
>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Correct way to use booleans
>>
> On 02/19/2014 08:20 PM, Jayson Hurst wrote:
>> Audit2Allow is suggesting that a boolean be turned on.
>>
>> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>> allow vasd_t ldap_port_t:tcp_socket name_bind;
>> setsebool -P allow_ypbind 1
>>
>> Should this boolean be enabled via my domain's policy, or is this
>> something the system administrator should turn on if they know they will
>> be using NIS?
>
> Only the system admin should turn this on in an NIS environment. This is
> an incredibly permissive boolean. It allows all processes to use any network
> port.
>
>> The same question can be asked for other things like http and samba.
>>
>> #!!!! This avc can be allowed using one of the these booleans:
>> #     samba_export_all_ro, samba_export_all_rw
>> allow smbd_t tmp_t:file getattr;
>
> There really should not be tmp_t files on a system. Any idea how this file
> got created? smbd_t in permissive mode?
>
>> #!!!! This avc can be allowed using one of the these booleans:
>> #     samba_create_home_dirs, samba_export_all_rw
>> allow smbd_t user_home_dir_t:dir { write create add_name };
>> setsebool -P samba_export_all_rw 1
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> If a user is exporting the home dirs it would be better to use
> samba_enable_home_dirs
>
> But if he is sharing the entire system then use samba_export_all_rw
>
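An added check, not part of the thread, that answers Dan's question about which credential caches in /tmp carry the generic tmp_t label instead of user_tmp_t: it reads `ls -Z` output on stdin and reports every krb5cc_* entry whose SELinux type is tmp_t. The listing embedded below is constructed for illustration; on a real host you would pipe `ls -Z /tmp` into the function.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag Kerberos credential
# caches in /tmp that were created with the generic tmp_t label rather than
# user_tmp_t. Such files point at the domain that created them (login, sshd,
# or a third-party daemon) lacking the expected type transition.
#
# Input format: `ls -Z` output, either "context name" (modern coreutils) or
# the long form where the context sits before the size and name. The field
# containing ":object_r:" is taken as the context, the last field as the name.

# Print "name type" for every krb5cc_* entry whose SELinux type is tmp_t.
find_mislabelled_ccaches() {
    awk '
        {
            ctx = ""; name = $NF
            for (i = 1; i < NF; i++) if ($i ~ /:object_r:/) ctx = $i
            if (ctx == "") next
            split(ctx, parts, ":"); type = parts[3]
            if (name ~ /^krb5cc_/ && type == "tmp_t") print name, type
        }'
}

# Constructed sample of `ls -Z /tmp` output; not a listing from a real system.
SAMPLE_LISTING='unconfined_u:object_r:user_tmp_t:s0 krb5cc_1000
system_u:object_r:tmp_t:s0 krb5cc_1001
system_u:object_r:tmp_t:s0 krb5cc_1002_abc
system_u:object_r:tmp_t:s0 some_other_file
unconfined_u:object_r:user_tmp_t:s0 krb5cc_1003'

# Number of mislabelled caches in the sample. The live equivalent is
#   ls -Z /tmp | find_mislabelled_ccaches
count_mislabelled_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mislabelled_ccaches | wc -l | tr -d ' '
}
```

A non-empty result means the fix belongs in the policy of the process that created the file (a type transition on tmp_t to user_tmp_t for that domain), not in a boolean; relabelling the files by hand only hides the symptom until the next login.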