I am running in permissive mode, my module is in permissive mode.
I am actually running on RHEL 6.0. So in this scenario, even though my daemon is authenticating the user, it is not responsible for the context that the krb5cc_xxx file gets created as?

> Date: Thu, 20 Feb 2014 12:48:53 -0500
> From: dwalsh@xxxxxxxxxx
> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Correct way to use booleans
>
> On 02/20/2014 11:30 AM, Jayson Hurst wrote:
> > So it sounds like booleans are meant to be set by the admin if they need
> > that sort of thing on. In the case of samba if the admin wanted to share
> > out user directories they would need to turn on a boolean that would allow
> > them to do so like samba_enable_home_dirs.
> >
> > I see a few different files in /tmp that are labelled as tmp_t, but the
> > ones I care about are the krb5cc_X files. If I use kinit to generate the
> > krb5cc file it is labelled as user_tmp_t but if I log in through
> > ssh, local_login, gdm, etc... they get created as tmp_t. Seeing that my
> > daemon is responsible for kerberos login I can only guess that it is
> > generating them incorrectly. In my SELinux module should I have a
> > transition for files created in tmp to have them created as user_tmp_t or
> > is there a better way?
>
> Well, are you in permissive mode? Are you using standard Fedora packages or
> something different? Login/sshd should be creating these files as user_tmp_t.
>
> >> Date: Thu, 20 Feb 2014 08:03:44 -0500
> >> From: dwalsh@xxxxxxxxxx
> >> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> Subject: Re: Correct way to use booleans
> >>
> > On 02/19/2014 08:20 PM, Jayson Hurst wrote:
> >> Audit2Allow is suggesting that a boolean be turned on.
> >>
> >> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
> >> allow vasd_t ldap_port_t:tcp_socket name_bind;
> >> setsebool -P allow_ypbind 1
> >>
> >> Should this boolean be enabled via my domain's policy, or is this
> >> something the system administrator should turn on if they know they will
> >> be using NIS?
> >
> > Only the system admin should turn this on in an NIS environment. This is
> > an incredibly permissive boolean. Allows all processes to use any network
> > port.
> >
> >> The same question can be asked for other things like http and samba.
> >> #!!!! This avc can be allowed using one of the these booleans: #
> >> samba_export_all_ro, samba_export_all_rw
> >> allow smbd_t tmp_t:file getattr;
> >
> > There really should not be tmp_t files on a system. Any idea how this file
> > got created? smbd_t in permissive mode?
> >
> >> #!!!! This avc can be allowed using one of the these booleans: #
> >> samba_create_home_dirs, samba_export_all_rw
> >> allow smbd_t user_home_dir_t:dir { write create add_name };
> >> setsebool -P samba_export_all_rw 1
> >
> > If a user is exporting the home dirs it would be better to use
> > samba_enable_home_dirs
> >
> > But if he is sharing the entire system then use samba_export_all_rw
>
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
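The question in the thread is whether the daemon's module should carry a transition so that files it creates in /tmp come out as user_tmp_t rather than tmp_t. The module below is an added illustration of what that rule looks like in reference-policy style, not code from the thread or from the daemon's vendor; it assumes the refpolicy interfaces files_tmp_filetrans and userdom_manage_user_tmp_files are present in the system's policy headers, and that vasd_t really is the process creating the cache (Dan's point that login/sshd normally do this still stands).

```selinux
policy_module(vasd_krb5cc, 1.0.0)

########################################
#
# Declarations
#

require {
	# Domain of the authenticating daemon, taken from the audit2allow
	# output quoted in the thread. Assumed to be declared by the main
	# vasd module; this module only adds rules for it.
	type vasd_t;
}

########################################
#
# krb5cc_* credential caches in /tmp
#
# A file created in a directory labelled tmp_t inherits tmp_t unless a
# type_transition says otherwise. kinit and the login programs have such
# a transition and end up with user_tmp_t, so a daemon that writes the
# cache under its own domain needs the same rule or its caches stay
# tmp_t, which is what the thread observes.
#

# Let vasd_t create, read, write and delete user_tmp_t files
# (refpolicy interface name assumed: userdom_manage_user_tmp_files).
userdom_manage_user_tmp_files(vasd_t)

# Type transition for files vasd_t creates inside tmp_t directories
# (/tmp and /var/tmp). The interface also grants search on tmp_t.
# Caveat: this covers every file vasd_t creates there, not only
# krb5cc_*, because the cache name carries a uid and cannot be matched
# by a literal named transition; check the daemon writes nothing else
# in /tmp that should keep a private type.
files_tmp_filetrans(vasd_t, user_tmp_t, file)

# The call above expands to the core rule:
#   type_transition vasd_t tmp_t:file user_tmp_t;
```

After building and loading the module with semodule -i, `sesearch -T -s vasd_t -t tmp_t -c file` should list the transition. Caches created before the rule was loaded keep their tmp_t label until they are recreated, so re-test with a fresh login rather than an existing file.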