RE: Correct way to use booleans

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am running in permissive mode, my module is in permissive mode.

I am actually running on RHEL 6.0.

So in this scenario even though my daemon is authenticating the user it is not responsible for context that the krb5cc_xxx file gets created as?

> Date: Thu, 20 Feb 2014 12:48:53 -0500
> From: dwalsh@xxxxxxxxxx
> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Correct way to use booleans
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/20/2014 11:30 AM, Jayson Hurst wrote:
> > So it sounds like booleans are meant to be set by the admin if they need
> > that sort of thing on. In the case of samba if the admin wanted to share
> > out user directories they would need to turn on a boolean that would allow
> > them to do so like samba_enable_home_dirs.
> >
> > I see a few different files in /tmp that are labelled as tmp_t, but the
> > ones I care about are the krb5cc_X files. If I use kinit to generate the
> > krb5cc file it is labelled as user_tmp_t but if I login through
> > ssh,local_login, gdm, etc... they get created as tmp_t. Seeing that my
> > daemon is responsible for kerberos login I can only guess that it is
> > generating them incorrectly. In my SELinux module should I have a
> > transition for files created in tmp to have them created as user_tmp_t or
> > is there a better way?
> >
> Well are you in permissive mode? Are you using standard Fedora packages or
> something different? Login/sshd should be creating these files as user_tmp_t.
>
>
> >> Date: Thu, 20 Feb 2014 08:03:44 -0500 From: dwalsh@xxxxxxxxxx To:
> >> swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx Subject: Re: Correct
> >> way to use booleans
> >>
> > On 02/19/2014 08:20 PM, Jayson Hurst wrote:
> >> Audit2Allow is suggesting that a boolean be turned on.
> >
> >> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
> >
> >> allow vasd_t ldap_port_t:tcp_socket name_bind;
> >
> >> setsebool -P allow_ypbind 1
> >
> >> Should this boolean be enabled via my domains policy, or is this
> >> something the system administrator should turn on if they know they will
> >> be using NIS?
> >
> > Only the system admin should turn this on in an NIS environment. This is
> > an incredibly permissive boolean. Allows all processes to use any network
> > port.
> >
> >> The same question can be asked for other things like http and samba.
> >> #!!!! This avc can be allowed using one of the these booleans: #
> >> samba_export_all_ro, samba_export_all_rw
> >
> >> allow smbd_t tmp_t:file getattr;
> > There really should not be tmp_t files on a system. Any idea how this file
> > got created? smbd_t in permissive mode?
> >
> >> #!!!! This avc can be allowed using one of the these booleans: #
> >> samba_create_home_dirs, samba_export_all_rw
> >
> >> allow smbd_t user_home_dir_t:dir { write create add_name };
> >
> >> setsebool -P samba_export_all_rw 1
> >
> >
> >
> >
> >
> >> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> > If a user is exporting the home dirs it would be better to use
> > samba_enable_home_dirs
> >
> > But if he is sharing the entire system then use samba_export_all_rw
> >
> >
> >
> >
> > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlMGQAUACgkQrlYvE4MpobMiuwCePDvZd/9kwNGYDfsjoZHgi1F/
> pHoAn05t4SFE75eS8GEDKBWuuRLG5BWf
> =jZN7
> -----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux