> Date: Thu, 20 Feb 2014 12:48:53 -0500
> From: dwalsh@xxxxxxxxxx
> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Correct way to use booleans
>
> On 02/20/2014 11:30 AM, Jayson Hurst wrote:
> > So it sounds like booleans are meant to be set by the admin if they need
> > that sort of thing on. In the case of samba if the admin wanted to share
> > out user directories they would need to turn on a boolean that would allow
> > them to do so like samba_enable_home_dirs.
> >
> > I see a few different files in /tmp that are labelled as tmp_t, but the
> > ones I care about are the krb5cc_X files. If I use kinit to generate the
> > krb5cc file it is labelled as user_tmp_t but if I log in through
> > ssh, local_login, gdm, etc... they get created as tmp_t. Seeing that my
> > daemon is responsible for Kerberos login I can only guess that it is
> > generating them incorrectly. In my SELinux module should I have a
> > transition for files created in tmp to have them created as user_tmp_t or
> > is there a better way?
> >
> Well are you in permissive mode? Are you using standard Fedora packages or
> something different? Login/sshd should be creating these files as user_tmp_t.
>
> >> Date: Thu, 20 Feb 2014 08:03:44 -0500
> >> From: dwalsh@xxxxxxxxxx
> >> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> Subject: Re: Correct way to use booleans
> >>
> > On 02/19/2014 08:20 PM, Jayson Hurst wrote:
> >> Audit2Allow is suggesting that a boolean be turned on.
> >
> >> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
> >
> >> allow vasd_t ldap_port_t:tcp_socket name_bind;
> >
> >> setsebool -P allow_ypbind 1
> >
> >> Should this boolean be enabled via my domain's policy, or is this
> >> something the system administrator should turn on if they know they will
> >> be using NIS?
> >
> > Only the system admin should turn this on in an NIS environment. This is
> > an incredibly permissive boolean. Allows all processes to use any network
> > port.
> >
> >> The same question can be asked for other things like http and samba.
> >> #!!!! This avc can be allowed using one of the these booleans: #
> >> samba_export_all_ro, samba_export_all_rw
> >
> >> allow smbd_t tmp_t:file getattr;
> > There really should not be tmp_t files on a system. Any idea how this file
> > got created? smbd_t in permissive mode?
> >
> >> #!!!! This avc can be allowed using one of the these booleans: #
> >> samba_create_home_dirs, samba_export_all_rw
> >
> >> allow smbd_t user_home_dir_t:dir { write create add_name };
> >
> >> setsebool -P samba_export_all_rw 1
> >
> >> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> > If a user is exporting the home dirs it would be better to use
> > samba_enable_home_dirs
> >
> > But if he is sharing the entire system then use samba_export_all_rw
> >
> >
> >
>
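The module-level alternative to switching on a broad boolean, as an added example that is not from the thread or from any product it mentions: the daemon's own domain gets a file transition so the credential caches it creates under /tmp are labelled user_tmp_t (what login/sshd produce), plus a bind rule for just the LDAP port instead of allow_ypbind. The interface names are refpolicy ones and should be checked against the headers in /usr/share/selinux/devel on the target system; vasd_t is assumed to be declared already by the daemon's existing module.

```selinux
# Added example policy module (not from the thread). Assumes vasd_t is
# already declared by the daemon's existing module, and that the
# refpolicy interfaces named below exist in the installed policy headers.
policy_module(vasd_krb5cc, 1.0.0)

gen_require(`
    type vasd_t;
')

########################################
#
# Local policy
#

# Files the daemon creates in /tmp (a tmp_t directory) get user_tmp_t,
# matching what login/sshd give krb5cc_* files, instead of inheriting
# tmp_t from the directory (the stray tmp_t files the thread asks about).
userdom_tmp_filetrans_user_tmp(vasd_t, file)

# Read, write, create and delete the user_tmp_t caches it now owns.
userdom_manage_user_tmp_files(vasd_t)

# Exactly the access the AVC asked for (name_bind on ldap_port_t),
# rather than allow_ypbind, which lets every domain bind any port.
corenet_tcp_bind_ldap_port(vasd_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile vasd_krb5cc.pp && semodule -i vasd_krb5cc.pp`, then confirm the result with `ls -Z /tmp/krb5cc_*` after the daemon has created a cache.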