On Jul 23, 2013, at 11:14 AM, Tony Scully <tonyjscully(a)gmail.com> wrote:
Hi Vadym,
In fact vasd just runs unconfined under SELinux; the issue you have is that sshd is
running in the sshd_t context, but needs to access some files, the vasd cache (I think
it's via PAM) in /var/opt/quest/vas.
Quest (now Dell) do provide a policy file which allows sshd to access these files,
here's the text version:
module sshdqas 1.0;
require {
type semanage_t;
type var_t;
type sshd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
class file { read write getattr open };
}
#============= semanage_t ==============
allow semanage_t var_t:sock_file write;
#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;
Which, as you can see, just allows sshd to access var_t labelled files -- might be
considered too permissive?
But vasd itself should run (and is 'supported') unconfined under SELinux.
It looks like a workaround to me, not a proper policy, but at least I don't have to
disable SELinux.
I ended up with this:
module qas 1.0;
require {
type var_auth_t;
type sshd_t;
type system_dbusd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
class file { read write getattr open };
}
#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_auth_t:file { open read write getattr };
allow sshd_t var_auth_t:sock_file write;
#============= system_dbusd_t ==============
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t var_auth_t:file { open read write getattr };
allow system_dbusd_t var_auth_t:sock_file write;
Thanks,
Vadym
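Added example, not from the thread and not Quest's or Dell's code: a small shell helper that shows where the rules in both modules above come from. It derives allow rules from the AVC denials sshd actually triggers (a minimal audit2allow), flags any rule whose target is a catch-all type such as var_t (the objection to the vendor's sshdqas module), wraps the rest in a .te module shaped like the qas module, and builds it with checkmodule, semodule_package and semodule. The audit lines embedded in it are constructed samples, the file names under /var/opt/quest/vas are made up, the list of "broad" types is a judgment call rather than anything the thread states, and check_cache_label exists because the narrower var_auth_t rules only do anything if the cache directory really carries that label, which the thread assumes but does not show.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): derive a narrowly scoped
# SELinux module for sshd from AVC denials. Needs awk/grep for the parsing and
# policycoreutils/checkpolicy on the target host for build_and_load.

# Print one allow rule per (source type, target type, class), merging the
# permissions from every "avc: denied" line on stdin. Non-AVC lines are skipped.
avc_to_allow() {
    awk '
    $0 !~ /avc: +denied/ { next }
    {
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype SUBSEP ttype SUBSEP tclass
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (!((key, p[j]) in have)) { have[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END {
        for (k = 1; k <= n; k++) {
            split(order[k], f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rule[order[k]]
        }
    }'
}

# Print rules whose target is a catch-all label (list is a judgment call).
# A rule like the vendor module's "allow sshd_t var_t:file ..." opens far more
# than the vasd cache. Exit status 0 means something was flagged.
flag_broad_types() {
    grep -E '^allow [^ ]+ (var_t|var_lib_t|etc_t|usr_t|tmp_t|file_t|unlabeled_t|default_t):'
}

# Wrap allow rules (stdin) in a complete .te module, building the require
# block from the types and classes they use, in the shape of the qas module.
write_te_module() {
    awk -v name="$1" '
    /^allow / {
        rules[++nr] = $0
        split($3, t, ":"); cls = t[2]
        if (!($2 in tseen))   { tseen[$2] = 1;   types[++nt] = $2 }
        if (!(t[1] in tseen)) { tseen[t[1]] = 1; types[++nt] = t[1] }
        if (!(cls in cseen))  { cseen[cls] = 1;  classes[++nc] = cls }
        s = $0
        sub(/;[ \t]*$/, "", s)
        sub(/^allow [^ ]+ [^ ]+ /, "", s)
        gsub(/[{}]/, "", s)
        m = split(s, p, " ")
        for (i = 1; i <= m; i++)
            if (!((cls, p[i]) in pseen)) { pseen[cls, p[i]] = 1; perms[cls] = perms[cls] " " p[i] }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], perms[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Compile and load a .te (needs checkmodule, semodule_package, semodule; root).
build_and_load() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
        semodule_package -o "$base.pp" -m "$base.mod" &&
        semodule -i "$base.pp"
}

# The var_auth_t rules only match if the cache really carries that label.
# If this prints var_t instead, relabel with semanage fcontext / restorecon
# first, or the module is a no-op and the denials continue.
check_cache_label() {
    ls -Zd "${1:-/var/opt/quest/vas}"
}

# Constructed sample audit records (file names under the cache dir are made up).
SAMPLE_AVC='type=AVC msg=audit(1374571234.101:201): avc:  denied  { read } for  pid=2101 comm="sshd" name="cache.db" dev=dm-0 ino=4242 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=file
type=SYSCALL msg=audit(1374571234.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
type=AVC msg=audit(1374571234.102:202): avc:  denied  { open } for  pid=2101 comm="sshd" path="/var/opt/quest/vas/cache.db" dev=dm-0 ino=4242 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=file
type=AVC msg=audit(1374571234.103:203): avc:  denied  { write } for  pid=2101 comm="sshd" name="vasd.sock" dev=dm-0 ino=4243 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=sock_file
type=AVC msg=audit(1374571234.104:204): avc:  denied  { connectto } for  pid=2101 comm="sshd" path="/var/opt/quest/vas/vasd.sock" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# Run stand-alone, the script turns the sample into a module on stdout.
# On a real host: ausearch -m avc -c sshd --raw | avc_to_allow > rules.txt
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | write_te_module qas
```

On a live system the pipeline is `ausearch -m avc -c sshd --raw | avc_to_allow`, then review whatever `flag_broad_types` prints before passing the rules to `write_te_module` and `build_and_load`; run `check_cache_label` first so you know which target type the rules will actually need. audit2allow -M produces the same kind of module with less typing; the hand-rolled version is here so each line of the two modules in the thread can be traced back to a specific denial.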