making a file context change work for initrc_t and unconfined_t

Daniel J Walsh dwalsh at redhat.com
Wed Feb 1 16:50:05 UTC 2012



On 02/01/2012 11:37 AM, Maria Iano wrote:
> 
> On Feb 1, 2012, at 11:30 AM, Daniel J Walsh wrote:
> 
>> 
>> On 01/31/2012 05:33 PM, Maria Iano wrote:
>>> I have a RHEL 6.2 server running LikewiseOpen. It appears to
>>> me that I will take care of a large number of denials if I can
>>> change the type of /var/lib/likewise/.lsassd to be
>>> lsassd_var_socket_t.
>>> 
>>> I added the file context rule with semanage, and used
>>> restorecon to change it to lsassd_var_socket_t as desired. But
>>> later I found that /var/lib/likewise/.lsassd had type var_lib_t
>>> again. I assume that is because the likewise processes run as
>>> initrc_t.
>>> 
>>> I'd like to change the policy and tell it that services running
>>> in either initrc_t or unconfined_t domains should create the
>>> file /var/lib/likewise/.lsassd with type lsassd_var_socket_t.
>>> (A command line tool lwsm for managing the processes runs in
>>> unconfined_t so I'd like to include that domain to be safe. )
>>> How can I go about doing that in RHEL 6 (or can I)?
>>> 
>>> Thanks, Maria
>> 
>> What label do you have on /var/lib/likewise?
> 
> system_u:object_r:var_lib_t:s0

In that case why not just label it lsassd_var_lib_t?

Currently the labeling is

/var/lib/likewise-open(/.*)?
gen_context(system_u:object_r:likewise_var_lib_t,s0)


If you label it similar, then you have a step in the right direction.

I am not sure who wrote policy for the likewise domain, but I think I
would eliminate all of the different labels.  But I guess that is the
way it is.

If unconfined_t is creating a socket in the directory then I guess it
would be listening on the socket, but other domains would not be
allowed to communicate.

One potential option if you got all of the labeling correct would be
to use restorecond.
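As an added illustration (not code from the thread or from the SELinux project), here is a small Python model of the two labeling mechanisms that collide in Maria's case: the file_contexts matching that restorecon applies, and the creation-time type a process in initrc_t gives a new file. The file_contexts entries and the transition rules are constructed for the example; the only one taken from the thread is the shipped /var/lib/likewise-open entry Dan quotes.

```python
import re

# Constructed file_contexts entries modelled on the thread. The shipped policy
# covers /var/lib/likewise-open only, so /var/lib/likewise falls back to the
# generic /var/lib rule. Rules added with "semanage fcontext -a" land in
# file_contexts.local, which is consulted after the shipped entries.
SHIPPED_FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/lib/likewise-open(/.*)?", "likewise_var_lib_t"),
]
LOCAL_FILE_CONTEXTS = [
    (r"/var/lib/likewise/\.lsassd", "lsassd_var_socket_t"),
]


def match_path(path, specs):
    """Type that restorecon/matchpathcon would assign to path.

    Simplified matching: the last regex in the list that matches the whole
    path wins, which is why a local semanage entry overrides shipped policy.
    """
    winner = None
    for regex, ftype in specs:
        if re.fullmatch(regex, path):
            winner = ftype
    return winner


def created_type(parent_type, domain, transitions):
    """Type a file gets when a process in `domain` creates it.

    Without a type_transition rule for (domain, parent directory type) the new
    file simply inherits the directory's type. That is the path that undid
    Maria's restorecon: lsassd runs as initrc_t, recreates .lsassd under a
    var_lib_t directory, and the file comes back as var_lib_t.
    """
    return transitions.get((domain, parent_type), parent_type)


# Constructed: the stock policy has no transition for initrc_t in var_lib_t
# directories; PROPOSED_TRANSITIONS models the rule Maria asked for (keyed on
# domain and parent type only, so every file initrc_t creates in such a
# directory would get the new type, not just .lsassd).
NO_TRANSITIONS = {}
PROPOSED_TRANSITIONS = {
    ("initrc_t", "var_lib_t"): "lsassd_var_socket_t",
    ("unconfined_t", "var_lib_t"): "lsassd_var_socket_t",
}
```

Running match_path on /var/lib/likewise/.lsassd against the shipped entries alone yields var_lib_t, and created_type with NO_TRANSITIONS shows why restorecon's fix does not survive the daemon recreating the socket.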


