making a file context change work for initrc_t and unconfined_t

Dominick Grift dominick.grift at gmail.com
Wed Feb 1 18:32:34 UTC 2012 

On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
> I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I  
> will take care of a large number of denials if I can change the type  
> of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
> 
> I added the file context rule with semanage, and used restorecon to  
> change it to lsassd_var_socket_t as desired. But later I found that / 
> var/lib/likewise/.lsassd had type var_lib_t again. I assume that is  
> because the likewise processes run as initrc_t.

Why are the likewise processes running in initrc_t?

Are the likewise executable files in their proper location:

/usr/sbin/dcerpcd			--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd			--
gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd			--	gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwiod				--	gen_context(system_u:object_r:lwiod_exec_t,s0)
/usr/sbin/lwregd			--	gen_context(system_u:object_r:lwregd_exec_t,s0)
/usr/sbin/lwsmd				--	gen_context(system_u:object_r:lwsmd_exec_t,s0)
/usr/sbin/netlogond			--
gen_context(system_u:object_r:netlogond_exec_t,s0)
/usr/sbin/srvsvcd			--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)

> I'd like to change the policy and tell it that services running in  
> either initrc_t or unconfined_t domains should create the file /var/ 
> lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line  
> tool lwsm for managing the processes runs in unconfined_t so I'd like  
> to include that domain to be safe. ) How can I go about doing that in  
> RHEL 6 (or can I)?

That is not possible but if you label /var/lib/likewise:

semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"

And configure restorecond to watch /var/lib/likewise then the file will
be reset to the proper type when restorecond notices that its
mislabeled.

The policy for likewise was written by the people of likewise. I helped
with it a bit. I think we collaborated on the selinux maillist but i
could not find the thread about it in short noticed. (i was looking for
the e-mail address of the likewise policy author so that i can ask him
to see if the policy is still up-to-date) 

It may be that the policy is not maintained optimally. 

Maybe you can help us revisit it?

> Thanks,
> Maria
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

More information about the selinux mailing list