making a file context change work for initrc_t and unconfined_t
Dominick Grift
dominick.grift at gmail.com
Wed Feb 1 18:32:34 UTC 2012
On Tue, 2012-01-31 at 17:33 -0500, Maria Iano wrote:
> I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I
> will take care of a large number of denials if I can change the type
> of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
>
> I added the file context rule with semanage, and used restorecon to
> change it to lsassd_var_socket_t as desired. But later I found that
> /var/lib/likewise/.lsassd had type var_lib_t again. I assume that is
> because the likewise processes run as initrc_t.
Why are the likewise processes running in initrc_t?
Are the likewise executable files in their proper location?

/usr/sbin/dcerpcd   -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd    -- gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/lwiod     -- gen_context(system_u:object_r:lwiod_exec_t,s0)
/usr/sbin/lwregd    -- gen_context(system_u:object_r:lwregd_exec_t,s0)
/usr/sbin/lwsmd     -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/usr/sbin/srvsvcd   -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> I'd like to change the policy and tell it that services running in
> either initrc_t or unconfined_t domains should create the file
> /var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line
> tool lwsm for managing the processes runs in unconfined_t so I'd like
> to include that domain to be safe.) How can I go about doing that in
> RHEL 6 (or can I)?
That is not possible, but if you label /var/lib/likewise:

semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"

and configure restorecond to watch /var/lib/likewise, then the file will
be reset to the proper type when restorecond notices that it's
mislabeled.
The policy for likewise was written by the people of likewise. I helped
with it a bit. I think we collaborated on the selinux mailing list, but I
could not find the thread about it on short notice. (I was looking for
the e-mail address of the likewise policy author so that I can ask him
to see if the policy is still up-to-date.)
It may be that the policy is not maintained optimally.
Maybe you can help us revisit it?
> Thanks,
> Maria
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
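The procedure in Dominick's reply (check that the daemons run in their own domains, label /var/lib/likewise with likewise_var_lib_t, and let restorecond keep the label in place) as a script. This is an added example, not code from the thread, from Likewise or from the policy authors. It assumes the refpolicy convention that a daemon whose executable is labeled foo_exec_t is meant to run in domain foo_t (so lsassd_exec_t -> lsassd_t), RHEL 6 paths and init scripts, and that restorecond.conf takes one shell-style glob per line rather than the regex syntax semanage fcontext uses. The ps -eZ output embedded below is constructed for the offline run; the live_audit and live_apply functions are only invoked when the script is called with "audit" or "apply" on the box itself.

```shell
#!/bin/sh
# Added example for this thread: find Likewise daemons running in the wrong
# SELinux domain and make the /var/lib/likewise labelling survive restarts.
# Assumption: daemon foo (exec type foo_exec_t) should run in domain foo_t.

LIKEWISE_DAEMONS="dcerpcd eventlogd lsassd lwiod lwregd lwsmd netlogond srvsvcd"

# Constructed `ps -eZ` output so the filter can be exercised offline.
# Columns: LABEL PID TTY TIME CMD.
SAMPLE_PS='LABEL                                   PID TTY      TIME CMD
system_u:system_r:lwsmd_t:s0                       1234 ?    00:00:01 /usr/sbin/lwsmd
system_u:system_r:initrc_t:s0                      2345 ?    00:00:03 /usr/sbin/lsassd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2346 ? 00:00:00 /usr/sbin/lwregd
system_u:system_r:dcerpcd_t:s0                     2347 ?    00:00:00 /usr/sbin/dcerpcd'

# find_mislabelled_domains: read `ps -eZ` output on stdin and print
# "<pid> <daemon> <actual domain> (expected <daemon>_t)" for every Likewise
# daemon that is not running in its own domain (initrc_t, unconfined_t, ...).
find_mislabelled_domains() {
    awk -v daemons="$LIKEWISE_DAEMONS" '
        BEGIN {
            n = split(daemons, d, " ")
            for (i = 1; i <= n; i++) want[d[i]] = d[i] "_t"
        }
        $2 ~ /^[0-9]+$/ {               # skip the header line
            split($1, ctx, ":")         # user:role:type:level -> type is field 3
            domain = ctx[3]
            cmd = $5
            sub(".*/", "", cmd)         # /usr/sbin/lsassd -> lsassd
            if (cmd in want && domain != want[cmd])
                print $2, cmd, domain, "(expected " want[cmd] ")"
        }'
}

# add_restorecond_watch CONF PATTERN: add PATTERN to restorecond.conf once.
# restorecond.conf is one glob per line (e.g. /var/lib/likewise/*); the
# watch is not recursive, so list each directory that needs it.
add_restorecond_watch() {
    conf=$1
    pattern=$2
    if grep -qxF -- "$pattern" "$conf" 2>/dev/null; then
        return 0                        # already present, nothing to do
    fi
    printf '%s\n' "$pattern" >> "$conf"
}

# live_audit: run on the RHEL 6 host. Verifies the exec-file labels from the
# policy's file contexts and lists daemons running outside their domain.
live_audit() {
    for d in $LIKEWISE_DAEMONS; do
        matchpathcon -V "/usr/sbin/$d"  # "verified" or the context it should have
    done
    ps -eZ | find_mislabelled_domains
}

# live_apply: the fix from the reply. The fcontext rule is added (or
# modified if it already exists), the tree is relabelled now, and
# restorecond is told to re-apply the label whenever the daemons recreate
# files under /var/lib/likewise.
live_apply() {
    semanage fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?" \
        || semanage fcontext -m -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
    restorecon -Rv /var/lib/likewise
    add_restorecond_watch /etc/selinux/restorecond.conf '/var/lib/likewise/*'
    service restorecond restart
}

case "${1:-}" in
    audit) live_audit ;;
    apply) live_apply ;;
    *)     printf '%s\n' "$SAMPLE_PS" | find_mislabelled_domains ;;
esac
```

Run it with no argument to see the filter flag the constructed lsassd (initrc_t) and lwregd (unconfined_t) entries; `audit` runs the same check against the live process table, and `apply` performs the relabelling. A daemon that still shows up in initrc_t after `apply` means the transition rule is not firing, which usually points back to the executable not carrying its *_exec_t label, the question Dominick asks first.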