How do I generically allow access to a single socket file

Daniel J Walsh dwalsh at redhat.com
Thu Feb 13 16:40:36 UTC 2014



On 02/13/2014 11:18 AM, Jayson Hurst wrote:
> Thanks,
> 
> I am currently doing some similar to that and I didn't know if that was 
> considered too open.
> 
Well we do this for lots of stuff that needs to talk to sssd, for example for
authorization.  It just means that your app needs to be able to handle any
process from the system being able to talk to the socket; SELinux will not
provide you protections.  But since most apps will do getpw, this is the
nature of your app.  Don't have any bugs in your app.  :^)


>> Date: Thu, 13 Feb 2014 09:27:42 -0500 From: dwalsh at redhat.com To:
>> swazup at hotmail.com; selinux at lists.fedoraproject.org Subject: Re: How do I
>> generically allow access to a single socket file
>> 
> On 02/12/2014 05:51 PM, Jayson Hurst wrote:
>> All of the following audit messages are connected to the file:
> 
>> /var/opt/quest/vas/vasd/.vasd40_ipc_sock
> 
>> What is the preferred way to grant the appropriate access to the file
>> when the domain that is going to need access to it is unknown? The
>> context type when I am done will probably be qasd_var_auth_t, although I
>> am not sure that matters at this point.
> 
>> #============= hald_t ==============
>> allow hald_t var_auth_t:sock_file write;
> 
>> #============= httpd_t ==============
>> allow httpd_t var_auth_t:dir search;
>> allow httpd_t var_auth_t:sock_file write;
> 
>> #============= policykit_t ==============
>> allow policykit_t var_auth_t:dir search;
>> allow policykit_t var_auth_t:sock_file write;
> 
>> #============= postfix_pickup_t ==============
>> allow postfix_pickup_t var_auth_t:dir search;
>> allow postfix_pickup_t var_auth_t:sock_file write;
>> allow postfix_pickup_t qasd_t:unix_stream_socket connectto;
> 
>> #============= postfix_qmgr_t ==============
>> allow postfix_qmgr_t var_auth_t:dir search;
>> allow postfix_qmgr_t var_auth_t:sock_file write;
>> allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;
> 
>> #============= system_dbusd_t ==============
>> allow system_dbusd_t var_auth_t:sock_file write;
>> allow system_dbusd_t qasd_t:unix_stream_socket connectto;
> 
>> #============= xdm_dbusd_t ==============
>> allow xdm_dbusd_t var_auth_t:dir search;
>> allow xdm_dbusd_t var_auth_t:sock_file write;
>> allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;
> 
>> #============= xdm_t ==============
>> allow xdm_t qasd_t:unix_stream_socket connectto;
> 
>> # audit(1392243009.026:13):
>> #   scontext="system_u:system_r:postfix_qmgr_t:s0"
>> #   tcontext="system_u:system_r:qasd_t:s0"
>> #   class="unix_stream_socket"
>> #   perms="connectto"
>> #   comm="qmgr" exe="" path=""
>> #   message="type=AVC msg=audit(1392243009.026:13): avc: denied { connectto } for pid=1674 comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"
> 
>> I am also seeing the reverse of this with fifo_files (grant myself
>> write, getattr access) to an unknown domain.
> 
>> allow qasd_t httpd_t:fifo_file { write getattr };
>> allow qasd_t policykit_t:fifo_file { write getattr };
>> allow qasd_t postfix_pickup_t:fifo_file { write getattr };
>> allow qasd_t postfix_qmgr_t:fifo_file { write getattr };
>> allow qasd_t xdm_dbusd_t:fifo_file { write getattr };
> 
>> # audit(1392243659.181:125):
>> #   scontext="system_u:system_r:qasd_t:s0"
>> #   tcontext="unconfined_u:system_r:httpd_t:s0"
>> #   class="fifo_file"
>> #   perms="write"
>> #   comm=".qasd" exe="" path=""
>> #   message="type=AVC msg=audit(1392243659.181:125): avc: denied { write } for pid=1270 comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222 scontext=system_u:system_r:qasd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
> 
> On all SELinux systems you can allow all domains to do this by allowing
> 'domain'.
> 
> So you want to create an interface qasd_stream_connect, and then call it
> with domain
> 
> qasd_stream_connect(domain)
> 
> On newer systems from Fedora/RHEL7, you could use the attribute 
> nsswitch_domain which is all domains that call getpw*
> 
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

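The module Dan describes (an interface qasd_stream_connect, called with the `domain` attribute, or with nsswitch_domain on Fedora/RHEL7-era policies), written out as an added example that is not part of this thread or of any vendor's policy. It assumes the types qasd_t and qasd_var_auth_t already exist in the reader's own qasd module; the file names qasd_access.if / qasd_access.te and the directory handling are illustrative. The script only generates the policy sources; building and loading needs the selinux-policy-devel Makefile and root, so that step is a separate function that is not run by default.

```shell
#!/bin/sh
# Added example, not from the thread: generate a local SELinux policy module
# that defines the interface qasd_stream_connect() and calls it with the
# `domain' attribute (every confined domain), or with nsswitch_domain on
# Fedora/RHEL7-era policies. Assumptions: the types qasd_t and qasd_var_auth_t
# already exist in the reader's qasd module; file and interface names here
# are illustrative.
set -eu

POLICY_DIR="${POLICY_DIR:-$(mktemp -d)}"

# Interface file. Everything between the backtick/quote pairs is m4-quoted,
# so no apostrophes may appear inside the interface body.
write_interface() {
    cat > "$POLICY_DIR/qasd_access.if" <<'EOF'
## <summary>Access to the qasd IPC socket (added example).</summary>

########################################
## <summary>
##      Connect to qasd over its unix stream socket.
## </summary>
## <param name="domain">
##      <summary>Domain allowed access.</summary>
## </param>
#
interface(`qasd_stream_connect',`
    gen_require(`
        type qasd_t, qasd_var_auth_t;
    ')

    # Expands to the three rules audit2allow emitted per client domain:
    # search the socket directory, write the sock_file, connectto the
    # unix_stream_socket of qasd_t.
    stream_connect_pattern($1, qasd_var_auth_t, qasd_var_auth_t, qasd_t)

    # Reverse direction from the thread: qasd answers on a pipe owned by
    # the client domain.
    allow qasd_t $1:fifo_file { getattr write };
')
EOF
}

# Module file. The scope argument is the attribute passed to the interface:
# "domain" works on every SELinux system, "nsswitch_domain" narrows it to the
# domains that call getpw* (Fedora / RHEL7 and later only).
write_module() {
    scope="$1"
    sed "s/@SCOPE@/$scope/g" > "$POLICY_DIR/qasd_access.te" <<'EOF'
policy_module(qasd_access, 1.0.0)

gen_require(`
    attribute @SCOPE@;
')

# Every domain carrying the attribute may talk to the qasd socket; SELinux
# no longer separates clients of this socket, so qasd must validate peers.
qasd_stream_connect(@SCOPE@)
EOF
}

# Write both files and print the directory they live in.
generate_policy() {
    write_interface
    write_module "$1"
    echo "$POLICY_DIR"
}

# Build and load the module. Needs the selinux-policy-devel Makefile and root;
# not run by default.
build_and_install() {
    cd "$POLICY_DIR"
    make -f /usr/share/selinux/devel/Makefile qasd_access.pp
    semodule -i qasd_access.pp
}

generate_policy "${QASD_SCOPE:-domain}"
```

Run it with `QASD_SCOPE=nsswitch_domain` on a policy that has that attribute (on older policies the gen_require fails at build time, which is the intended signal to fall back to `domain`). After `build_and_install`, `sesearch -A -s httpd_t -t qasd_t -c unix_stream_socket -p connectto` should show the rule for any of the domains from the audit2allow output above. Passing `domain` is exactly the trade-off Dan describes: every confined process on the system can now reach the socket, so the daemon, not SELinux, is the only thing checking who is on the other end.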