Correct way to use booleans

Miroslav Grepl mgrepl at redhat.com
Fri Feb 21 09:10:18 UTC 2014


On 02/20/2014 07:41 PM, Jayson Hurst wrote:
> I am running in permissive mode, my module is in permissive mode.
>
> I am actually running on RHEL 6.0.
>
> So in this scenario even though my daemon is authenticating the user 
> it is not responsible for context that the krb5cc_xxx file gets 
> created as?

What daemon?

How does your local policy look?
>
> > Date: Thu, 20 Feb 2014 12:48:53 -0500
> > From: dwalsh at redhat.com
> > To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> > Subject: Re: Correct way to use booleans
> >
> > On 02/20/2014 11:30 AM, Jayson Hurst wrote:
> > > So it sounds like booleans are meant to be set by the admin if they need
> > > that sort of thing on. In the case of samba if the admin wanted to share
> > > out user directories they would need to turn on a boolean that would allow
> > > them to do so like samba_enable_home_dirs.
> > >
> > > I see a few different files in /tmp that are labelled as tmp_t, but the
> > > ones I care about are the krb5cc_X files. If I use kinit to generate the
> > > krb5cc file it is labelled as user_tmp_t but if I login through
> > > ssh, local_login, gdm, etc... they get created as tmp_t. Seeing that my
> > > daemon is responsible for kerberos login I can only guess that it is
> > > generating them incorrectly. In my SELinux module should I have a
> > > transition for files created in tmp to have them created as user_tmp_t or
> > > is there a better way?
> > >
> > Well, are you in permissive mode? Are you using standard Fedora packages or
> > something different? Login/sshd should be creating these files as
> > user_tmp_t.
> >
> >
> > >> Date: Thu, 20 Feb 2014 08:03:44 -0500
> > >> From: dwalsh at redhat.com
> > >> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> > >> Subject: Re: Correct way to use booleans
> > >>
> > > On 02/19/2014 08:20 PM, Jayson Hurst wrote:
> > >> Audit2Allow is suggesting that a boolean be turned on.
> > >
> > >> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
> > >
> > >> allow vasd_t ldap_port_t:tcp_socket name_bind;
> > >
> > >> setsebool -P allow_ypbind 1
> > >
> > >> Should this boolean be enabled via my domain's policy, or is this
> > >> something the system administrator should turn on if they know they will
> > >> be using NIS?
> > >
> > > Only the system admin should turn this on in an NIS environment. This is
> > > an incredibly permissive boolean. Allows all processes to use any network
> > > port.
> > >
> > >> The same question can be asked for other things like http and samba.
> > >> #!!!! This avc can be allowed using one of the these booleans: #
> > >> samba_export_all_ro, samba_export_all_rw
> > >
> > >> allow smbd_t tmp_t:file getattr;
> > > There really should not be tmp_t files on a system. Any idea how this file
> > > got created? smbd_t in permissive mode?
> > >
> > >> #!!!! This avc can be allowed using one of the these booleans: #
> > >> samba_create_home_dirs, samba_export_all_rw
> > >
> > >> allow smbd_t user_home_dir_t:dir { write create add_name };
> > >
> > >> setsebool -P samba_export_all_rw 1
> > >
> > >> -- selinux mailing list selinux at lists.fedoraproject.org
> > >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > > If a user is exporting the home dirs it would be better to use
> > > samba_enable_home_dirs
> > >
> > > But if he is sharing the entire system then use samba_export_all_rw
> > >
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
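As an added illustration, not code from this thread or from the vendor of the daemon, here is a refpolicy-style module fragment for the vasd_t domain discussed above. It does the two things the thread argues for: files the daemon creates under /tmp get a transition to user_tmp_t, and the port access that audit2allow wanted to satisfy with the system-wide allow_ypbind boolean is instead placed behind a narrow, module-private tunable that the admin switches on. The interface names userdom_tmp_filetrans_user_tmp, userdom_manage_user_tmp_files and corenet_tcp_bind_ldap_port are assumed from refpolicy and should be checked against the headers in /usr/share/selinux/devel on the target release.

```m4
policy_module(vasd, 1.0.0)

########################################
#
# Declarations
#

type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

# Module-private tunable shipped disabled: the admin opts in with
# "setsebool -P vasd_bind_ldap_port on" rather than the module
# silently enabling allow_ypbind for every confined domain.

## <desc>
## <p>
## Allow vasd to bind to the LDAP port.
## </p>
## </desc>
gen_tunable(vasd_bind_ldap_port, false)

########################################
#
# Local policy
#

# Files the daemon creates in a tmp_t directory (its krb5cc_* caches)
# are labelled user_tmp_t, the label kinit produces and login/sshd are
# expected to produce, instead of inheriting tmp_t from the directory.
# (Assumed interface names, see lead-in.)
userdom_tmp_filetrans_user_tmp(vasd_t, file)
userdom_manage_user_tmp_files(vasd_t)

# Narrow replacement for the audit2allow suggestion: only this domain,
# only ldap_port_t, and only when the admin has turned the tunable on.
tunable_policy(`vasd_bind_ldap_port',`
	corenet_tcp_bind_ldap_port(vasd_t)
')
```

After loading the module, a file created by the daemon should show up as user_tmp_t in ls -Z output, and getsebool vasd_bind_ldap_port should report off until the admin changes it.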
