<div dir="ltr"><div><div>Hi Vadym,<br><br>In fact vasd just runs unconfined under selinux; the issue you have is that sshd is running in the sshd_t context, but need to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.<br>
<br></div>Quest (now Dell) do provide a policy file which allows sshd to access these files, here's the text version:<br><br><br>module sshdqas 1.0;<br><br>require {<br> type semanage_t;<br> type var_t;<br>
type sshd_t;<br> type initrc_t;<br> class sock_file write;<br> class unix_stream_socket connectto;<br> class file { read write getattr open };<br>}<br><br>#============= semanage_t ==============<br>
allow semanage_t var_t:sock_file write;<br><br>#============= sshd_t ==============<br>allow sshd_t initrc_t:unix_stream_socket connectto;<br>allow sshd_t var_t:file open;<br>allow sshd_t var_t:file { read write getattr };<br>
allow sshd_t var_t:sock_file write;<br><br><br><br></div><div>Which as you can see, just allows sshd to access var_t labelled files -- might be considered too permssive?<br><br></div><div>But vasd itself should run ( and is 'supported') unconfined under selinux.<br>
<br>Cheers,<br></div><div>Tony<br></div>I<br><div><div><br><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 23, 2013 at 3:43 PM, Vadym Chepkov <span dir="ltr"><<a href="mailto:vchepkov@gmail.com" target="_blank">vchepkov@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="im">On Mon, Jul 22, 2013 at 2:17 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
</div><div class="gmail_extra"><div class="gmail_quote"><div class="im">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">What kind of problems are you having with it?<br><br></blockquote>
<div><br></div></div><div>It doesn't work with SELinux in enforcing mode.</div><div> </div><div># ausearch -m avc -ts recent</div><div>----</div><div>time->Tue Jul 23 10:41:47 2013</div><div>type=SYSCALL msg=audit(1374590507.830:3207): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff1e6b5530 a2=6e a3=7fff1e6b5280 items=0 ppid=1208 pid=29329 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)</div>
<div>type=AVC msg=audit(1374590507.830:3207): avc: denied { connectto } for pid=29329 comm="sshd" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket</div>
<div>----</div><div>time->Tue Jul 23 10:41:51 2013</div><div>type=SYSCALL msg=audit(1374590511.523:3217): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff1e6b5530 a2=6e a3=2 items=0 ppid=1208 pid=29329 auid=40481 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=471 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)</div>
<div>type=AVC msg=audit(1374590511.523:3217): avc: denied { connectto } for pid=29329 comm="sshd" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket</div>
<div>----</div><div>time->Tue Jul 23 10:41:51 2013</div><div>type=SYSCALL msg=audit(1374590511.400:3209): arch=c000003e syscall=2 success=yes exit=7 a0=7f085f9b3470 a1=241 a2=1b6 a3=0 items=0 ppid=1208 pid=29329 auid=4294967295 uid=0 gid=0 euid=40481 suid=0 fsuid=40481 egid=4105 sgid=0 fsgid=4105 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)</div>
<div>type=AVC msg=audit(1374590511.400:3209): avc: denied { write } for pid=29329 comm="sshd" name=".vas_logon_server" dev=dm-3 ino=16 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file</div>
<div><br></div><div><br></div><div><br></div></div></div></div>
<br>--<br>
selinux mailing list<br>
<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br></blockquote></div><br></div>