<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>All of the following audit messages are connected to the file:<br><br>/var/opt/quest/vas/vasd/.vasd40_ipc_sock<br><br>What is the preferred way to grant the appropriate access to the file when the domain that is going to need access to it is unknown? The context type when I am done will probably be qasd_var_auth_t, although I am not sure that matters at this point.<br><br>#============= hald_t ==============<br>allow hald_t var_auth_t:sock_file write;<br><br>#============= httpd_t ==============<br>allow httpd_t var_auth_t:dir search;<br>allow httpd_t var_auth_t:sock_file write;<br><br>#============= policykit_t ==============<br>allow policykit_t var_auth_t:dir search;<br>allow policykit_t var_auth_t:sock_file write;<br><br>#============= postfix_pickup_t ==============<br>allow postfix_pickup_t var_auth_t:dir search;<br>allow postfix_pickup_t var_auth_t:sock_file write;<br>allow postfix_pickup_t qasd_t:unix_stream_socket connectto;<br><br>#============= postfix_qmgr_t ==============<br>allow postfix_qmgr_t var_auth_t:dir search;<br>allow postfix_qmgr_t var_auth_t:sock_file write;<br>allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;<br><br>#============= system_dbusd_t ==============<br>allow system_dbusd_t var_auth_t:sock_file write;<br>allow system_dbusd_t qasd_t:unix_stream_socket connectto;<br><br>#============= xdm_dbusd_t ==============<br>allow xdm_dbusd_t var_auth_t:dir search;<br>allow xdm_dbusd_t var_auth_t:sock_file write;<br>allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;<br><br>#============= xdm_t ==============<br>allow xdm_t qasd_t:unix_stream_socket connectto;<br><br># audit(1392243009.026:13):<br># scontext="system_u:system_r:postfix_qmgr_t:s0" tcontext="system_u:system_r:qasd_t:s0"<br># class="unix_stream_socket" perms="connectto"<br># comm="qmgr" exe="" path=""<br># message="type=AVC msg=audit(1392243009.026:13): avc: denied { connectto }<br># for pid=1674 comm="qmgr" 
path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"<br># scontext=system_u:system_r:postfix_qmgr_t:s0<br># tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"<br><br>I am also seeing the reverse of this with fifo_files (grant myself write, getattr access) to an unknown domain.<br><br>allow qasd_t httpd_t:fifo_file { write getattr };<br>allow qasd_t policykit_t:fifo_file { write getattr };<br>allow qasd_t postfix_pickup_t:fifo_file { write getattr };<br>allow qasd_t postfix_qmgr_t:fifo_file { write getattr };<br>allow qasd_t xdm_dbusd_t:fifo_file { write getattr };<br><br>audit(1392243659.181:125):<br># scontext="system_u:system_r:qasd_t:s0" tcontext="unconfined_u:system_r:httpd_t:s0"<br># class="fifo_file" perms="write"<br># comm=".qasd" exe="" path=""<br># message="type=AVC msg=audit(1392243659.181:125): avc: denied { write } for<br># pid=1270 comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222<br># scontext=system_u:system_r:qasd_t:s0<br># tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file</div></body>
</html>