<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><div>Thanks,<br>
<br>
I am currently doing something similar to that and I didn't know if that was considered too open.<br>
<br>
> Date: Thu, 13 Feb 2014 09:27:42 -0500<br>
> From: dwalsh@redhat.com<br>
> To: swazup@hotmail.com; selinux@lists.fedoraproject.org<br>
> Subject: Re: How do I generically allow access to a single socket file<br>
> <br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
> <br>
> On 02/12/2014 05:51 PM, Jayson Hurst wrote:<br>
> > All of the following audit messages are connected to the file:<br>
> > <br>
> > /var/opt/quest/vas/vasd/.vasd40_ipc_sock<br>
> > <br>
> > What is the preferred way to grant the appropriate access to the file when<br>
> > the domain that is going to need access to it is unknown? The context type<br>
> > when I am done will probably be qasd_var_auth_t, although I am not sure<br>
> > that matters at this point.<br>
> > <br>
> > #============= hald_t ============== allow hald_t var_auth_t:sock_file<br>
> > write;<br>
> > <br>
> > #============= httpd_t ============== allow httpd_t var_auth_t:dir search;<br>
> > allow httpd_t var_auth_t:sock_file write;<br>
> > <br>
> > #============= policykit_t ============== allow policykit_t var_auth_t:dir<br>
> > search; allow policykit_t var_auth_t:sock_file write;<br>
> > <br>
> > #============= postfix_pickup_t ============== allow postfix_pickup_t<br>
> > var_auth_t:dir search; allow postfix_pickup_t var_auth_t:sock_file write;<br>
> > allow postfix_pickup_t qasd_t:unix_stream_socket connectto;<br>
> > <br>
> > #============= postfix_qmgr_t ============== allow postfix_qmgr_t<br>
> > var_auth_t:dir search; allow postfix_qmgr_t var_auth_t:sock_file write;<br>
> > allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;<br>
> > <br>
> > #============= system_dbusd_t ============== allow system_dbusd_t<br>
> > var_auth_t:sock_file write; allow system_dbusd_t qasd_t:unix_stream_socket<br>
> > connectto;<br>
> > <br>
> > #============= xdm_dbusd_t ============== allow xdm_dbusd_t var_auth_t:dir<br>
> > search; allow xdm_dbusd_t var_auth_t:sock_file write; allow xdm_dbusd_t<br>
> > qasd_t:unix_stream_socket connectto;<br>
> > <br>
> > #============= xdm_t ============== allow xdm_t qasd_t:unix_stream_socket<br>
> > connectto;<br>
> > <br>
> > # audit(1392243009.026:13): #<br>
> > scontext="system_u:system_r:postfix_qmgr_t:s0"<br>
> > tcontext="system_u:system_r:qasd_t:s0" # class="unix_stream_socket"<br>
> > perms="connectto" # comm="qmgr" exe="" path="" # message="type=AVC<br>
> > msg=audit(1392243009.026:13): avc: denied { connectto } # for pid=1674<br>
> > comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock" #<br>
> > scontext=system_u:system_r:postfix_qmgr_t:s0 #<br>
> > tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"<br>
> > <br>
> > I am also seeing the reverse of this with fifo_files (grant myself write,<br>
> > getattr access) to an unknown domain.<br>
> > <br>
> > allow qasd_t httpd_t:fifo_file { write getattr }; allow qasd_t<br>
> > policykit_t:fifo_file { write getattr }; allow qasd_t<br>
> > postfix_pickup_t:fifo_file { write getattr }; allow qasd_t<br>
> > postfix_qmgr_t:fifo_file { write getattr }; allow qasd_t<br>
> > xdm_dbusd_t:fifo_file { write getattr };<br>
> > <br>
> > audit(1392243659.181:125): # scontext="system_u:system_r:qasd_t:s0"<br>
> > tcontext="unconfined_u:system_r:httpd_t:s0" # class="fifo_file"<br>
> > perms="write" # comm=".qasd" exe="" path="" # message="type=AVC<br>
> > msg=audit(1392243659.181:125): avc: denied { write } for # pid=1270<br>
> > comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222 #<br>
> > scontext=system_u:system_r:qasd_t:s0 #<br>
> > tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file<br>
> <br>
> On all SELinux systems you can allow all domains to do this by allowing 'domain'.<br>
> <br>
> So you want to create an interface qasd_stream_connect, and then call it with<br>
> domain<br>
> <br>
> qasd_stream_connect(domain)<br>
> <br>
> On newer systems from Fedora/RHEL7, you could use the attribute<br>
> nsswitch_domain which is all domains that call getpw*<br>
> <br>
> <br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v1<br>
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/<br>
> <br>
> iEYEARECAAYFAlL81l4ACgkQrlYvE4MpobOmWgCfVL18uFl6fsJc6XO1pc+3JGaj<br>
> 5coAnjeNwapBdJxh3UtNh0/mebQAWCYx<br>
> =SXXd<br>
> -----END PGP SIGNATURE-----<br>
</div></div></body>
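What the quoted advice looks like as a refpolicy-style module, as an added example that is not code from the thread or from the vasd/qasd product: a qasd_stream_connect interface built from the standard stream_connect_pattern macro, called once with the domain attribute (or, on Fedora/RHEL7 and later, the narrower nsswitch_domain attribute), which replaces the per-domain rules audit2allow produced above. The module name qasd, the types qasd_exec_t and qasd_var_auth_t (the poster's intended label), the split into .if/.te/.fc files and the file-context line for /var/opt/quest/vas/vasd are assumptions made for the example.

```m4
# --- qasd.if (interface file; names are assumed for this example) ---
## <summary>
##	Connect to qasd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to connect.</summary>
## </param>
interface(`qasd_stream_connect',`
	gen_require(`
		type qasd_t, qasd_var_auth_t;
	')

	# search /var and /var/opt on the way to the socket directory
	files_search_var($1)
	# dir search + sock_file write + unix_stream_socket connectto,
	# i.e. exactly the three rules audit2allow produced per domain
	stream_connect_pattern($1, qasd_var_auth_t, qasd_var_auth_t, qasd_t)
')

# --- qasd.te (only the parts relevant to the socket) ---
policy_module(qasd, 1.0.0)

gen_require(`
	attribute domain;
	# attribute nsswitch_domain;   # Fedora/RHEL7 and newer only
')

type qasd_t;
type qasd_exec_t;
init_daemon_domain(qasd_t, qasd_exec_t)

# label for /var/opt/quest/vas/vasd and the socket inside it
type qasd_var_auth_t;
files_type(qasd_var_auth_t)

# the daemon itself creates and removes its socket file
files_search_var(qasd_t)
manage_sock_files_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)

# Every process in a domain may connect (the broad option from the reply).
qasd_stream_connect(domain)

# Narrower alternative on Fedora/RHEL7+: only domains that call getpw*.
# qasd_stream_connect(nsswitch_domain)

# The reverse direction from the second set of denials: qasd writes to a
# pipe inherited from whichever client ran it. The same attribute-based
# generalisation replaces the per-domain fifo_file rules.
allow qasd_t domain:fifo_file { write getattr };

# --- qasd.fc ---
/var/opt/quest/vas/vasd(/.*)?	gen_context(system_u:object_r:qasd_var_auth_t,s0)
```

Build and load it with the stock policy devel Makefile (make -f /usr/share/selinux/devel/Makefile qasd.pp, then semodule -i qasd.pp and restorecon -Rv /var/opt/quest/vas/vasd). To confirm the attribute call covers a domain that was previously denied, query the loaded policy rather than waiting for the next AVC: sesearch --allow -s httpd_t -t qasd_t -c unix_stream_socket -p connectto should list the rule, with domain as the source. Granting domain is deliberately the widest choice; nsswitch_domain is the one to prefer where the policy version provides it, since the socket is only meant for callers doing name-service lookups.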
</html>