<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><div>Thanks,<br>
<br>
I am currently doing something similar to that and I didn't know if that was considered too open.<br>
<br>
&gt; Date: Thu, 13 Feb 2014 09:27:42 -0500<br>
&gt; From: dwalsh@redhat.com<br>
&gt; To: swazup@hotmail.com; selinux@lists.fedoraproject.org<br>
&gt; Subject: Re: How do I generically allow access to a single socket file<br>
&gt; <br>
&gt; -----BEGIN PGP SIGNED MESSAGE-----<br>
&gt; Hash: SHA1<br>
&gt; <br>
&gt; On 02/12/2014 05:51 PM, Jayson Hurst wrote:<br>
&gt; &gt; All of the following audit messages are connected to the file:<br>
&gt; &gt; <br>
&gt; &gt; /var/opt/quest/vas/vasd/.vasd40_ipc_sock<br>
&gt; &gt; <br>
&gt; &gt; What is the preferred way to grant the appropriate access to the file when<br>
&gt; &gt; the domain that is going to need access to it is unknown? The context type<br>
&gt; &gt; when I am done will probably be qasd_var_auth_t, although I am not sure<br>
&gt; &gt; that matters at this point.<br>
&gt; &gt; <br>
&gt; &gt; #============= hald_t ==============<br>
&gt; &gt; allow hald_t var_auth_t:sock_file write;<br>
&gt; &gt; <br>
&gt; &gt; #============= httpd_t ==============<br>
&gt; &gt; allow httpd_t var_auth_t:dir search;<br>
&gt; &gt; allow httpd_t var_auth_t:sock_file write;<br>
&gt; &gt; <br>
&gt; &gt; #============= policykit_t ==============<br>
&gt; &gt; allow policykit_t var_auth_t:dir search;<br>
&gt; &gt; allow policykit_t var_auth_t:sock_file write;<br>
&gt; &gt; <br>
&gt; &gt; #============= postfix_pickup_t ==============<br>
&gt; &gt; allow postfix_pickup_t var_auth_t:dir search;<br>
&gt; &gt; allow postfix_pickup_t var_auth_t:sock_file write;<br>
&gt; &gt; allow postfix_pickup_t qasd_t:unix_stream_socket connectto;<br>
&gt; &gt; <br>
&gt; &gt; #============= postfix_qmgr_t ==============<br>
&gt; &gt; allow postfix_qmgr_t var_auth_t:dir search;<br>
&gt; &gt; allow postfix_qmgr_t var_auth_t:sock_file write;<br>
&gt; &gt; allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;<br>
&gt; &gt; <br>
&gt; &gt; #============= system_dbusd_t ==============<br>
&gt; &gt; allow system_dbusd_t var_auth_t:sock_file write;<br>
&gt; &gt; allow system_dbusd_t qasd_t:unix_stream_socket connectto;<br>
&gt; &gt; <br>
&gt; &gt; #============= xdm_dbusd_t ==============<br>
&gt; &gt; allow xdm_dbusd_t var_auth_t:dir search;<br>
&gt; &gt; allow xdm_dbusd_t var_auth_t:sock_file write;<br>
&gt; &gt; allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;<br>
&gt; &gt; <br>
&gt; &gt; #============= xdm_t ==============<br>
&gt; &gt; allow xdm_t qasd_t:unix_stream_socket connectto;<br>
&gt; &gt; <br>
&gt; &gt; # audit(1392243009.026:13):<br>
&gt; &gt; #  scontext="system_u:system_r:postfix_qmgr_t:s0" tcontext="system_u:system_r:qasd_t:s0"<br>
&gt; &gt; #  class="unix_stream_socket" perms="connectto"<br>
&gt; &gt; #  comm="qmgr" exe="" path=""<br>
&gt; &gt; #  message="type=AVC msg=audit(1392243009.026:13): avc:  denied  { connectto }<br>
&gt; &gt; #   for  pid=1674 comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"<br>
&gt; &gt; #   scontext=system_u:system_r:postfix_qmgr_t:s0<br>
&gt; &gt; #   tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"<br>
&gt; &gt; <br>
&gt; &gt; I am also seeing the reverse of this with fifo_files (grant myself write,<br>
&gt; &gt; getattr access) to an unknown domain.<br>
&gt; &gt; <br>
&gt; &gt; allow qasd_t httpd_t:fifo_file { write getattr };<br>
&gt; &gt; allow qasd_t policykit_t:fifo_file { write getattr };<br>
&gt; &gt; allow qasd_t postfix_pickup_t:fifo_file { write getattr };<br>
&gt; &gt; allow qasd_t postfix_qmgr_t:fifo_file { write getattr };<br>
&gt; &gt; allow qasd_t xdm_dbusd_t:fifo_file { write getattr };<br>
&gt; &gt; <br>
&gt; &gt; audit(1392243659.181:125):<br>
&gt; &gt; #  scontext="system_u:system_r:qasd_t:s0" tcontext="unconfined_u:system_r:httpd_t:s0"<br>
&gt; &gt; #  class="fifo_file" perms="write"<br>
&gt; &gt; #  comm=".qasd" exe="" path=""<br>
&gt; &gt; #  message="type=AVC msg=audit(1392243659.181:125): avc:  denied  { write } for<br>
&gt; &gt; #   pid=1270 comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222<br>
&gt; &gt; #   scontext=system_u:system_r:qasd_t:s0<br>
&gt; &gt; #   tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file<br>
&gt; <br>
&gt; On all SELinux systems you can allow all domains to do this by allowing 'domain'.<br>
&gt; <br>
&gt; So you want to create an interface qasd_stream_connect, and then call it with<br>
&gt; domain:<br>
&gt; <br>
&gt; qasd_stream_connect(domain)<br>
&gt; <br>
&gt; On newer systems from Fedora/RHEL7, you could use the attribute<br>
&gt; nsswitch_domain, which is all domains that call getpw*.<br>
&gt; <br>
&gt; <br>
&gt; -----BEGIN PGP SIGNATURE-----<br>
&gt; Version: GnuPG v1<br>
&gt; Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/<br>
&gt; <br>
&gt; iEYEARECAAYFAlL81l4ACgkQrlYvE4MpobOmWgCfVL18uFl6fsJc6XO1pc+3JGaj<br>
&gt; 5coAnjeNwapBdJxh3UtNh0/mebQAWCYx<br>
&gt; =SXXd<br>
&gt; -----END PGP SIGNATURE-----<br></div></div></body>
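As an added example (written for this page, not code from the thread or from the vasd/qasd product), here is a refpolicy-style module that applies Dan's suggestion: an interface that grants the three permissions audit2allow kept producing per client, called once on the `domain` attribute instead of once per caller, plus the reverse-direction fifo_file rule from the second set of denials. The type names `qasd_t` and `qasd_var_auth_t` and the directory `/var/opt/quest/vas/vasd` are taken from the messages above; `qasd_exec_t`, the module name, and the choice of a single type for both the directory and the socket file are assumptions made here.

```selinux
# Added example, not from the mailing-list thread. Type names qasd_t and
# qasd_var_auth_t and the directory path come from the thread; qasd_exec_t,
# the module name and the single-type layout are assumptions.

# ---------------------------------------------------------------- qasd.if
## <summary>Quest Authentication Services daemon (vasd/qasd) IPC socket.</summary>

########################################
## <summary>
##	Connect to qasd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`qasd_stream_connect',`
	gen_require(`
		type qasd_t, qasd_var_auth_t;
	')

	# stream_connect_pattern(client, dir_type, sock_type, server_domain)
	# expands to the rules audit2allow listed for every client:
	#   allow $1 qasd_var_auth_t:dir search_dir_perms;
	#   allow $1 qasd_var_auth_t:sock_file write_sock_file_perms;
	#   allow $1 qasd_t:unix_stream_socket connectto;
	stream_connect_pattern($1, qasd_var_auth_t, qasd_var_auth_t, qasd_t)
')

# ---------------------------------------------------------------- qasd.fc
/var/opt/quest/vas/vasd(/.*)?	gen_context(system_u:object_r:qasd_var_auth_t,s0)

# ---------------------------------------------------------------- qasd.te
policy_module(qasd, 1.0.0)

# 'domain' is declared in the base policy, so a module that names it
# directly has to require it.
gen_require(`
	attribute domain;
')

type qasd_t;
type qasd_exec_t;
init_daemon_domain(qasd_t, qasd_exec_t)

type qasd_var_auth_t;
files_type(qasd_var_auth_t)

# The daemon owns the socket directory and creates the socket file in it.
manage_dirs_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)
manage_sock_files_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)

# Every domain may connect: one interface call replaces the per-client
# rules for hald_t, httpd_t, policykit_t, postfix_*_t, *dbusd_t, xdm_t ...
# On Fedora/RHEL 7 policy, require 'attribute nsswitch_domain;' instead
# and call qasd_stream_connect(nsswitch_domain) to limit this to the
# domains that actually call getpw*.
qasd_stream_connect(domain)

# The reverse direction from the thread: the daemon answers on a pipe
# inherited from whichever domain contacted it, so grant the same two
# permissions audit2allow listed, again against the attribute rather
# than against each caller.
allow qasd_t domain:fifo_file { getattr write };
```

With selinux-policy-devel installed the three files build and load with `make -f /usr/share/selinux/devel/Makefile qasd.pp && semodule -i qasd.pp`, followed by `restorecon -Rv /var/opt/quest/vas/vasd` so the existing socket directory picks up `qasd_var_auth_t`. The trade-off behind the question of whether this is "too open" is visible in the rule itself: once the target is the `domain` attribute, SELinux no longer restricts which process may reach the socket, so any peer checking the daemon wants (for example via SO_PEERCRED or getpeercon) has to happen in the daemon. The `nsswitch_domain` variant narrows the set of callers without going back to listing them by hand.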
</html>