<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/20/2014 07:41 PM, Jayson Hurst
wrote:<br>
</div>
<blockquote cite="mid:BLU172-W90D379149DB09E4F50F05D59A0@phx.gbl"
type="cite">
<div dir="ltr">I am running in permissive mode, my module is in
permissive mode.<br>
<br>
I am actually running on RHEL 6.0.<br>
<br>
So in this scenario, even though my daemon is authenticating the
user, it is not responsible for the context that the krb5cc_xxx file
gets created as?<br>
</div>
</blockquote>
<br>
What daemon? <br>
<br>
How does your local policy look?<br>
<blockquote cite="mid:BLU172-W90D379149DB09E4F50F05D59A0@phx.gbl"
type="cite">
<div dir="ltr"><br>
<div>> Date: Thu, 20 Feb 2014 12:48:53 -0500<br>
> From: <a class="moz-txt-link-abbreviated" href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a><br>
> To: <a class="moz-txt-link-abbreviated" href="mailto:swazup@hotmail.com">swazup@hotmail.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> Subject: Re: Correct way to use booleans<br>
> <br>
> On 02/20/2014 11:30 AM, Jayson Hurst wrote:<br>
> > So it sounds like booleans are meant to be set by
the admin if they need<br>
> > that sort of thing on. In the case of samba if the
admin wanted to share<br>
> > out user directories they would need to turn on a
boolean that would allow<br>
> > them to do so like samba_enable_home_dirs.<br>
> > <br>
> > I see a few different files in /tmp that are
labelled as tmp_t, but the<br>
> > ones I care about are the krb5cc_X files. If I use
kinit to generate the<br>
> > krb5cc file it is labelled as user_tmp_t, but if I
log in through<br>
> > ssh, local_login, gdm, etc. they get created as
tmp_t. Seeing that my<br>
> > daemon is responsible for Kerberos login I can only
guess that it is<br>
> > generating them incorrectly. In my SELinux module
should I have a<br>
> > transition for files created in tmp to have them
created as user_tmp_t or<br>
> > is there a better way?<br>
> > <br>
> Well, are you in permissive mode? Are you using standard
Fedora packages or<br>
> something different? Login/sshd should be creating these
files as user_tmp_t.<br>
> <br>
> <br>
> >> Date: Thu, 20 Feb 2014 08:03:44 -0500 From:
<a class="moz-txt-link-abbreviated" href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a> To:<br>
> >> <a class="moz-txt-link-abbreviated" href="mailto:swazup@hotmail.com">swazup@hotmail.com</a>;
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a> Subject: Re: Correct<br>
> >> way to use booleans<br>
> >> <br>
> > On 02/19/2014 08:20 PM, Jayson Hurst wrote:<br>
> >> audit2allow is suggesting that a boolean be
turned on.<br>
> > <br>
> >> #!!!! This avc can be allowed using the boolean
'allow_ypbind'<br>
> > <br>
> >> allow vasd_t ldap_port_t:tcp_socket name_bind;<br>
> > <br>
> >> setsebool -P allow_ypbind 1<br>
> > <br>
> >> Should this boolean be enabled via my domains
policy, or is this<br>
> >> something the system administrator should turn
on if they know they will<br>
> >> be using NIS?<br>
> > <br>
> > Only the system admin should turn this on in an NIS
environment. This is<br>
> > an incredibly permissive boolean. Allows all
processes to use any network<br>
> > port.<br>
> > <br>
> >> The same question can be asked for other things
like http and samba.<br>
> >> #!!!! This avc can be allowed using one of the
these booleans: # <br>
> >> samba_export_all_ro, samba_export_all_rw<br>
> > <br>
> >> allow smbd_t tmp_t:file getattr;<br>
> > There really should not be tmp_t files on a system.
Any idea how this file <br>
> > got created? smbd_t in permissive mode?<br>
> > <br>
> >> #!!!! This avc can be allowed using one of the
these booleans: # <br>
> >> samba_create_home_dirs, samba_export_all_rw<br>
> > <br>
> >> allow smbd_t user_home_dir_t:dir { write create
add_name };<br>
> > <br>
> >> setsebool -P samba_export_all_rw 1<br>
> > <br>
> > <br>
> > <br>
> > <br>
> > <br>
> >> -- selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a> <br>
> >>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
> > <br>
> > If a user is exporting the home dirs it would be
better to use <br>
> > samba_enable_home_dirs<br>
> > <br>
> > But if he is sharing the entire system then use
samba_export_all_rw<br>
> > <br>
> > <br>
> > <br>
> > <br>
> > <br>
> <br>
</div>
</div>
<br>
</blockquote>
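<p>The thread raises two things a policy author has to settle: why the daemon's credential caches land in /tmp as tmp_t while kinit produces user_tmp_t, and whether a module should switch on a system-wide boolean such as allow_ypbind to cover a single denial. The reason for the first is that a newly created file inherits the type of its parent directory unless a type_transition rule for the creating domain says otherwise; the login programs carry such a rule for user_tmp_t, and a daemon whose module has none inherits tmp_t from /tmp. Permissive mode does not change this, since transitions are labeling decisions, not access checks. The script below is an added example, not code from the thread or from the poster's module. It assumes the daemon domain is vasd_t, the domain shown in the quoted audit2allow output; the <code>ls -Z</code> lines are constructed, and the allow rules, module name and boolean name it generates are illustrative assumptions to be replaced by the rules audit2allow derives from your own denials. <code>corenet_tcp_bind_ldap_port</code> is the refpolicy interface for binding ldap_port_t, which is the narrow alternative to allow_ypbind.</p>

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the daemon runs in domain vasd_t,
# the one shown in the quoted audit2allow output, and that credential caches are
# /tmp/krb5cc_*. The allow rules below are illustrative assumptions; take the real
# ones from audit2allow on the denials your daemon actually produces.

# Constructed sample of `ls -Z /tmp` output (RHEL 6 column layout), not captured
# from a real host. Two of the caches carry the parent directory's type, tmp_t.
SAMPLE_LS_Z='-rw-------. jhurst jhurst unconfined_u:object_r:user_tmp_t:s0 krb5cc_1000
-rw-------. alice  alice  system_u:object_r:tmp_t:s0 krb5cc_1001
-rw-------. bob    bob    system_u:object_r:tmp_t:s0 krb5cc_1002_XYZ
drwx------. root   root   system_u:object_r:tmp_t:s0 .X11-unix'

# Read `ls -Z` output on stdin and print every krb5cc_* file whose SELinux type
# is not user_tmp_t. The context is column 4 and the type is its third
# colon-separated field. Live use: ls -Z /tmp | find_mislabelled_ccaches
find_mislabelled_ccaches() {
    awk '$5 ~ /^krb5cc_/ {
        split($4, ctx, ":")
        if (ctx[3] != "user_tmp_t") print $5
    }'
}

# Emit .te source for a local module. A newly created file inherits the type
# of its parent directory unless a type_transition rule says otherwise, which is
# why a daemon writing into /tmp (tmp_t) ends up with tmp_t caches. The module
# also declares its own boolean, default off, for the LDAP port bind instead of
# the system-wide allow_ypbind that audit2allow proposed. The module name and
# boolean name are derived from the domain and are assumptions of this example.
emit_local_te() {
    domain="$1"
    name="${domain%_t}"
    sed -e "s/@DOMAIN@/$domain/g" -e "s/@NAME@/$name/g" <<'EOF'
policy_module(@NAME@_local, 1.0)

require {
    type @DOMAIN@;
    type tmp_t;
    type user_tmp_t;
}

########################################
#
# Files @DOMAIN@ creates inside tmp_t directories become user_tmp_t
# instead of inheriting tmp_t. Permissions listed here are illustrative.
#
type_transition @DOMAIN@ tmp_t:file user_tmp_t;
allow @DOMAIN@ tmp_t:dir { getattr search write add_name remove_name };
allow @DOMAIN@ user_tmp_t:file { create open read write getattr setattr unlink };

########################################
#
# Module-specific boolean, off by default, so the admin opts in to the
# LDAP port bind without enabling the far broader allow_ypbind.
# corenet_tcp_bind_ldap_port is the refpolicy interface for ldap_port_t.
#
gen_tunable(@NAME@_bind_ldap_port, false)

tunable_policy(`@NAME@_bind_ldap_port', `
    corenet_tcp_bind_ldap_port(@DOMAIN@)
')
EOF
}

# Demonstration on the constructed sample, then the generated module source.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled_ccaches
emit_local_te vasd_t
```

<p>On the constructed sample the checker reports krb5cc_1001 and krb5cc_1002_XYZ. The generated rules can go into the daemon's existing module rather than a second one; either way, build with <code>make -f /usr/share/selinux/devel/Makefile</code> (selinux-policy-devel on RHEL 6), load with <code>semodule -i</code>, and switch the bind on with <code>setsebool -P vasd_bind_ldap_port on</code> only on hosts that need it. The transition applies to files created after the module is loaded; caches that already sit in /tmp as tmp_t keep that label, so re-run <code>ls -Z /tmp</code> after a fresh login to confirm the fix rather than trusting the old files.</p>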
<br>
</body>
</html>