On Jul 23, 2013, at 11:14 AM, Tony Scully tonyjscully@gmail.com wrote:
Hi Vadym,
In fact vasd just runs unconfined under SELinux; the issue you have is that sshd is running in the sshd_t context but needs to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.
Quest (now Dell) do provide a policy file which allows sshd to access these files, here's the text version:
    module sshdqas 1.0;

    require {
        type semanage_t;
        type var_t;
        type sshd_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { read write getattr open };
    }

    #============= semanage_t ==============
    allow semanage_t var_t:sock_file write;

    #============= sshd_t ==============
    allow sshd_t initrc_t:unix_stream_socket connectto;
    allow sshd_t var_t:file open;
    allow sshd_t var_t:file { read write getattr };
    allow sshd_t var_t:sock_file write;
Which, as you can see, just allows sshd to access var_t-labelled files -- might be considered too permissive?
But vasd itself should run (and is 'supported') unconfined under SELinux.
It looks like a workaround to me, not a proper policy, but at least I don't have to disable SELinux. I ended up with this:
    module qas 1.0;

    require {
        type var_auth_t;
        type sshd_t;
        type system_dbusd_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { read write getattr open };
    }

    allow sshd_t initrc_t:unix_stream_socket connectto;
    allow sshd_t var_auth_t:file { open read write getattr };
    allow sshd_t var_auth_t:sock_file write;

    allow system_dbusd_t initrc_t:unix_stream_socket connectto;
    allow system_dbusd_t var_auth_t:file { open read write getattr };
    allow system_dbusd_t var_auth_t:sock_file write;
Thanks, Vadym
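The two modules above differ mainly in what they target: the vendor policy grants sshd access to anything labelled var_t, while the rewritten one is scoped to var_auth_t. The following added example (not from either poster, and not a Quest/Dell tool) is a small linter for .te source that parses the module, require and allow statements and reports two things a reviewer checks before loading a module: types, classes or permissions an allow rule uses without declaring them in the require block (checkmodule refuses to compile those), and allow rules whose target is a broad catch-all label such as var_t. The BROAD_TYPES list and the third, deliberately incomplete module are constructed for the demonstration; the first two are the modules quoted in the thread.

```python
"""Static checks on SELinux policy module (.te) source (example linter)."""
import re
from dataclasses import dataclass, field

# Generic labels that cover far more than one service's files (constructed list).
BROAD_TYPES = {"var_t", "var_lib_t", "etc_t", "usr_t", "tmp_t"}


@dataclass
class Module:
    name: str
    types: set = field(default_factory=set)
    classes: dict = field(default_factory=dict)  # class name -> declared perms
    allows: list = field(default_factory=list)   # (source, target, class, perms)


def _braced(src, pos):
    """Return (inner text, index after '}') for the brace group starting at src[pos]."""
    depth = 0
    for i in range(pos, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[pos + 1:i], i + 1
    raise ValueError("unbalanced braces in policy source")


def _perm_set(tokens):
    return {t for t in tokens if t not in ("{", "}")}


def parse_te(source):
    src = re.sub(r"#[^\n]*", "", source)                      # drop comments
    m = re.search(r"\bmodule\s+(\S+)\s+[\d.]+\s*;", src)
    mod = Module(name=m.group(1) if m else "?")
    start = src.find("require")
    if start >= 0:
        body, end = _braced(src, src.index("{", start))
        src = src[:start] + src[end:]                          # keep only the rules
        for stmt in body.split(";"):
            tokens = re.split(r"[\s,]+", stmt.strip())         # 'type a, b;' also allowed
            if tokens[0] == "type":
                mod.types.update(t for t in tokens[1:] if t)
            elif tokens[0] == "class":
                mod.classes.setdefault(tokens[1], set()).update(_perm_set(tokens[2:]))
    for stmt in src.split(";"):
        r = re.match(r"\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(.+)", stmt, re.S)
        if r:
            mod.allows.append((r.group(1), r.group(2), r.group(3), _perm_set(r.group(4).split())))
    return mod


def lint(mod):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for src_t, tgt_t, cls, perms in mod.allows:
        rule = f"allow {src_t} {tgt_t}:{cls}"
        for t in (src_t, tgt_t):
            if t not in mod.types:
                findings.append(f"{rule}: type {t} not declared in require")
        if cls not in mod.classes:
            findings.append(f"{rule}: class {cls} not declared in require")
        else:
            missing = sorted(perms - mod.classes[cls])
            if missing:
                findings.append(f"{rule}: permission(s) {' '.join(missing)} not declared in require")
        if tgt_t in BROAD_TYPES:
            findings.append(f"{rule}: target {tgt_t} is a broad label; prefer the service's own type")
    return findings


VENDOR_TE = """module sshdqas 1.0;
require { type semanage_t; type var_t; type sshd_t; type initrc_t; class sock_file write;
          class unix_stream_socket connectto; class file { read write getattr open }; }
#============= semanage_t ==============
allow semanage_t var_t:sock_file write;
#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;
"""

NARROWED_TE = """module qas 1.0;
require { type var_auth_t; type sshd_t; type system_dbusd_t; type initrc_t; class sock_file write;
          class unix_stream_socket connectto; class file { read write getattr open }; }
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_auth_t:file { open read write getattr };
allow sshd_t var_auth_t:sock_file write;
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t var_auth_t:file { open read write getattr };
allow system_dbusd_t var_auth_t:sock_file write;
"""

# Constructed: the require block forgets two of the permissions the rule uses.
BROKEN_TE = """module broken 1.0;
require { type sshd_t; type var_auth_t; class file { read open }; }
allow sshd_t var_auth_t:file { open read write getattr };
"""

if __name__ == "__main__":
    for te in (VENDOR_TE, NARROWED_TE, BROKEN_TE):
        mod = parse_te(te)
        print(mod.name, lint(mod) or ["no findings"])
```

Run against the thread's two modules, the linter reports four "broad label" findings for the vendor policy and none for the var_auth_t version; against the constructed module it reports the permissions that checkmodule would reject. It only reads the source text, so it says nothing about whether the target directory is actually labelled var_auth_t on a given host; that still needs checking with the file-context tools on the machine itself.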