On Jul 23, 2013, at 11:14 AM, Tony Scully <tonyjscully@gmail.com> wrote:

Hi Vadym,

In fact vasd just runs unconfined under selinux; the issue you have is that sshd is running in the sshd_t context, but need to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.

Quest (now Dell) do provide a policy file which allows sshd to access these files, here's the text version:


module sshdqas 1.0;

require {
        type semanage_t;
        type var_t;
        type sshd_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { read write getattr open };
}

#============= semanage_t ==============
allow semanage_t var_t:sock_file write;

#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;



Which as you can see, just allows sshd to access var_t labelled files -- might be considered too permssive?

But vasd itself should run ( and is 'supported') unconfined under selinux.



It looks like a workaround to me, not a proper policy, but at least I don’t have do disable SELinux.
I ended up with this:

module qas 1.0;

require {
        type var_auth_t;
        type sshd_t;
        type system_dbusd_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { read write getattr open };
}

allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_auth_t:file { open read write getattr };
allow sshd_t var_auth_t:sock_file write;

allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t var_auth_t:file { open read write getattr };
allow system_dbusd_t var_auth_t:sock_file write;

Thanks,
Vadym