On Wed, 2010-03-03 at 18:10 -0500, Scott Salley wrote:
I’d like to thank the mailing list inhabitants for all the help you’ve given me. So, Thanks!
I modified the targeted policy for Fedora 12 and got Likewise Open to
install, join Active Directory, and allow users to authenticate
without any problems! The problem is, I’m not quite sure what some of
the rules do and whether they are necessary.
For example, I patched the authentication daemon (lsassd) to properly
set up the user’s home directory and I’m using matchpathcon(3) and
setfilecon(3). At first, matchpathcon would fail but I could find *no*
messages indicating a problem.
Use semodule -DB, as described in:
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-...
And later revert with semodule -B.
I finally copied a block of rules from another policy and that
worked.
The rules I copied are:
selinux_get_fs_mount(lsassd_t)
selinux_validate_context(lsassd_t)
selinux_compute_access_vector(lsassd_t)
selinux_compute_create_context(lsassd_t)
selinux_compute_relabel_context(lsassd_t)
selinux_compute_user_contexts(lsassd_t)
I don't think you need any of the selinux_compute_* interfaces.
Now I could try things one by one and see what works and what doesn’t,
but I have some other rule blocks where I have the same type of
problem and then a combinatorial explosion gets involved. I have also
tried looking things up online, but pages like this
(http://www.softeh.ro/doc/selinux-policy-2.2.23/html/kernel_selinux.html) did not really
help me for many of the rules.
What have I missed? Is there another level of logging I could turn on
somewhere?
Yes, semodule -DB.
--
Stephen Smalley
National Security Agency
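As an added example that is not part of the thread: once `semodule -DB` has switched the dontaudit rules off, the denials that were silent before show up as AVC records in the audit log, and the question of which rules a domain actually needs can be answered from those records rather than by trial and error. The script below is a minimal reimplementation of the grouping that audit2allow performs, run over a constructed sample of what denials for lsassd_t might look like (the sample is made up for this example, not taken from the poster's system); it groups each (target type, object class) pair with the permissions denied on it and renders raw allow rules, which in a real module would then be replaced by the matching policy interfaces.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not from the thread): what AVC records for
# lsassd_t could look like after `semodule -DB` has disabled dontaudit rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1267654321.101:42): avc:  denied  { read } for  pid=1234 comm="lsassd" name="file_contexts" dev=dm-0 ino=9001 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1267654321.102:43): avc:  denied  { getattr } for  pid=1234 comm="lsassd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=AVC msg=audit(1267654321.250:44): avc:  denied  { relabelto } for  pid=1234 comm="lsassd" name="jdoe" dev=dm-0 ino=12345 scontext=system_u:system_r:lsassd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1267654321.300:45): avc:  denied  { write } for  pid=999 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')


def parse_avc(line):
    """Return {perms, stype, ttype, tclass} for one AVC denial line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    # A context is user:role:type:level; the type is the third field.
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text, source_type):
    """Group the denials of one source domain: (target type, class) -> set of permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["stype"] == source_type:
            needed[(rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(needed)


def candidate_rules(log_text, source_type):
    """Render each group as a raw allow rule, one per (target type, class)."""
    rules = []
    for (ttype, tclass), perms in sorted(summarize_denials(log_text, source_type).items()):
        rules.append(f"allow {source_type} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_AUDIT_LOG, "lsassd_t")))
```

On a real system the input would come from `ausearch -m avc -ts recent` or /var/log/audit/audit.log, collected between `semodule -DB` and `semodule -B`; each raw rule is then a pointer to the interface (for example, a denial on security_t:filesystem corresponds to selinux_get_fs_mount) rather than something to paste into the module as-is.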