On 07/23/2013 11:14 AM, Tony Scully wrote:
Hi Vadym,
In fact vasd just runs unconfined under SELinux; the issue you have is that sshd is running in the sshd_t context, but needs to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.
Quest (now Dell) do provide a policy file which allows sshd to access these files; here's the text version:

module sshdqas 1.0;

require {
	type semanage_t;
	type var_t;
	type sshd_t;
	type initrc_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file { read write getattr open };
}

#============= semanage_t ==============
allow semanage_t var_t:sock_file write;

#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;

Well, in Fedora these should be labeled var_auth_t.
restorecon -R -v /var/opt
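
An added example, not part of the original message or of Quest's policy: a small parser that merges the allow rules of the quoted sshdqas module and lists what they grant sshd_t on types that are not specific to the vasd files, which is the access that a dedicated label such as var_auth_t would narrow. The `BROAD_TYPES` set and the function names are assumptions made for this example.

```python
import re

# Allow rules copied from the sshdqas module quoted in the message.
POLICY = """
#============= semanage_t ==============
allow semanage_t var_t:sock_file write;
#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;
"""

# Assumption for this example: types that cover far more than the vasd files.
# var_t is the default label under /var; initrc_t is shared by init-script services.
BROAD_TYPES = {"var_t", "initrc_t"}

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text):
    """Merge allow rules into {(source, target, class): set_of_permissions}."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments to end of line
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return rules


def broad_grants(rules, source):
    """Return the grants that give `source` access to a broad target type."""
    return {key: perms for key, perms in rules.items()
            if key[0] == source and key[1] in BROAD_TYPES}


def report(rules, source):
    """One line per broad grant, sorted for stable output."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(broad_grants(rules, source).items())]


if __name__ == "__main__":
    for line in report(parse_allow_rules(POLICY), "sshd_t"):
        print(line)
```

Every line it prints is access that applies to all objects of that type on the system, not only to those under /var/opt/quest/vas.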