audit2allow is suggesting that a boolean be turned on.

    #!!!! This avc can be allowed using the boolean 'allow_ypbind'
    allow vasd_t ldap_port_t:tcp_socket name_bind;
    setsebool -P allow_ypbind 1

Should this boolean be enabled via my domain's policy, or is this something the system administrator should turn on if they know they will be using NIS?

The same question can be asked for other things like http and samba.

    #!!!! This avc can be allowed using one of these booleans:
    # samba_export_all_ro, samba_export_all_rw
    allow smbd_t tmp_t:file getattr;

    #!!!! This avc can be allowed using one of these booleans:
    # samba_create_home_dirs, samba_export_all_rw
    allow smbd_t user_home_dir_t:dir { write create add_name };
    setsebool -P samba_export_all_rw 1
On 02/19/2014 08:20 PM, Jayson Hurst wrote:
> audit2allow is suggesting that a boolean be turned on.
>
>     #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>     allow vasd_t ldap_port_t:tcp_socket name_bind;
>     setsebool -P allow_ypbind 1
>
> Should this boolean be enabled via my domain's policy, or is this something the system administrator should turn on if they know they will be using NIS?

Only the system admin should turn this on in an NIS environment. This is an incredibly permissive boolean. Allows all processes to use any network port.

> The same question can be asked for other things like http and samba.
>
>     #!!!! This avc can be allowed using one of these booleans:
>     # samba_export_all_ro, samba_export_all_rw
>     allow smbd_t tmp_t:file getattr;

There really should not be tmp_t files on a system. Any idea how this file got created? smbd_t in permissive mode?

>     #!!!! This avc can be allowed using one of these booleans:
>     # samba_create_home_dirs, samba_export_all_rw
>     allow smbd_t user_home_dir_t:dir { write create add_name };
>     setsebool -P samba_export_all_rw 1

If a user is exporting the home dirs it would be better to use samba_enable_home_dirs. But if he is sharing the entire system then use samba_export_all_rw.

-- 
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
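Dan's answers come down to one rule: a domain's policy module grants what the daemon needs, and may make some of that conditional on a boolean, but it never turns a boolean on; that is the administrator's call with setsebool -P. The module below is an added example written for this page, not code from the thread or from the vasd daemon's own policy. vasd_t and ldap_port_t are taken from the audit2allow output above; the module name vasd, the entry-point type vasd_exec_t and the tunable vasd_read_user_home are assumed for illustration. It uses the refpolicy macro dialect that RHEL 6 and Fedora policy modules are written in, so it is built with the policy devel Makefile.

```m4
# vasd.te -- added example, not the vasd project code.
# vasd_t comes from the audit2allow output in the thread; the module
# name "vasd", vasd_exec_t and the tunable vasd_read_user_home are
# assumptions made for this illustration.
policy_module(vasd, 1.0.0)

type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

# (a) Narrow, unconditional grant. If the daemon genuinely has to bind()
#     to the LDAP port, say exactly that. It covers the denial audit2allow
#     reported without enabling allow_ypbind, which opens far more than
#     one port for every domain that calls nis_use_ypbind().
corenet_tcp_bind_generic_node(vasd_t)
corenet_tcp_bind_ldap_port(vasd_t)

# (b) Rules conditioned on a boolean the base policy already defines.
#     nis_use_ypbind() wraps the NIS client rules in
#     tunable_policy(allow_ypbind, ...), so they are linked into the
#     policy but stay inert until the administrator runs
#     "setsebool -P allow_ypbind 1". The module ships the conditional
#     rules; it never sets the boolean itself.
optional_policy(`
	nis_use_ypbind(vasd_t)
')

# (c) A boolean belonging to this module, for access only some sites
#     want, built the way samba_enable_home_dirs is: declared off, the
#     administrator turns it on. The ## <desc> block is the refpolicy
#     convention for documenting a tunable.
## <desc>
## <p>
## Allow vasd to read files in user home directories.
## </p>
## </desc>
gen_tunable(vasd_read_user_home, false)

tunable_policy(`vasd_read_user_home',`
	userdom_read_user_home_content_files(vasd_t)
')
```

Build with `make -f /usr/share/selinux/devel/Makefile vasd.pp` and load with `semodule -i vasd.pp`. Afterwards `sesearch --allow -s vasd_t -t ldap_port_t -c tcp_socket` shows the unconditional rule from (a), `sesearch --allow -s vasd_t -b allow_ypbind -C` shows the rules from (b) together with the boolean they depend on, and `getsebool vasd_read_user_home` reports the new tunable off. None of that changes until an administrator runs setsebool -P, which is the division of labour Dan describes: the policy author decides what is possible, the administrator decides what is enabled.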
So it sounds like booleans are meant to be set by the admin if they need that sort of thing on. In the case of samba if the admin wanted to share out user directories they would need to turn on a boolean that would allow them to do so like samba_enable_home_dirs.
I see a few different files in /tmp that are labelled as tmp_t, but the ones I care about are the krb5cc_X files. If I use kinit to generate the krb5cc file it is labelled as user_tmp_t, but if I login through ssh, local_login, gdm, etc. they get created as tmp_t. Seeing that my daemon is responsible for kerberos login I can only guess that it is generating them incorrectly. In my SELinux module should I have a transition for files created in tmp to have them created as user_tmp_t, or is there a better way?
> Date: Thu, 20 Feb 2014 08:03:44 -0500
> From: dwalsh@redhat.com
> To: swazup@hotmail.com; selinux@lists.fedoraproject.org
> Subject: Re: Correct way to use booleans
On 02/20/2014 11:30 AM, Jayson Hurst wrote:
> So it sounds like booleans are meant to be set by the admin if they need that sort of thing on. In the case of samba if the admin wanted to share out user directories they would need to turn on a boolean that would allow them to do so like samba_enable_home_dirs.
>
> I see a few different files in /tmp that are labelled as tmp_t, but the ones I care about are the krb5cc_X files. If I use kinit to generate the krb5cc file it is labelled as user_tmp_t, but if I login through ssh, local_login, gdm, etc. they get created as tmp_t. Seeing that my daemon is responsible for kerberos login I can only guess that it is generating them incorrectly. In my SELinux module should I have a transition for files created in tmp to have them created as user_tmp_t, or is there a better way?

Well are you in permissive mode? Are you using standard Fedora packages or something different? Login/sshd should be creating these files as user_tmp_t.
I am running in permissive mode, my module is in permissive mode.
I am actually running on RHEL 6.0.
So in this scenario even though my daemon is authenticating the user it is not responsible for context that the krb5cc_xxx file gets created as?
> Date: Thu, 20 Feb 2014 12:48:53 -0500
> From: dwalsh@redhat.com
> To: swazup@hotmail.com; selinux@lists.fedoraproject.org
> Subject: Re: Correct way to use booleans
On 02/20/2014 01:41 PM, Jayson Hurst wrote:
> I am running in permissive mode, my module is in permissive mode.
>
> I am actually running on RHEL 6.0.
>
> So in this scenario even though my daemon is authenticating the user it is not responsible for context that the krb5cc_xxx file gets created as?

The login daemons should be creating this file with the correct context. user_tmp_t.
I see the same thing on RHEL 6.5.
So should I assume this is a bug in SELinux/OS? Even so, is there a way that I can work around it? Would there be anything wrong with transitioning files I create in tmp from tmp_t to user_tmp_t?
> Date: Thu, 20 Feb 2014 14:21:55 -0500
> From: dwalsh@redhat.com
> To: swazup@hotmail.com; selinux@lists.fedoraproject.org
> Subject: Re: Correct way to use booleans
I have something like the following in my domain's interface file:

    gen_require(`
        type httpd_t;
        ...
    ')

    read_files_pattern(httpd_t, var_t, var_auth_t)

When I try to compile the module and install it with semodule I see the following error:

    global requirements were not met: type/attribute httpd_t (No such file or directory).
    libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

I also see the same type of error when I try to use the nis interface call:

    nis_list_var_yp

    global requirements were not met: type/attribute var_yp_t (No such file or directory).
    libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

Any suggestions as to what I am missing?
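Two of the open questions in this thread, whether vasd_t should carry a type transition so the credential caches it writes in /tmp come out as user_tmp_t rather than tmp_t, and why a gen_require on httpd_t or var_yp_t fails to link, have the same shape of answer in refpolicy, so one added example covers both. This is illustration written for this page, not the thread's code or the vasd project's policy: vasd_t, var_auth_t, httpd_t, var_yp_t and user_tmp_t are named in the thread; the module name vasd and vasd_exec_t are assumed. Rules like these belong in the module's .te file; the .if file is for interfaces that other modules call.

```m4
# vasd.te -- added example, not the vasd project code.
# vasd_t, var_auth_t, httpd_t, var_yp_t and user_tmp_t are named in the
# thread; the module name "vasd" and vasd_exec_t are assumptions.
policy_module(vasd, 1.0.0)

type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

type var_auth_t;
files_type(var_auth_t)

# Credential caches in /tmp.
# A file created in /tmp inherits tmp_t from the directory unless the
# creating domain has a type transition. So if it is vasd_t, and not
# sshd_t or local_login_t, that actually writes /tmp/krb5cc_*, this is
# what gives those files user_tmp_t: the label kinit produces and the
# one user domains are allowed to read and delete.
userdom_manage_user_tmp_files(vasd_t)
userdom_tmp_filetrans_user_tmp(vasd_t, file)
# If the installed policy lacks userdom_tmp_filetrans_user_tmp() (check
# /usr/share/selinux/devel/include/system/userdomain.if), the equivalent
# is files_tmp_filetrans(vasd_t, user_tmp_t, file) after a gen_require
# for user_tmp_t.
# Caveat: every file vasd_t creates in /tmp now gets user_tmp_t, so keep
# this only if credential caches are all it writes there.

optional_policy(`
	kerberos_use(vasd_t)
')

# Types declared by modules that may not be loaded.
# "global requirements were not met: type/attribute httpd_t" means the
# policy being linked on this host has no httpd_t. A gen_require() at the
# top level of a module is a hard dependency; inside optional_policy()
# the same require becomes optional, and the whole block is dropped,
# without error, when the apache module is absent.
optional_policy(`
	gen_require(`
		type httpd_t;
	')
	files_search_var(httpd_t)
	read_files_pattern(httpd_t, var_auth_t, var_auth_t)
')

# Likewise for var_yp_t, which the nis module declares.
optional_policy(`
	nis_list_var_yp(vasd_t)
')
```

A transition in vasd_t only matters if vasd_t is the process that creates /tmp/krb5cc_*; `ps -eZ` and the AVC records (`ausearch -m avc -ts recent`) show which domain did, and since both the module and the system here are permissive, those records are the only evidence. Files that already exist keep tmp_t after the module is loaded; only newly created ones get the transition, so remove the old caches before checking with `ls -Z /tmp/krb5cc_*`. For the optional blocks, `semodule -l` shows which modules, and so which types, the host actually has; with the apache module loaded, `sesearch --allow -s httpd_t -t var_auth_t` returns the rule after `semodule -i vasd.pp`, and with it absent the module still links and the rule is simply not present, which is exactly what a bare gen_require refuses to do.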
On 02/20/2014 07:41 PM, Jayson Hurst wrote:
> I am running in permissive mode, my module is in permissive mode.
>
> I am actually running on RHEL 6.0.
>
> So in this scenario even though my daemon is authenticating the user it is not responsible for context that the krb5cc_xxx file gets created as?

What daemon?

How does your local policy look?