On 22.02.2014 at 16:14, selinux-request(a)lists.fedoraproject.org wrote:
> Send selinux mailing list submissions to
> selinux(a)lists.fedoraproject.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> or, via email, send a message with subject or body 'help' to
> selinux-request(a)lists.fedoraproject.org
>
> You can reach the person managing the list at
> selinux-owner(a)lists.fedoraproject.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of selinux digest..."
>
>
> Today's Topics:
>
> 1. Re: selinux Digest, Vol 120, Issue 14 (Lucrecia Trippel)
> 2. Re: selinux Digest, Vol 120, Issue 15 (Lucrecia Trippel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 22 Feb 2014 16:13:48 +0100
> From: Lucrecia Trippel <antracit2009(a)gmail.com>
> To: selinux(a)lists.fedoraproject.org
> Subject: Re: selinux Digest, Vol 120, Issue 14
> Message-ID: <31477F4C-C6DF-4598-AB74-8C2490985E74(a)gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
>
> On 20.02.2014 at 23:23, selinux-request(a)lists.fedoraproject.org wrote:
>
>> Today's Topics:
>>
>> 1. Re: Correct way to use booleans (Daniel J Walsh)
>> 2. RE: Correct way to use booleans (Jayson Hurst)
>> 3. Re: Correct way to use booleans (Daniel J Walsh)
>> 4. RE: Correct way to use booleans (Jayson Hurst)
>> 5. Re: Correct way to use booleans (Daniel J Walsh)
>> 6. Re: semanage error when upgrading to RHEL 6.5 (Daniel J Walsh)
>> 7. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>> 8. Re: semanage error when upgrading to RHEL 6.5 (Daniel J Walsh)
>> 9. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>> 10. Re: semanage error when upgrading to RHEL 6.5 (Daniel J Walsh)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 20 Feb 2014 08:03:44 -0500
>> From: Daniel J Walsh <dwalsh(a)redhat.com>
>> To: Jayson Hurst <swazup(a)hotmail.com>, "selinux(a)lists.fedoraproject.org" <selinux(a)lists.fedoraproject.org>
>> Subject: Re: Correct way to use booleans
>> Message-ID: <5305FD30.1050504(a)redhat.com>
>> Content-Type: text/plain; charset=UTF-8
>>
>>
>> On 02/19/2014 08:20 PM, Jayson Hurst wrote:
>>> Audit2Allow is suggesting that a boolean be turned on.
>>>
>>> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>>>
>>> allow vasd_t ldap_port_t:tcp_socket name_bind;
>>>
>>> setsebool -P allow_ypbind 1
>>>
>>> Should this boolean be enabled via my domains policy, or is this something
>>> the system administrator should turn on if they know they will be using
>>> NIS?
>>>
>> Only the system admin should turn this on in an NIS environment. This is an
>> incredibly permissive boolean. Allows all processes to use any network port.
>>
>>> The same question can be asked for other things like http and samba.
>>>
>>> #!!!! This avc can be allowed using one of the these booleans:
>>> #     samba_export_all_ro, samba_export_all_rw
>>>
>>> allow smbd_t tmp_t:file getattr;
>> There really should not be tmp_t files on a system. Any idea how this file
>> got created? smbd_t in permissive mode?
>>
>>> #!!!! This avc can be allowed using one of the these booleans: #
>>> samba_create_home_dirs, samba_export_all_rw
>>>
>>> allow smbd_t user_home_dir_t:dir { write create add_name };
>>>
>>> setsebool -P samba_export_all_rw 1
>>>
>> If a user is exporting the home dirs it would be better to use
>> samba_enable_home_dirs
>>
>> But if he is sharing the entire system then use samba_export_all_rw
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 20 Feb 2014 09:30:40 -0700
>> From: Jayson Hurst <swazup(a)hotmail.com>
>> To: Daniel J Walsh <dwalsh(a)redhat.com>, "selinux(a)lists.fedoraproject.org" <selinux(a)lists.fedoraproject.org>
>> Subject: RE: Correct way to use booleans
>> Message-ID: <BLU172-W115B3FEB4027CC4152DD06D59A0(a)phx.gbl>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> So it sounds like booleans are meant to be set by the admin if they need that
>> sort of thing on. In the case of samba if the admin wanted to share out user directories
>> they would need to turn on a boolean that would allow them to do so like
>> samba_enable_home_dirs.
>>
>> I see a few different files in /tmp that are labelled as tmp_t, but the ones I
>> care about are the krb5cc_X files. If I use kinit to generate the krb5cc file it is
>> labelled as user_tmp_t but if I login through ssh, local_login, gdm, etc. they get
>> created as tmp_t. Seeing that my daemon is responsible for kerberos login I can only
>> guess that it is generating them incorrectly. In my SELinux module should I have a
>> transition for files created in tmp to have them created as user_tmp_t or is there a
>> better way?
>>
>>
>>
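One way to answer the transition question above, as an added example that is not part of the thread: a small add-on policy module that makes vasd_t create its /tmp files as user_tmp_t, so the krb5cc_X caches written at ssh/gdm login end up labelled like the ones kinit produces, and the mislabelled tmp_t files that led audit2allow to propose samba_export_all_rw stop appearing. It assumes vasd_t is the daemon's domain (as in the denial quoted above) and that the refpolicy interfaces files_tmp_filetrans and userdom_manage_user_tmp_files are available in the installed policy devel headers.

```selinux
# Hypothetical add-on module (not the daemon's own policy). If vasd_t is
# declared in your own .te, drop it from the require block and put the
# two interface calls into that file instead.
policy_module(vasd_tmp, 1.0)

########################################
#
# Declarations
#

require {
	type vasd_t;
	type user_tmp_t;
}

########################################
#
# Local policy
#

# Files that vasd_t creates directly under /tmp (parent directory labelled
# tmp_t) are given user_tmp_t instead of inheriting tmp_t. This is a type
# transition on create, so it only affects files created after the module
# is loaded; existing krb5cc_X files keep their old label until recreated.
files_tmp_filetrans(vasd_t, user_tmp_t, file)

# The domain must still be allowed to read, write and unlink the
# user_tmp_t files it now creates.
userdom_manage_user_tmp_files(vasd_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile vasd_tmp.pp && semodule -i vasd_tmp.pp`, then log in once more and confirm with `ls -Z /tmp/krb5cc_*` that new caches show user_tmp_t.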