Got things working, but not sure how
Stephen Smalley
sds at tycho.nsa.gov
Thu Mar 4 13:12:15 UTC 2010
On Wed, 2010-03-03 at 18:10 -0500, Scott Salley wrote:
> I’d like to thank the mailing list inhabitants for all the help you’ve
> given me. So, Thanks!
>
> I modified the targeted policy for Fedora 12 and got Likewise Open to
> install, join Active Directory, and allow users to authenticate
> without any problems! The problem is, I’m not quite sure what some of
> the rules do and whether they are necessary.
>
> For example, I patched the authentication daemon (lsassd) to properly
> set up the user’s home directory and I’m using matchpathcon(3) and
> setfilecon(3). At first, matchpathcon would fail but I could find *no*
> messages indicating a problem.
Use semodule -DB, as described in:
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html
And later revert with semodule -B.
> I finally copied a block of rules from another policy and that
> worked.
>
> The rules I copied are:
>
> selinux_get_fs_mount(lsassd_t)
>
> selinux_validate_context(lsassd_t)
>
> selinux_compute_access_vector(lsassd_t)
>
> selinux_compute_create_context(lsassd_t)
>
> selinux_compute_relabel_context(lsassd_t)
>
> selinux_compute_user_contexts(lsassd_t)
I don't think you need any of the selinux_compute_* interfaces.
> Now I could try things one by one and see what works and what doesn’t,
> but I have some other rule blocks where I have the same type of
> problem and then a combinatorial explosion gets involved. I have also
> tried looking things up online, but pages like this
> (http://www.softeh.ro/doc/selinux-policy-2.2.23/html/kernel_selinux.html) did not really help me for many of the rules.
>
> What have I missed? Is there another level of logging I could turn on
> somewhere?
Yes, semodule -DB.
--
Stephen Smalley
National Security Agency
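The daemon patch in the question relies on matchpathcon(3) to decide what label a freshly created home directory should get. The following is an added example, not code from the thread or from libselinux: a small Python re-implementation of the lookup that matchpathcon performs over a file_contexts file, run against a constructed six-line excerpt (the patterns and types are illustrative, not copied from the Fedora 12 policy). It shows the two things that make the call fail with errno ENOENT even when SELinux allows it: a path matched by no entry, and a path whose last matching entry is <<none>>. The names parse_file_contexts, matchpathcon, expected_context, SPECS and FTYPE_MASKS are this example's own.

```python
import errno
import re
import stat
from typing import List, NamedTuple, Optional

# Constructed file_contexts excerpt for this example (not copied from any
# distribution policy); the format is the one file_contexts(5) describes:
#   <regex> [<file type>] <context | <<none>>>
FILE_CONTEXTS = r"""
/.*                              system_u:object_r:default_t:s0
/home                     -d     system_u:object_r:home_root_t:s0
/home/[^/]+               -d     system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.*                   system_u:object_r:user_home_t:s0
/home/[^/]+/\.ssh(/.*)?          system_u:object_r:ssh_home_t:s0
/home/lost\+found(/.*)?          <<none>>
"""

# File-type specifiers from file_contexts(5), mapped to stat(2) format bits.
FTYPE_MASKS = {
    "--": stat.S_IFREG, "-b": stat.S_IFBLK, "-c": stat.S_IFCHR,
    "-d": stat.S_IFDIR, "-p": stat.S_IFIFO, "-l": stat.S_IFLNK,
    "-s": stat.S_IFSOCK,
}


class Spec(NamedTuple):
    regex: "re.Pattern[str]"
    mode: Optional[int]      # S_IFMT bits the entry is restricted to, or None
    context: Optional[str]   # None encodes <<none>>


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into Spec tuples, keeping file order."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError(f"file_contexts line {lineno}: expected 2 or 3 fields")
        if ftype is not None and ftype not in FTYPE_MASKS:
            raise ValueError(f"file_contexts line {lineno}: unknown file type {ftype}")
        specs.append(Spec(
            re.compile(r"^(?:" + pattern + r")$"),   # entries match the whole path
            FTYPE_MASKS[ftype] if ftype else None,
            None if context == "<<none>>" else context,
        ))
    return specs


def matchpathcon(specs: List[Spec], path: str, mode: int) -> str:
    """Mirror matchpathcon(3): the last matching entry wins; no match and
    <<none>> both fail with errno ENOENT, which is what libselinux reports."""
    for spec in reversed(specs):
        if spec.mode is not None and spec.mode != stat.S_IFMT(mode):
            continue
        if spec.regex.match(path) is None:
            continue
        if spec.context is None:
            raise OSError(errno.ENOENT, "file_contexts entry is <<none>>", path)
        return spec.context
    raise OSError(errno.ENOENT, "no file_contexts entry matches", path)


SPECS = parse_file_contexts(FILE_CONTEXTS)


def expected_context(path: str, ftype: str = "--") -> Optional[str]:
    """Convenience wrapper: ftype is a file_contexts specifier such as '-d';
    returns None instead of raising when no context applies."""
    try:
        return matchpathcon(SPECS, path, FTYPE_MASKS[ftype])
    except OSError as exc:
        if exc.errno != errno.ENOENT:
            raise
        return None


if __name__ == "__main__":
    for path, ftype in [("/home/alice", "-d"), ("/home/alice/.bashrc", "--"),
                        ("/home/alice/.ssh/id_rsa", "--"), ("/home/lost+found/x", "--")]:
        print(f"{path:28s} {ftype}  ->  {expected_context(path, ftype)}")
```

The point for the daemon patch is the errno: ENOENT from matchpathcon means the spec file, not the policy, has no answer for that path, whereas a failure with no matching AVC record in the audit log is the silent-denial case the reply addresses, which is what rebuilding with semodule -DB makes visible before reverting with semodule -B.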