VASD policy

Daniel J Walsh dwalsh at redhat.com
Tue Jul 23 19:12:33 UTC 2013



On 07/23/2013 11:14 AM, Tony Scully wrote:
> Hi Vadym,
> 
> In fact vasd just runs unconfined under selinux; the issue you have is that
> sshd is running in the sshd_t context, but need to access some files, the
> vasd cache (I think it's via PAM) in /var/opt/quest/vas.
> 
> Quest (now Dell) do provide a policy file which allows sshd to access
> these files, here's the text version:
> 
> 
> module sshdqas 1.0;
> 
> require {
>     type semanage_t;
>     type var_t;
>     type sshd_t;
>     type initrc_t;
>     class sock_file write;
>     class unix_stream_socket connectto;
>     class file { read write getattr open };
> }
> 
> #============= semanage_t ==============
> allow semanage_t var_t:sock_file write;
> 
> #============= sshd_t ==============
> allow sshd_t initrc_t:unix_stream_socket connectto;
> allow sshd_t var_t:file open;
> allow sshd_t var_t:file { read write getattr };
> allow sshd_t var_t:sock_file write;
> 
> 

Well, in Fedora these should be labeled var_auth_t.

restorecon -R -v /var/opt


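Added example, not from the thread and not Quest's or Fedora's tooling: a small Python linter that parses the allow rules out of the sshdqas module quoted above, flags those that open a generic type such as var_t to sshd_t, and emits the labelling fix the reply points to instead. The semanage fcontext line is an assumption for systems whose default file contexts do not already map the vasd cache directory to var_auth_t; path and type are parameters.

```python
import re

# Generic catch-all types: an allow rule on one of these reaches far beyond
# the single directory the policy author had in mind (/var/opt/quest/vas).
GENERIC_TYPES = {"var_t", "var_lib_t", "etc_t", "usr_t", "tmp_t", "file_t"}

# Constructed copy of the sshdqas module quoted above, one statement per line.
SSHDQAS_TE = """
module sshdqas 1.0;
require { type semanage_t; type var_t; type sshd_t; type initrc_t;
          class sock_file write; class unix_stream_socket connectto;
          class file { read write getattr open }; }
#============= semanage_t ==============
allow semanage_t var_t:sock_file write;
#============= sshd_t ==============
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def strip_comments(text):
    """'#' starts a comment to end of line: in the flattened copy on the list
    the allow rules sat on the comment line and would be silently dropped."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_allow_rules(text):
    """Return (source, target, class, sorted perms) for every allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(strip_comments(text)):
        perms = sorted((m.group(4) or m.group(5)).split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules


def find_broad_rules(text):
    """Allow rules whose target is a generic type: fix these by labelling the
    files with a specific type rather than by widening the policy."""
    return [r for r in parse_allow_rules(text) if r[1] in GENERIC_TYPES]


def relabel_commands(path, new_type):
    """The labelling fix: persist the context with semanage fcontext
    (assumed needed), then restorecon as in the reply."""
    return [f'semanage fcontext -a -t {new_type} "{path}(/.*)?"',
            f"restorecon -R -v {path}"]
```

Running find_broad_rules on the module flags four of its five rules (all the var_t ones), while the unix_stream_socket rule against initrc_t passes; relabel_commands("/var/opt/quest/vas", "var_auth_t") gives the two commands to run instead.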

