How do I generically allow access to a single socket file

Jayson Hurst swazup at hotmail.com
Wed Feb 12 22:51:07 UTC 2014


All of the following audit messages are connected to the file:

/var/opt/quest/vas/vasd/.vasd40_ipc_sock

What is the preferred way to grant the appropriate access to the file when the domain that is going to need access to it is unknown? The context type when I am done will probably be qasd_var_auth_t, although I am not sure that matters at this point.

#============= hald_t ==============
allow hald_t var_auth_t:sock_file write;

#============= httpd_t ==============
allow httpd_t var_auth_t:dir search;
allow httpd_t var_auth_t:sock_file write;

#============= policykit_t ==============
allow policykit_t var_auth_t:dir search;
allow policykit_t var_auth_t:sock_file write;

#============= postfix_pickup_t ==============
allow postfix_pickup_t var_auth_t:dir search;
allow postfix_pickup_t var_auth_t:sock_file write;
allow postfix_pickup_t qasd_t:unix_stream_socket connectto;

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t var_auth_t:dir search;
allow postfix_qmgr_t var_auth_t:sock_file write;
allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;

#============= system_dbusd_t ==============
allow system_dbusd_t var_auth_t:sock_file write;
allow system_dbusd_t qasd_t:unix_stream_socket connectto;

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t var_auth_t:dir search;
allow xdm_dbusd_t var_auth_t:sock_file write;
allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;

#============= xdm_t ==============
allow xdm_t qasd_t:unix_stream_socket connectto;

# audit(1392243009.026:13):
#  scontext="system_u:system_r:postfix_qmgr_t:s0" tcontext="system_u:system_r:qasd_t:s0"
#  class="unix_stream_socket" perms="connectto"
#  comm="qmgr" exe="" path=""
#  message="type=AVC msg=audit(1392243009.026:13): avc:  denied  { connectto }
#   for  pid=1674 comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"
#   scontext=system_u:system_r:postfix_qmgr_t:s0
#   tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"

I am also seeing the reverse of this with fifo_files (grant myself write, getattr access) to an unknown domain.

allow qasd_t httpd_t:fifo_file { write getattr };
allow qasd_t policykit_t:fifo_file { write getattr };
allow qasd_t postfix_pickup_t:fifo_file { write getattr };
allow qasd_t postfix_qmgr_t:fifo_file { write getattr };
allow qasd_t xdm_dbusd_t:fifo_file { write getattr };

# audit(1392243659.181:125):
#  scontext="system_u:system_r:qasd_t:s0" tcontext="unconfined_u:system_r:httpd_t:s0"
#  class="fifo_file" perms="write"
#  comm=".qasd" exe="" path=""
#  message="type=AVC msg=audit(1392243659.181:125): avc:  denied  { write } for
#   pid=1270 comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222
#   scontext=system_u:system_r:qasd_t:s0
#   tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file"
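The access asked for above, written as one policy module instead of a list of per-domain audit2allow rules. This is an added example, not code from the original post or from the vendor's own policy. It takes the daemon domain qasd_t and the current label var_auth_t from the AVCs in the post; the new type qasd_var_auth_t (applied to the whole vasd directory), the module name qasd, the interface name qasd_stream_connect and the Makefile path /usr/share/selinux/devel/Makefile (Fedora/RHEL selinux-policy-devel) are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post or the vendor's policy.
# One module in place of the per-domain audit2allow output: a dedicated type
# for the IPC socket, a grant to the 'domain' attribute because the callers
# are unknown, and an interface for callers that become known later.
# Assumed: qasd_t / var_auth_t (from the AVCs), qasd_var_auth_t, module name
# "qasd", interface name qasd_stream_connect, devel Makefile path.
set -eu

# Write qasd.te, qasd.if and qasd.fc into the directory given as $1.
write_policy_files() {
    dir="$1"
    mkdir -p "$dir"

    cat >"$dir/qasd.te" <<'EOF'
policy_module(qasd, 1.0)

gen_require(`
    type qasd_t;
    attribute domain;
')

# Own type for the socket and its directory, so the broad grant below does
# not also cover everything else labelled var_auth_t.
type qasd_var_auth_t;
files_type(qasd_var_auth_t)

# The daemon creates and removes the socket itself.
manage_dirs_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)
manage_sock_files_pattern(qasd_t, qasd_var_auth_t, qasd_var_auth_t)

# Callers are not known in advance: give every process domain the three
# permissions audit2allow kept repeating (dir search, sock_file write,
# unix_stream_socket connectto). Deliberately broad; see the note below.
stream_connect_pattern(domain, qasd_var_auth_t, qasd_var_auth_t, qasd_t)

# Reverse direction from the second AVC: the client hands qasd_t an inherited
# pipe and expects the reply on it. Writing to an inherited descriptor needs
# fd:use on the caller as well as write on the pipe itself.
domain_use_interactive_fds(qasd_t)
allow qasd_t domain:fifo_file { getattr write };
EOF

    cat >"$dir/qasd.if" <<'EOF'
## <summary>vasd/qasd IPC socket</summary>

########################################
## <summary>
##  Connect to qasd over its unix stream socket.
## </summary>
## <param name="domain">
##  <summary>Domain allowed access.</summary>
## </param>
#
interface(`qasd_stream_connect',`
    gen_require(`
        type qasd_t, qasd_var_auth_t;
    ')

    stream_connect_pattern($1, qasd_var_auth_t, qasd_var_auth_t, qasd_t)
')
EOF

    # File contexts: the directory gets the new type, so a socket the daemon
    # creates inside it inherits that type with no type_transition rule.
    # Paths are regexes, hence the escaped dot; -s restricts the entry to
    # socket files.
    cat >"$dir/qasd.fc" <<'EOF'
/var/opt/quest/vas/vasd(/.*)?    gen_context(system_u:object_r:qasd_var_auth_t,s0)
/var/opt/quest/vas/vasd/\.vasd40_ipc_sock    -s    gen_context(system_u:object_r:qasd_var_auth_t,s0)
EOF
}

# Build, load and relabel, then check the grant is in the loaded policy and
# see whether any denials are still being logged.
build_and_install() {
    dir="$1"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile qasd.pp)
    semodule -i "$dir/qasd.pp"
    restorecon -Rv /var/opt/quest/vas/vasd
    ls -Z /var/opt/quest/vas/vasd
    sesearch -A -s domain -t qasd_t -c unix_stream_socket -p connectto
    ausearch -m avc -ts recent || true   # ausearch exits non-zero on no matches
}

# Usage: sh qasd-policy.sh write ./qasd && sudo sh qasd-policy.sh build ./qasd
case "${1:-}" in
    write) write_policy_files "${2:-./qasd}" ;;
    build) build_and_install "${2:-./qasd}" ;;
esac
```

Granting to the `domain` attribute is the widest possible answer to "the caller is unknown": every confined and unconfined process may then connect to the daemon and have the daemon write into its pipes. Fedora's policy carries a narrower attribute, nsswitch_domain, which auth_use_nsswitch() adds to domains that resolve users and groups; if your policy has it, substituting it for `domain` in the .te shrinks the grant to the domains that actually do lookups (which, going by the domains listed above, appears to be the set in question). The interface is there for any caller outside that set, added to that caller's module as qasd_stream_connect(its_domain_t).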
 		 	   		  