How do I generically allow access to a single socket file

Jayson Hurst swazup at hotmail.com
Thu Feb 13 16:18:19 UTC 2014


Thanks,

I am currently doing something similar to that and I didn't know if that was considered too open.

> Date: Thu, 13 Feb 2014 09:27:42 -0500
> From: dwalsh at redhat.com
> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> Subject: Re: How do I generically allow access to a single socket file
> 
> On 02/12/2014 05:51 PM, Jayson Hurst wrote:
> > All of the following audit messages are connected to the file:
> > 
> > /var/opt/quest/vas/vasd/.vasd40_ipc_sock
> > 
> > What is the preferred way to grant the appropriate access to the file when
> > the domain that is going to need access to it is unknown? The context type
> > when I am done will probably be qasd_var_auth_t, although I am not sure
> > that matters at this point.
> > 
> > #============= hald_t ==============
> > allow hald_t var_auth_t:sock_file write;
> > 
> > #============= httpd_t ==============
> > allow httpd_t var_auth_t:dir search;
> > allow httpd_t var_auth_t:sock_file write;
> > 
> > #============= policykit_t ==============
> > allow policykit_t var_auth_t:dir search;
> > allow policykit_t var_auth_t:sock_file write;
> > 
> > #============= postfix_pickup_t ==============
> > allow postfix_pickup_t var_auth_t:dir search;
> > allow postfix_pickup_t var_auth_t:sock_file write;
> > allow postfix_pickup_t qasd_t:unix_stream_socket connectto;
> > 
> > #============= postfix_qmgr_t ==============
> > allow postfix_qmgr_t var_auth_t:dir search;
> > allow postfix_qmgr_t var_auth_t:sock_file write;
> > allow postfix_qmgr_t qasd_t:unix_stream_socket connectto;
> > 
> > #============= system_dbusd_t ==============
> > allow system_dbusd_t var_auth_t:sock_file write;
> > allow system_dbusd_t qasd_t:unix_stream_socket connectto;
> > 
> > #============= xdm_dbusd_t ==============
> > allow xdm_dbusd_t var_auth_t:dir search;
> > allow xdm_dbusd_t var_auth_t:sock_file write;
> > allow xdm_dbusd_t qasd_t:unix_stream_socket connectto;
> > 
> > #============= xdm_t ==============
> > allow xdm_t qasd_t:unix_stream_socket connectto;
> > 
> > # audit(1392243009.026:13):
> > #   scontext="system_u:system_r:postfix_qmgr_t:s0" tcontext="system_u:system_r:qasd_t:s0"
> > #   class="unix_stream_socket" perms="connectto"
> > #   comm="qmgr" exe="" path=""
> > #   message="type=AVC msg=audit(1392243009.026:13): avc:  denied  { connectto } for  pid=1674
> > #   comm="qmgr" path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"
> > #   scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:system_r:qasd_t:s0 tclass=unix_stream_socket"
> > 
> > I am also seeing the reverse of this with fifo_files (grant myself write, 
> > getattr access) to an unknown domain.
> > 
> > allow qasd_t httpd_t:fifo_file { write getattr };
> > allow qasd_t policykit_t:fifo_file { write getattr };
> > allow qasd_t postfix_pickup_t:fifo_file { write getattr };
> > allow qasd_t postfix_qmgr_t:fifo_file { write getattr };
> > allow qasd_t xdm_dbusd_t:fifo_file { write getattr };
> > 
> > # audit(1392243659.181:125):
> > #   scontext="system_u:system_r:qasd_t:s0" tcontext="unconfined_u:system_r:httpd_t:s0"
> > #   class="fifo_file" perms="write"
> > #   comm=".qasd" exe="" path=""
> > #   message="type=AVC msg=audit(1392243659.181:125): avc:  denied  { write } for  pid=1270
> > #   comm=".vasd" path="pipe:[22222]" dev=pipefs ino=22222
> > #   scontext=system_u:system_r:qasd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
> 
> On all SELinux systems you can allow all domains to do this by allowing 'domain'.
> 
> So you want to create an interface qasd_stream_connect, and then call it with
> domain
> 
> qasd_stream_connect(domain)
> 
> On newer systems from Fedora/RHEL7, you could use the attribute
> nsswitch_domain which is all domains that call getpw*
> 
> 
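Putting Dan's suggestion into reference-policy form, as an added example (not the poster's module and not part of the Fedora policy): a qasd_stream_connect interface built on the stream_connect_pattern macro, called with the domain attribute. It assumes the daemon domain qasd_t and the socket-file type qasd_var_auth_t named in the post, with the socket's directory labeled the same way.

```m4
## qasd.if (added example): interface for clients of the vasd IPC socket.
## Assumes the daemon runs as qasd_t and that both the socket file
## /var/opt/quest/vas/vasd/.vasd40_ipc_sock and its directory are
## labeled qasd_var_auth_t (as the original post plans).

## <summary>
##	Connect to qasd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`qasd_stream_connect',`
	gen_require(`
		type qasd_t, qasd_var_auth_t;
	')

	# Reach the socket directory under /var.
	files_search_var($1)
	# Expands to: dir search, sock_file write, unix_stream_socket connectto,
	# i.e. the three rules audit2allow generated per client domain above.
	stream_connect_pattern($1, qasd_var_auth_t, qasd_var_auth_t, qasd_t)
')

## qasd.te (fragment): qasd_t and qasd_var_auth_t are assumed to be
## declared earlier in this same module.

gen_require(`
	attribute domain;
')

# Dan's suggestion: every process domain may connect to the socket.
# On Fedora/RHEL7 policy, nsswitch_domain (the domains that call getpw*)
# is the narrower attribute to pass here instead of domain.
qasd_stream_connect(domain)

# The reverse direction from the post: the daemon answering on a pipe
# owned by the (unknown) client domain, instead of one rule per client.
allow qasd_t domain:fifo_file { getattr write };
```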
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140213/0310b38a/attachment.html>


More information about the selinux mailing list