VASD policy
Vadym Chepkov
vchepkov at gmail.com
Thu Jan 23 19:29:29 UTC 2014
On Jul 23, 2013, at 11:14 AM, Tony Scully <tonyjscully at gmail.com> wrote:
> Hi Vadym,
>
> In fact vasd just runs unconfined under selinux; the issue you have is that sshd is running in the sshd_t context, but need to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.
>
> Quest (now Dell) do provide a policy file which allows sshd to access these files, here's the text version:
>
>
> module sshdqas 1.0;
>
> require {
> type semanage_t;
> type var_t;
> type sshd_t;
> type initrc_t;
> class sock_file write;
> class unix_stream_socket connectto;
> class file { read write getattr open };
> }
>
> #============= semanage_t ==============
> allow semanage_t var_t:sock_file write;
>
> #============= sshd_t ==============
> allow sshd_t initrc_t:unix_stream_socket connectto;
> allow sshd_t var_t:file open;
> allow sshd_t var_t:file { read write getattr };
> allow sshd_t var_t:sock_file write;
>
>
>
> Which as you can see, just allows sshd to access var_t labelled files -- might be considered too permssive?
>
> But vasd itself should run ( and is 'supported') unconfined under selinux.
>
It looks like a workaround to me, not a proper policy, but at least I don’t have do disable SELinux.
I ended up with this:
module qas 1.0;
require {
type var_auth_t;
type sshd_t;
type system_dbusd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
class file { read write getattr open };
}
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_auth_t:file { open read write getattr };
allow sshd_t var_auth_t:sock_file write;
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t var_auth_t:file { open read write getattr };
allow system_dbusd_t var_auth_t:sock_file write;
Thanks,
Vadym
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140123/65f02ef9/attachment.html>
More information about the selinux
mailing list