VASD policy

Vadym Chepkov vchepkov at gmail.com
Thu Jan 23 19:29:29 UTC 2014


On Jul 23, 2013, at 11:14 AM, Tony Scully <tonyjscully at gmail.com> wrote:

> Hi Vadym,
> 
> In fact vasd just runs unconfined under selinux; the issue you have is that sshd is running in the sshd_t context, but needs to access some files, the vasd cache (I think it's via PAM) in /var/opt/quest/vas.
> 
> Quest (now Dell) do provide a policy file which allows sshd to access these files, here's the text version:
> 
> 
> module sshdqas 1.0;
> 
> require {
>         type semanage_t;
>         type var_t;
>         type sshd_t;
>         type initrc_t;
>         class sock_file write;
>         class unix_stream_socket connectto;
>         class file { read write getattr open };
> }
> 
> #============= semanage_t ==============
> # Lets the policy-management tools (semanage_t) write to a var_t socket;
> # this has nothing to do with sshd reaching the vasd cache.
> allow semanage_t var_t:sock_file write;
> 
> #============= sshd_t ==============
> # sshd may connect to the Unix socket of a daemon running in initrc_t
> # (vasd, started from its init script, stays in that domain).
> allow sshd_t initrc_t:unix_stream_socket connectto;
> # sshd may read and write any file or socket carrying the generic var_t
> # label, not just the vasd cache under /var/opt/quest/vas.
> allow sshd_t var_t:file { open read write getattr };
> allow sshd_t var_t:sock_file write;
> 
> 
> 
> Which, as you can see, just allows sshd to access var_t-labelled files -- might be considered too permissive?
> 
> But vasd itself should run ( and is 'supported') unconfined under selinux.
> 


It looks like a workaround to me, not a proper policy, but at least I don’t have to disable SELinux.
I ended up with this:

# qas.te: let sshd and the system D-Bus daemon reach vasd's socket and cache.
# Only effective if the vasd cache under /var/opt/quest/vas carries the
# var_auth_t label (check with ls -Z).
# Build and load with:
#   checkmodule -M -m -o qas.mod qas.te
#   semodule_package -o qas.pp -m qas.mod
#   semodule -i qas.pp
module qas 1.0;

require {
        type var_auth_t;        # label for authentication-cache data under /var
        type sshd_t;
        type system_dbusd_t;
        type initrc_t;          # domain vasd stays in when started from its init script
        class sock_file write;
        class unix_stream_socket connectto;
        class file { read write getattr open };
}

# sshd (via PAM) connects to vasd's Unix socket and uses its cache files.
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_auth_t:file { open read write getattr };
allow sshd_t var_auth_t:sock_file write;

# The same access for the system D-Bus daemon.
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t var_auth_t:file { open read write getattr };
allow system_dbusd_t var_auth_t:sock_file write;

Thanks,
Vadym
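Before loading either module it is worth checking what a generated policy actually grants. The script below is an added example, not code from this thread or from Quest/Dell: it parses the allow rules of a .te module, merges duplicate rules, and flags three things a reviewer would want to see: targets that are generic labels such as var_t (the over-permissiveness raised above), source domains other than the one being fixed (the semanage_t line has nothing to do with sshd), and types used in rules but missing from the require block, which makes checkmodule fail. The two modules posted in this thread are embedded as constructed sample input; the GENERIC_TYPES set is this example's own choice of labels to flag, not something SELinux defines.

```python
"""Lint an SELinux policy module (.te) before loading it with semodule.

Added example for the sshdqas/qas thread; not code from the thread itself.
GENERIC_TYPES is this example's own list of overly broad labels (assumption).
"""
import re
from collections import defaultdict

# Labels that cover large parts of the filesystem. A rule against one of them
# usually means the daemon's own files were never given a label of their own.
GENERIC_TYPES = {"var_t", "var_lib_t", "var_run_t", "etc_t", "usr_t", "tmp_t",
                 "file_t", "unlabeled_t", "default_t"}

# allow <source> <target>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)
# type <name>;  (inside the require block)
TYPE_RE = re.compile(r"^\s*type\s+(\S+)\s*;", re.M)


def parse_allow_rules(te_text):
    """Map (source, target, class) -> set of permissions, merging duplicate rules."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules[(src, tgt, cls)].update(perms.strip("{} ").split())
    return dict(rules)


def lint(te_text, expected_sources):
    """Return findings as (kind, detail) tuples; an empty list means clean."""
    findings = []
    rules = parse_allow_rules(te_text)
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in GENERIC_TYPES:
            findings.append(("generic-target", rule))
        if src not in expected_sources:
            findings.append(("unexpected-source", rule))
    declared = set(TYPE_RE.findall(te_text))
    used = {t for key in rules for t in key[:2]}
    for t in sorted(used - declared):
        findings.append(("undeclared-type", t))
    return findings


# Constructed sample input: the Quest-supplied module quoted in the thread.
SSHDQAS_TE = """\
module sshdqas 1.0;
require {
    type semanage_t;
    type var_t;
    type sshd_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class file { read write getattr open };
}
allow semanage_t var_t:sock_file write;
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_t:file open;
allow sshd_t var_t:file { read write getattr };
allow sshd_t var_t:sock_file write;
"""

# Constructed sample input: the narrower module from the reply.
QAS_TE = """\
module qas 1.0;
require {
    type var_auth_t;
    type sshd_t;
    type system_dbusd_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class file { read write getattr open };
}
allow sshd_t initrc_t:unix_stream_socket connectto;
allow sshd_t var_auth_t:file { open read write getattr };
allow sshd_t var_auth_t:sock_file write;
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t var_auth_t:file { open read write getattr };
allow system_dbusd_t var_auth_t:sock_file write;
"""

if __name__ == "__main__":
    for name, te, sources in (("sshdqas", SSHDQAS_TE, {"sshd_t"}),
                              ("qas", QAS_TE, {"sshd_t", "system_dbusd_t"})):
        findings = lint(te, sources)
        print(f"== {name}: {len(findings)} finding(s)")
        for kind, detail in findings:
            print(f"  {kind}: {detail}")
```

Run against the two modules, sshdqas gets four findings (three var_t targets plus the semanage_t source) and qas gets none. The lint says nothing about whether var_auth_t is the right label for the cache, only that the rules are scoped to a specific type rather than to everything under /var; the build and load steps are the usual checkmodule, semodule_package and semodule sequence.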




