On 07/07/2009 04:28 PM, Daniel J Walsh wrote:
On 07/07/2009 09:07 AM, Jonathan Stott wrote:
2009/7/7 Daniel J Walsh <dwalsh@redhat.com>:
So you intended on using the guest_t user? What does the te file created by audit2allow look like?
I think the problem here is the guest_t user is running at s0 and trying to write to a fifo_file at s0-s0:c0.c1023
If you take the above audit messages and run them through audit2why, what does the tool say?
It says the errors were caused by:
    Was caused by:
        Policy constraint violation.

        May require adding a type attribute to the domain or type to
        satisfy the constraint.

        Constraints are defined in the policy sources in
        policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
And when I run them through audit2why it gives me
#============= guest_t ==============
allow guest_t sshd_t:fifo_file write;
Which looks vaguely sane to my untrained eye.
I'm not particularly wedded to the guest user in specific, but I would prefer it to have a minimal privilege user, since it has no need to do anything but manage the git repositories in the home directory.
Regards Jon
Ok I think the easiest thing for you to do now is change the range of the login user.
# semanage user -m -r s0-s0:c0.c1023 guest_u
# semanage login -m -r s0-s0:c0.c1023 __default__
(If you use a user other than __default__ you would need to change this also.)
I will send a patch to F11 to allow communications to fifo_files running at different levels.
The patch has been added to selinux-policy-3.6.12-65.fc11
Regards Miroslav
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
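
The level mismatch discussed in the thread, as an added example that is not part of the original messages and is not SELinux code. It is a simplified model that assumes the write constraint requires the subject's high level to dominate the object's high level; the actual constraint text lives in policy/mcs and is not quoted in the thread, and all function names are hypothetical.

```python
# Simplified model of MCS level dominance (added example; not SELinux code).
# Assumption: a write is permitted only when the subject's high level
# dominates the object's high level.

def parse_categories(cats):
    """Expand 'c0.c1023' or 'c1,c5.c7' into a set of category numbers."""
    result = set()
    if not cats:
        return result
    for part in cats.split(","):
        if "." in part:                      # 'cA.cB' is an inclusive range
            lo, hi = part.split(".")
            result.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            result.add(int(part[1:]))
    return result

def parse_level(level):
    """'s0:c0.c1023' -> (0, {0..1023}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)

def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level is both low and high."""
    low, sep, high = rng.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if sep else low_level)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def write_allowed(subject_range, object_range):
    """Modelled constraint: subject high level dominates object high level."""
    return dominates(parse_range(subject_range)[1], parse_range(object_range)[1])

if __name__ == "__main__":
    fifo = "s0-s0:c0.c1023"   # level of the fifo_file named in the thread
    # First the guest user's original range, then the range set by semanage.
    for subject in ("s0", "s0-s0:c0.c1023"):
        verdict = "allowed" if write_allowed(subject, fifo) else "denied"
        print(f"subject {subject} -> fifo {fifo}: {verdict}")
```

In this model the subject at s0 has no categories, so it cannot dominate c0.c1023, and widening the login range as suggested in the thread gives it the full category set.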