On Feb 1, 2012, at 11:50 AM, Daniel J Walsh wrote:
> On 02/01/2012 11:37 AM, Maria Iano wrote:
>> On Feb 1, 2012, at 11:30 AM, Daniel J Walsh wrote:
>>> On 01/31/2012 05:33 PM, Maria Iano wrote:
>>>> I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I will take care of a large number of denials if I can change the type of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
>>>> I added the file context rule with semanage, and used restorecon to change it to lsassd_var_socket_t as desired. But later I found that /var/lib/likewise/.lsassd had type var_lib_t again. I assume that is because the likewise processes run as initrc_t.
>>>> I'd like to change the policy and tell it that services running in either the initrc_t or unconfined_t domain should create the file /var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line tool, lwsm, for managing the processes runs in unconfined_t, so I'd like to include that domain to be safe.) How can I go about doing that in RHEL 6 (or can I)?
>>>> Thanks,
>>>> Maria
>>>> --
>>>> selinux mailing list
>>>> selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> What label do you have on /var/lib/likewise?
>>
>> system_u:object_r:var_lib_t:s0
>
> In that case, why not just label it lsassd_var_lib_t?
> Currently the labeling is
> /var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
> If you label it similarly, then you have a step in the right direction.
> I am not sure who wrote policy for the likewise domain, but I think I would eliminate all of the different labels. But I guess that is the way it is.
> If unconfined_t is creating a socket in the directory then I guess it would be listening on the socket, but other domains would not be allowed to communicate.
> One potential option, if you got all of the labeling correct, would be to use restorecond.
I actually had somehow not noticed those file contexts for the likewise-open directories, thank you. I added all of the file contexts for likewise (which involved replacing likewise-open with likewise to match my system). I also turned on the restorecond service. When restorecond is not running the file /var/lib/likewise/.lsassd does get relabeled incorrectly but now that restorecond is running it's being fixed immediately. Thank you!
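The failure mode in this thread is label drift: a file that a policy spec says should be one type gets re-created as another. Below is an added example (not code from the thread or from the Likewise or SELinux projects) that parses file_contexts entries in both the policy-source `gen_context(...)` form quoted above and the compiled form `semanage fcontext -l` prints, applies libselinux's "last matching spec wins" rule, and reports files whose observed label (as read from `ls -Z`) disagrees. The sample specs and observations are constructed, with `likewise-open` renamed to `likewise` as Maria did, and Python's `re` stands in for the POSIX regexes libselinux uses.

```python
"""Detect SELinux label drift by comparing observed labels with file_contexts specs."""
import re
from typing import List, NamedTuple, Optional


class Spec(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]  # object-class code: "s" socket, "d" dir, "-" regular file, None = any
    type_: str            # the SELinux type, e.g. likewise_var_lib_t


# Accepts "gen_context(user:role:TYPE,s0)" (policy source) and "user:role:TYPE:s0" (compiled).
_CTX = re.compile(r"(?:gen_context\()?\w+:\w+:(\w+)[:,]s0")


def parse_file_contexts(text: str) -> List[Spec]:
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # An optional middle field such as "-s" restricts the spec to one object class.
        ftype = fields[1][1] if len(fields) == 3 else None
        m = _CTX.search(fields[-1])
        if not m:
            raise ValueError(f"unparsable context in: {line}")
        specs.append(Spec(re.compile(fields[0]), ftype, m.group(1)))
    return specs


def expected_type(specs: List[Spec], path: str, ftype: str = "-") -> Optional[str]:
    """libselinux anchors each regex at both ends and searches from the end of the list."""
    for spec in reversed(specs):
        if spec.regex.fullmatch(path) and spec.ftype in (None, ftype):
            return spec.type_
    return None  # no spec covers this path; restorecon would leave it alone


def find_drift(specs: List[Spec], observed):
    """observed: (path, ftype, actual_type) triples; returns (path, actual, expected) mismatches."""
    return [(p, actual, want) for p, ft, actual in observed
            if (want := expected_type(specs, p, ft)) is not None and want != actual]


# Constructed sample: stock spec renamed to this host's path, plus a local spec for the socket.
SAMPLE_SPECS = """
/var/lib/likewise(/.*)?      gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/\\.lsassd  -s  system_u:object_r:lsassd_var_socket_t:s0
"""
# Constructed observation: the socket has reverted to var_lib_t after the daemon restarted.
SAMPLE_OBSERVED = [("/var/lib/likewise", "d", "likewise_var_lib_t"),
                   ("/var/lib/likewise/.lsassd", "s", "var_lib_t")]
```

Running `find_drift(parse_file_contexts(SAMPLE_SPECS), SAMPLE_OBSERVED)` flags only `.lsassd`, which is the file restorecond would put back to `lsassd_var_socket_t`.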