On Tue, 2014-02-04 at 18:03 -0700, Jayson Hurst wrote:

Not 100% sure but i suspect that instead of creating that file with a private tmp file type you should us the existing:

kerberos_tmp_filetrans_host_rcache()

This will allow your domain to create these file with a type transition to the "host_rcache" file type, which is probably accessible by other relevant parties as well.

example:

optional-policy(` kerberos_tmp_filetrans_host_rcache(qasd_t) ')

This will work if you domain only uses /tmp for these kinds of files. (e.g. any files created in tmp will get the host_rcache file type)

If your domain creates other files straight into /tmp/ as well then you may want to use the second parameter that the kerberos-tmp_filetrans_host_rcache() supports (a file name)

But that kind of sucks because the file names are semi random (suffixed with uid)

So yes you might need to be creative there

Not sure though if i got this right or if this is optimal since i dont use kerberos.

If my daemon creates a file in /tmp which is labelled with my domains tmp file context as follows:

-rw-------. 1001 1000 unconfined_u:object_r:qasd_tmp_t:s0 /tmp/krb5cc_1001

other daemons such as sshd (which use kerberos) will need access to this file as well. Is there a way to grant that access from my policy without having to specify an exact allow rule for sshd?

I am seeing audit messages about this from audit2why.

type=AVC msg=audit(1391534896.381:2642): avc: denied { getattr } for pid=2070 comm="sshd" path="/tmp/krb5cc_1001" dev=dm-0 ino=281219 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:qasd_tmp_t:s0 tclass=file

audit2allow gives me the following allow rule:

allow sshd_t qasd_tmp_t:file { getattr unlink };

But I don't want to create specific allow rules like this if I can help it.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux