| 1 |
Chris PeBenito wrote: |
| 2 |
|
| 3 |
> type_transition statements in the policy are mechanisms for changing the |
| 4 |
> default context on objects. Its what makes it possible for 99% of the |
| 5 |
> apps to be SELinux-ignorant. |
| 6 |
|
| 7 |
Ok, that does make perfect sense. I guess I need to look harder next |
| 8 |
time when trying to decipher these AVC messages. |
| 9 |
|
| 10 |
> The above interface is for connecting to winbind over a unix domain |
| 11 |
> socket. If you have a list of apps that want to communicate with |
| 12 |
> windbind over that pipe, I can fix up the policy. |
| 13 |
|
| 14 |
Well, I have a list of apps that are trying to connect to winbind, but |
| 15 |
they're not using the domain from that interface. That's kinda where my |
| 16 |
confusion is coming from. The interface appears to grant access to the |
| 17 |
pipe from /var/cache/samba/winbindd_privileged (which is labeled |
| 18 |
winbind_var_run_t), but not the pipe from /tmp/.winbindd (which is |
| 19 |
labeled winbind_tmp_t). My main concern was that something was wrong |
| 20 |
with my setup that's making winbind not cooperate with the SELinux policy. |
| 21 |
|
| 22 |
But to actually address your email :), so far I've gotten AVC's from |
| 23 |
these domains that I think have a legitimate reason to access winbind: |
| 24 |
|
| 25 |
crond_t, newrole_t, semanage_t (for genhomedircon), sshd_t, and the |
| 26 |
various *_sudo_t domains. |
| 27 |
|
| 28 |
I also got warnings from portage_t.sandbox, because it runs tar. I can |
| 29 |
see allow rules already in place for portage_t.sandbox -> winbind_tmp_t |
| 30 |
for objects of type file, dir, and lnk_file, but I'm seeing messages for |
| 31 |
winbind_tmp_t:sock_file as well. |
| 32 |
|
| 33 |
There was one from run_init_t, which appears to be when it runs the |
| 34 |
samba startup script, and I'm not sure why it's accessing the winbind |
| 35 |
pipe before it transitions into the samba domains. |
| 36 |
|
| 37 |
--Mike |
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-hardened@l.g.o mailing list |
Archives