Chris PeBenito wrote:

> type_transition statements in the policy are mechanisms for changing the
> default context on objects. It's what makes it possible for 99% of the
> apps to be SELinux-ignorant.

Ok, that does make perfect sense. I guess I need to look harder next
time when trying to decipher these AVC messages.

> The above interface is for connecting to winbind over a unix domain
> socket. If you have a list of apps that want to communicate with
> winbind over that pipe, I can fix up the policy.

Well, I have a list of apps that are trying to connect to winbind, but
they're not using the domain from that interface. That's kinda where my
confusion is coming from. The interface appears to grant access to the
pipe from /var/cache/samba/winbindd_privileged (which is labeled
winbind_var_run_t), but not the pipe from /tmp/.winbindd (which is
labeled winbind_tmp_t). My main concern was that something was wrong
with my setup that's making winbind not cooperate with the SELinux policy.

But to actually address your email :), so far I've gotten AVCs from
these domains that I think have a legitimate reason to access winbind:

crond_t, newrole_t, semanage_t (for genhomedircon), sshd_t, and the
various *_sudo_t domains.

I also got warnings from portage_t.sandbox, because it runs tar. I can
see allow rules already in place for portage_t.sandbox -> winbind_tmp_t
for objects of type file, dir, and lnk_file, but I'm seeing messages for
winbind_tmp_t:sock_file as well.

There was one from run_init_t, which appears to be when it runs the
samba startup script, and I'm not sure why it's accessing the winbind
pipe before it transitions into the samba domains.

--Mike

--
gentoo-hardened@l.g.o mailing list
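The sorting of AVC denials by source domain and target type that Mike describes above can be automated. The following is an added example, not code from this thread or from the policy being discussed; the AVC lines are constructed samples in the kernel audit format, and `winbind_t` is assumed to be the winbind process domain.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (kernel audit layout); the last line is noise to be ignored.
SAMPLE_AVC = """\
audit(1138000001.123:45): avc:  denied  { write } for  pid=1234 comm="crond" name="pipe" dev=hda3 ino=1111 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file
audit(1138000001.124:46): avc:  denied  { connectto } for  pid=1234 comm="crond" path="/tmp/.winbindd/pipe" scontext=system_u:system_r:crond_t tcontext=system_u:system_r:winbind_t tclass=unix_stream_socket
audit(1138000002.456:47): avc:  denied  { write } for  pid=2345 comm="sshd" name="pipe" dev=hda3 ino=1111 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file
audit(1138000003.789:48): avc:  denied  { write } for  pid=3456 comm="newrole" name="pipe" dev=hda3 ino=2222 scontext=system_u:system_r:newrole_t tcontext=system_u:object_r:winbind_var_run_t tclass=sock_file
Jan 23 12:00:00 host kernel: unrelated message that is not an AVC
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the permissions, source type, target type and class of one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        # A context is user:role:type[:range]; the type is always the third field.
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def summarize_denials(log_text):
    """Group denials into {(source type, target type, class): sorted permissions}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}

def sources_for_target(summary, target_type, tclass=None):
    """List the domains that were denied on a target type (optionally one object class only)."""
    return sorted({src for (src, tgt, cls) in summary
                   if tgt == target_type and (tclass is None or cls == tclass)})

def to_allow_rule(key, perms):
    """Render one summary entry as the allow rule a policy writer would review before adding it."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AVC)
    for key, perms in sorted(summary.items()):
        print(to_allow_rule(key, perms))
```

The rendered rules are candidates to check against the existing winbind interface, not rules to load blindly: a denial on winbind_tmp_t:sock_file from a domain that should only be reaching the privileged pipe is a labeling or configuration problem, not a missing allow.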