1 |
On Thu, 2008-03-20 at 11:17 -0400, Mike Edenfield wrote: |
2 |
> Chris PeBenito wrote: |
3 |
|
4 |
> > The above interface is for connecting to winbind over a unix domain |
5 |
> > socket. If you have a list of apps that want to communicate with |
6 |
> > windbind over that pipe, I can fix up the policy. |
7 |
> |
8 |
> Well, I have a list of apps that are trying to connect to winbind, but |
9 |
> they're not using the domain from that interface. That's kinda where my |
10 |
> confusion is coming from. The interface appears to grant access to the |
11 |
> pipe from /var/cache/samba/winbindd_privileged (which is labeled |
12 |
> winbind_var_run_t), but not the pipe from /tmp/.winbindd (which is |
13 |
> labeled winbind_tmp_t). My main concern was that something was wrong |
14 |
> with my setup that's making winbind not cooperate with the SELinux policy. |
15 |
|
16 |
Thats because, as I said in my previous response, the interface is for |
17 |
connecting over a unix domain socket. If we look at the macro |
18 |
stream_connect_pattern(), it has: |
19 |
|
20 |
allow $1 $2:dir search_dir_perms; |
21 |
allow $1 $3:sock_file { getattr write }; |
22 |
allow $1 $4:unix_stream_socket connectto; |
23 |
|
24 |
no mention of pipes (fifo_files). So to fix up the policy I have to |
25 |
make a new interface for rw on winbind_tmp_t fifo_files, and then make |
26 |
the appropriate domains call that interface. |
27 |
|
28 |
> But to actually address your email :), so far I've gotten AVC's from |
29 |
> these domains that I think have a legitimate reason to access winbind: |
30 |
> |
31 |
> crond_t, newrole_t, semanage_t (for genhomedircon), sshd_t, and the |
32 |
> various *_sudo_t domains. |
33 |
> |
34 |
> I also got warnings from portage_t.sandbox, because it runs tar. I can |
35 |
> see allow rules already in place for portage_t.sandbox -> winbind_tmp_t |
36 |
> for objects of type file, dir, and lnk_file, but I'm seeing messages for |
37 |
> winbind_tmp_t:sock_file as well. |
38 |
> |
39 |
> There was one from run_init_t, which appears to be when it runs the |
40 |
> samba startup script, and I'm not sure why it's accessing the winbind |
41 |
> pipe before it transitions into the samba domains. |
42 |
|
43 |
Are you using pam_winbind, pam_smbpass or nss_winbind on this system |
44 |
too? |
45 |
|
46 |
-- |
47 |
Chris PeBenito |
48 |
<pebenito@g.o> |
49 |
Developer, |
50 |
Hardened Gentoo Linux |
51 |
|
52 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
53 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |