| 1 |
Chris PeBenito wrote: |
| 2 |
> On Thu, 2008-03-20 at 11:17 -0400, Mike Edenfield wrote: |
| 3 |
>> Chris PeBenito wrote: |
| 4 |
> |
| 5 |
> Thats because, as I said in my previous response, the interface is for |
| 6 |
> connecting over a unix domain socket. If we look at the macro |
| 7 |
> stream_connect_pattern(), it has: |
| 8 |
> |
| 9 |
> allow $1 $2:dir search_dir_perms; |
| 10 |
> allow $1 $3:sock_file { getattr write }; |
| 11 |
> allow $1 $4:unix_stream_socket connectto; |
| 12 |
> |
| 13 |
> no mention of pipes (fifo_files). So to fix up the policy I have to |
| 14 |
> make a new interface for rw on winbind_tmp_t fifo_files, and then make |
| 15 |
> the appropriate domains call that interface. |
| 16 |
|
| 17 |
Ok, sorry for being so confused here. I'm obviously using the word |
| 18 |
"pipe" much too loosely and inaccurately. The file in /tmp/.winbind is |
| 19 |
also a unix domain socket, not a named pipe (though the winbindd(8) man |
| 20 |
page calls it a "pipe"): |
| 21 |
|
| 22 |
# ls -lFZ /tmp/.winbindd |
| 23 |
srwxrwxrwx+ 1 root root system_u:object_r:winbind_tmp_t 0 Mar 18 17:12 pipe= |
| 24 |
|
| 25 |
The messages I'm getting look like this: |
| 26 |
|
| 27 |
type=AVC msg=audit(1205875201.198:114): avc: denied { getattr } for |
| 28 |
pid=4806 comm="cron" path="/tmp/.winbindd" dev=hda3 ino=4374539 |
| 29 |
scontext=system_u:system_r:crond_t |
| 30 |
tcontext=system_u:object_r:winbind_tmp_t tclass=dir |
| 31 |
type=AVC msg=audit(1205875201.198:115): avc: denied { search } for |
| 32 |
pid=4806 comm="cron" name=".winbindd" dev=hda3 ino=4374539 |
| 33 |
scontext=system_u:system_r:crond_t |
| 34 |
tcontext=system_u:object_r:winbind_tmp_t tclass=dir |
| 35 |
type=AVC msg=audit(1205875201.198:115): avc: denied { getattr } for |
| 36 |
pid=4806 comm="cron" path="/tmp/.winbindd/pipe" dev=hda3 ino=4374540 |
| 37 |
scontext=system_u:system_r:crond_t |
| 38 |
tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file |
| 39 |
type=AVC msg=audit(1205875201.198:116): avc: denied { write } for |
| 40 |
pid=4806 comm="cron" name="pipe" dev=hda3 ino=4374540 |
| 41 |
scontext=system_u:system_r:crond_t |
| 42 |
tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file |
| 43 |
|
| 44 |
|
| 45 |
>> But to actually address your email :), so far I've gotten AVC's from |
| 46 |
>> these domains that I think have a legitimate reason to access winbind: |
| 47 |
>> |
| 48 |
>> crond_t, newrole_t, semanage_t (for genhomedircon), sshd_t, and the |
| 49 |
>> various *_sudo_t domains. |
| 50 |
>> |
| 51 |
>> I also got warnings from portage_t.sandbox, because it runs tar. I can |
| 52 |
>> see allow rules already in place for portage_t.sandbox -> winbind_tmp_t |
| 53 |
>> for objects of type file, dir, and lnk_file, but I'm seeing messages for |
| 54 |
>> winbind_tmp_t:sock_file as well. |
| 55 |
>> |
| 56 |
>> There was one from run_init_t, which appears to be when it runs the |
| 57 |
>> samba startup script, and I'm not sure why it's accessing the winbind |
| 58 |
>> pipe before it transitions into the samba domains. |
| 59 |
> |
| 60 |
> Are you using pam_winbind, pam_smbpass or nss_winbind on this system |
| 61 |
> too? |
| 62 |
|
| 63 |
Yes, I'm using both pam_winbind and nss_winbind. pam_winbind is in my |
| 64 |
system-auth pam configuration, and nss_winbind is being used by nss for |
| 65 |
passwd, group, and shadow. |
| 66 |
|
| 67 |
--Mike |
| 68 |
|
| 69 |
-- |
| 70 |
gentoo-hardened@l.g.o mailing list |
Archives