On Thu, 2008-03-20 at 15:37 -0400, Mike Edenfield wrote:
> Chris PeBenito wrote:
> > On Thu, 2008-03-20 at 11:17 -0400, Mike Edenfield wrote:
> >> Chris PeBenito wrote:
> >
> > That's because, as I said in my previous response, the interface is for
> > connecting over a unix domain socket. If we look at the macro
> > stream_connect_pattern(), it has:
> >
> > allow $1 $2:dir search_dir_perms;
> > allow $1 $3:sock_file { getattr write };
> > allow $1 $4:unix_stream_socket connectto;
> >
> > no mention of pipes (fifo_files). So to fix up the policy I have to
> > make a new interface for rw on winbind_tmp_t fifo_files, and then make
> > the appropriate domains call that interface.
>
> Ok, sorry for being so confused here. I'm obviously using the word
> "pipe" much too loosely and inaccurately. The file in /tmp/.winbind is
> also a unix domain socket, not a named pipe (though the winbindd(8) man
> page calls it a "pipe"):
>
> # ls -lFZ /tmp/.winbindd
> srwxrwxrwx+ 1 root root system_u:object_r:winbind_tmp_t 0 Mar 18 17:12 pipe=

Ah, now things are making sense. It's unfortunate that they name the
socket "pipe".

> The messages I'm getting look like this:
>
> type=AVC msg=audit(1205875201.198:114): avc: denied { getattr } for
> pid=4806 comm="cron" path="/tmp/.winbindd" dev=hda3 ino=4374539
> scontext=system_u:system_r:crond_t
> tcontext=system_u:object_r:winbind_tmp_t tclass=dir
> type=AVC msg=audit(1205875201.198:115): avc: denied { search } for
> pid=4806 comm="cron" name=".winbindd" dev=hda3 ino=4374539
> scontext=system_u:system_r:crond_t
> tcontext=system_u:object_r:winbind_tmp_t tclass=dir
> type=AVC msg=audit(1205875201.198:115): avc: denied { getattr } for
> pid=4806 comm="cron" path="/tmp/.winbindd/pipe" dev=hda3 ino=4374540
> scontext=system_u:system_r:crond_t
> tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file
> type=AVC msg=audit(1205875201.198:116): avc: denied { write } for
> pid=4806 comm="cron" name="pipe" dev=hda3 ino=4374540
> scontext=system_u:system_r:crond_t
> tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file
>
>
> >> But to actually address your email :), so far I've gotten AVC's from
> >> these domains that I think have a legitimate reason to access winbind:
> >>
> >> crond_t, newrole_t, semanage_t (for genhomedircon), sshd_t, and the
> >> various *_sudo_t domains.
> >>
> >> I also got warnings from portage_t.sandbox, because it runs tar. I can
> >> see allow rules already in place for portage_t.sandbox -> winbind_tmp_t
> >> for objects of type file, dir, and lnk_file, but I'm seeing messages for
> >> winbind_tmp_t:sock_file as well.
> >>
> >> There was one from run_init_t, which appears to be when it runs the
> >> samba startup script, and I'm not sure why it's accessing the winbind
> >> pipe before it transitions into the samba domains.
> >
> > Are you using pam_winbind, pam_smbpass or nss_winbind on this system
> > too?
>
> Yes, I'm using both pam_winbind and nss_winbind. pam_winbind is in my
> system-auth pam configuration, and nss_winbind is being used by nss for
> passwd, group, and shadow.

Now that things make sense, fixing up that interface that you mentioned
earlier in the thread should do it.

-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
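An added triage script (editor's example, not code from the thread or from refpolicy): it parses AVC records like the ones Mike quoted, groups the denied permissions by source domain and target type, and checks whether they all fall inside what stream_connect_pattern() grants, in which case the fix is an interface wrapping that pattern rather than hand-written allow rules. The sample re-joins the thread's denials onto single lines and adds one constructed fifo_file denial against tmp_t as a contrast; `<server_domain>` is a placeholder for the listening domain ($4), which these AVCs do not show.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the thread, each re-joined onto one
# line as auditd logs them, plus one made-up fifo_file denial (tmp_t) as a contrast case.
SAMPLE_AVCS = """\
type=AVC msg=audit(1205875201.198:114): avc: denied { getattr } for pid=4806 comm="cron" path="/tmp/.winbindd" dev=hda3 ino=4374539 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:winbind_tmp_t tclass=dir
type=AVC msg=audit(1205875201.198:115): avc: denied { search } for pid=4806 comm="cron" name=".winbindd" dev=hda3 ino=4374539 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:winbind_tmp_t tclass=dir
type=AVC msg=audit(1205875201.198:115): avc: denied { getattr } for pid=4806 comm="cron" path="/tmp/.winbindd/pipe" dev=hda3 ino=4374540 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file
type=AVC msg=audit(1205875201.198:116): avc: denied { write } for pid=4806 comm="cron" name="pipe" dev=hda3 ino=4374540 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:winbind_tmp_t tclass=sock_file
type=AVC msg=audit(1205875201.198:117): avc: denied { write } for pid=4806 comm="cron" name="fake" dev=hda3 ino=1 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmp_t tclass=fifo_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)')

# What stream_connect_pattern($1,$2,$3,$4) grants, as quoted in the thread. The dir
# perms listed are the ones denied above; search_dir_perms covers both of them.
STREAM_CONNECT = {"dir": {"getattr", "search"},
                  "sock_file": {"getattr", "write"},
                  "unix_stream_socket": {"connectto"}}

def parse_avcs(text):
    """Group denials as {(source_domain, target_type): {tclass: set(perms)}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        sdom = m["sctx"].split(":")[2]    # user:role:type[:range] -> type
        ttype = m["tctx"].split(":")[2]
        denials[(sdom, ttype)][m["tclass"]].update(m["perms"].split())
    return denials

def suggest(denials):
    """Per (domain, type): name the refpolicy pattern when every denied perm lies inside
    stream_connect_pattern(), otherwise list the raw allow rules the denials ask for."""
    out = {}
    for (sdom, ttype), classes in denials.items():
        fits = "sock_file" in classes and all(
            perms <= STREAM_CONNECT.get(tclass, set()) for tclass, perms in classes.items())
        if fits:
            # Dir and socket share one type here, so $2 == $3. $4 is absent from these AVCs:
            # connectto is only checked once sock_file write is granted, so expect it next.
            out[(sdom, ttype)] = f"stream_connect_pattern({sdom}, {ttype}, {ttype}, <server_domain>)"
        else:
            out[(sdom, ttype)] = [f"allow {sdom} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};"
                                  for cls, perms in sorted(classes.items())]
    return out
```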