| 1 |
On Wed, 2008-03-19 at 11:21 -0400, Mike Edenfield wrote: |
| 2 |
> I'm trying to track down a bunch of AVC denials related to winbindd on |
| 3 |
> one of our file servers, and I'm confused as to how winbindd is supposed |
| 4 |
> to work with SELinux. Specifically, it looks like the UNIX pipe used to |
| 5 |
> talk to winbindd is in a different place on my system than SELinux |
| 6 |
> expects to find it. |
| 7 |
> |
| 8 |
> I have a pipe in /tmp/.winbindd/pipe which was labelled winbind_tmp_t. |
| 9 |
> However, when I check the file_contexts file, and the .fc files from the |
| 10 |
> reference policy, I don't see any mention of /tmp/.winbindd. So my |
| 11 |
> first question is, how is this file getting a label that doesn't seem to |
| 12 |
> exist in the policy? |
| 13 |
|
| 14 |
The type definitely exists, its just not in the file contexts. |
| 15 |
type_transition statements in the policy are mechanisms for changing the |
| 16 |
default context on objects. Its what makes it possible for 99% of the |
| 17 |
apps to be SELinux-ignorant. |
| 18 |
|
| 19 |
> More importantly, the interface file for samba includes an interface |
| 20 |
> macro to grant access to winbind's communication pipe, but it looks like |
| 21 |
> this: |
| 22 |
> |
| 23 |
> interface(`samba_stream_connect_winbind',` |
| 24 |
> gen_require(` |
| 25 |
> type samba_var_t, winbind_t, winbind_var_run_t; |
| 26 |
> ') |
| 27 |
> |
| 28 |
> files_search_pids($1) |
| 29 |
> allow $1 samba_var_t:dir search_dir_perms; |
| 30 |
> |
| 31 |
> stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) |
| 32 |
> ') |
| 33 |
> |
| 34 |
> I don't see any mention of winbind_tmp_t there, but I do see |
| 35 |
> winbind_var_run_t. I've also seen other posts to this list that seem to |
| 36 |
> indicate winbind creates it's UNIX pipe in /var/run/winbindd, which *is* |
| 37 |
> listed in file_contexts but isn't anywhere on my system. The |
| 38 |
> documentation for samba also makes no mention of /var/run/winbindd, but |
| 39 |
> does specifically mention /tmp/.winbindd. |
| 40 |
|
| 41 |
The above interface is for connecting to winbind over a unix domain |
| 42 |
socket. If you have a list of apps that want to communicate with |
| 43 |
windbind over that pipe, I can fix up the policy. |
| 44 |
|
| 45 |
-- |
| 46 |
Chris PeBenito |
| 47 |
<pebenito@g.o> |
| 48 |
Developer, |
| 49 |
Hardened Gentoo Linux |
| 50 |
|
| 51 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 52 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives