On Wed, 2008-03-19 at 11:21 -0400, Mike Edenfield wrote:
> I'm trying to track down a bunch of AVC denials related to winbindd on
> one of our file servers, and I'm confused as to how winbindd is supposed
> to work with SELinux. Specifically, it looks like the UNIX pipe used to
> talk to winbindd is in a different place on my system than SELinux
> expects to find it.
>
> I have a pipe in /tmp/.winbindd/pipe which was labelled winbind_tmp_t.
> However, when I check the file_contexts file, and the .fc files from the
> reference policy, I don't see any mention of /tmp/.winbindd. So my
> first question is, how is this file getting a label that doesn't seem to
> exist in the policy?

The type definitely exists, it's just not in the file contexts.
type_transition statements in the policy are mechanisms for changing the
default context on objects. It's what makes it possible for 99% of the
apps to be SELinux-ignorant.

> More importantly, the interface file for samba includes an interface
> macro to grant access to winbind's communication pipe, but it looks like
> this:
>
> interface(`samba_stream_connect_winbind',`
> 	gen_require(`
> 		type samba_var_t, winbind_t, winbind_var_run_t;
> 	')
>
> 	files_search_pids($1)
> 	allow $1 samba_var_t:dir search_dir_perms;
>
> 	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
> ')
>
> I don't see any mention of winbind_tmp_t there, but I do see
> winbind_var_run_t. I've also seen other posts to this list that seem to
> indicate winbind creates its UNIX pipe in /var/run/winbindd, which *is*
> listed in file_contexts but isn't anywhere on my system. The
> documentation for samba also makes no mention of /var/run/winbindd, but
> does specifically mention /tmp/.winbindd.

The above interface is for connecting to winbind over a unix domain
socket. If you have a list of apps that want to communicate with
winbind over that pipe, I can fix up the policy.

-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
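As an added illustration of the two points in the reply above (this is not part of Chris's message and not the reference policy's own samba module): the first rule is the kind of type_transition that gives /tmp/.winbindd/pipe the winbind_tmp_t label even though no file_contexts entry mentions /tmp/.winbindd, and the interface is a hypothetical counterpart to the quoted samba_stream_connect_winbind for client domains that reach winbind through the /tmp path instead of /var/run. The interface name samba_tmp_stream_connect_winbind and the exact object classes in the transition are assumptions for illustration; the real samba.te/samba.if may differ.

```m4
# Added example; not the original message's text and not refpolicy's
# samba module. Names and class sets marked "assumed" are illustrative.

########################################
#
# Why /tmp/.winbindd/pipe is winbind_tmp_t with no file_contexts entry
#
# In a refpolicy .te file this is normally written through an interface
# rather than as a raw rule (object classes assumed, not copied from samba.te):
#
#	files_tmp_filetrans(winbind_t, winbind_tmp_t, { dir file sock_file })
#
# which expands to a type_transition of the form below. When winbind_t
# creates a dir, file or sock_file directly inside a tmp_t directory (/tmp),
# the new object is labeled winbind_tmp_t instead of inheriting tmp_t. The
# /tmp/.winbindd directory created that way is winbind_tmp_t, and the pipe
# created inside it then inherits winbind_tmp_t from its parent by default,
# so the label comes from the policy, not from file_contexts.
type_transition winbind_t tmp_t:{ dir file sock_file } winbind_tmp_t;

########################################
## <summary>
##	Connect to winbind over its unix domain socket under /tmp/.winbindd.
##	Hypothetical interface for illustration, modelled on
##	samba_stream_connect_winbind; the name is assumed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_tmp_stream_connect_winbind',`
	gen_require(`
		type winbind_t, winbind_tmp_t;
	')

	# reach /tmp itself, which is tmp_t
	files_search_tmp($1)

	# stream_connect_pattern(domain, dir type, sock_file type, server domain)
	# grants: search on the winbind_tmp_t directory, write on the
	# winbind_tmp_t sock_file, and connectto on winbind_t's unix_stream_socket.
	stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
```

To confirm on a running system which mechanism produced a label: `sesearch -T -s winbind_t -t tmp_t` lists the type_transition rules in the loaded policy for that source and target, `matchpathcon /tmp/.winbindd/pipe` prints only what file_contexts alone would assign to the path, and `ls -Z /tmp/.winbindd/pipe` shows the label the object actually carries. The two differing is the signature of a type_transition (or of a manual chcon), and it is also why the quoted interface, which only knows winbind_var_run_t, cannot cover a pipe that lives under /tmp.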