On 09/10/2009 08:16 AM, Nathan Kinder wrote:
On 09/10/2009 07:40 AM, Jenny Galipeau wrote:
Simo Sorce wrote:
On Thu, 2009-09-10 at 10:20 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
The management framework wasn't working with SELinux over ldapi because it lacked permission to access the unix socket. This patch grants permission.


Probably easier to review with the patch attached.

The patch was attached :-)

One question comes to mind though, you are giving access to any socket
labeled initrc_t (if my selinux policy reading skills are good enough,
which may not be).

Shouldn't we discuss with the DS team to have a more specific label for
this socket ?
Nathan is currently working on the DS SELinux policy ...
There is no SELinux policy for currently released DS versions, so the context can not be anything DS specific. I would have guessed that the label would be var_run_t since the ldapi socket should be in /var/run/dirsrv, which would inherit the label from the parent directory.
I want to correct myself just to avoid confusion. The ldapi socket will be in /var/run, not /var/run/dirsrv. It was moved a while back to be in a more standard location. I'm pretty sure that Rob has already encountered this, but I didn't want to spread any incorrect information.

In the policy that I'm working on, the ldapi socket has a label of dirsrv_var_run_t.
Simo.




_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
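The two rule shapes that Simo and Nathan are contrasting, written out as an added policy fragment for this page; it is not the patch under review and not the DS policy Nathan describes. Assumptions not stated in the thread: the management framework runs under Apache as httpd_t, ns-slapd runs as dirsrv_t once the DS policy exists, and the ldapi socket path in /var/run is /var/run/slapd-*.socket.

```selinux
# Added illustration, not the reviewed patch. Assumed domains: httpd_t (IPA
# framework under Apache), dirsrv_t (DS under the new policy). Socket path assumed.

# --- Rule shape Simo is questioning. With no DS policy, ns-slapd runs as
# initrc_t, so its listening socket carries that domain. This line therefore
# lets httpd_t connect to every unix stream socket owned by any initrc_t
# service on the box, not just the ldapi socket.
allow httpd_t initrc_t:unix_stream_socket connectto;
# The socket file itself inherits var_run_t from /var/run (as Nathan first
# guessed), and a client needs write on the sock_file to connect through it.
allow httpd_t var_run_t:sock_file write;

# --- Narrower form once the DS policy labels the socket dirsrv_var_run_t and
# confines ns-slapd as dirsrv_t: only that socket file, only that peer domain.
allow httpd_t dirsrv_var_run_t:sock_file write;
allow httpd_t dirsrv_t:unix_stream_socket connectto;

# File context the DS policy would carry for the socket in /var/run
# (this line goes in the .fc file, not the .te file; path is an assumption):
# /var/run/slapd-.*\.socket  -s  gen_context(system_u:object_r:dirsrv_var_run_t,s0)
```

To see which of the two shapes a loaded policy actually contains, `sesearch -A -s httpd_t -t initrc_t -c unix_stream_socket` (setools) lists the broad connectto rule if it is present, and `ls -Z` on the socket shows whether it still carries var_run_t or the DS-specific type.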