From: ossman@cendio.se (Pierre Ossman)
Date: Thu, 24 Mar 2011 11:00:48 +0100
Subject: [refpolicy] help getting our application ThinLinc working with the reference policy
In-Reply-To: <4D8A389F.5060307@redhat.com>
References: <20110323163515.4af59493@ossman.lkpg.cendio.se> <4D8A389F.5060307@redhat.com>
Message-ID: <20110324110048.53087a1c@ossman.lkpg.cendio.se>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23 Mar 2011 14:14:55 -0400
Daniel J Walsh wrote:

> One idea would be to label your instance that is creating users as
> login_exec_t or sshd_exec_t

sshd_t seemed a bit too blatantly wrong, but login_t might be an acceptable temporary fix. It does seem to have the privileges needed.

I do hit another error on Fedora 14:

type=AVC msg=audit(1300960436.289:102497): avc: denied { write } for pid=9695 comm="xauth" name="3" dev=dm-0 ino=2366192 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir

I don't see this AVC on el6 and I can't recall seeing it on older Fedoras, so this is a recent restriction. The directory it tries to write to is /var/opt/thinlinc/sessions///, hence the var_t. Is this a Red Hat modification or part of refpolicy? If the former, could the restriction be relaxed? :)

> Best case would be to write some policy to allow the access, based off
> one of these domains.

Indeed. I'd like to have a proper policy for all the privileged processes, but time is unfortunately a restricting factor. I'll make an attempt at sorting out a basic module for this session starting process, but login_t will have to be plan B.

Rgds

-- 
Pierre Ossman            OpenSource-based Thin Client Technology
System Developer         Telephone: +46-13-21 46 00
Cendio AB                Web: http://www.cendio.com

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
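The denial quoted in the mail is a good illustration of the first question to ask about any AVC: is the target label wrong, or is the policy missing a rule? The parser below is an added example, not code from the thread or from ThinLinc; it breaks the audit record into fields and applies the (assumed) heuristic that a denial against a generic catch-all type such as var_t usually points to a directory that was never given a purpose-specific file context, rather than to a gap that should be patched with a new allow rule. The sample record is the one from the mail, re-joined onto one line.

```python
import re

# Constructed sample: the denial from the mail above, re-joined onto a single line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1300960436.289:102497): avc: denied { write } for pid=9695 '
    'comm="xauth" name="3" dev=dm-0 ino=2366192 '
    'scontext=unconfined_u:unconfined_r:xauth_t:s0 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'
)

# Assumed heuristic: these are broad fallback types from refpolicy. A denial whose
# target carries one of them usually means the object was never labelled for its
# purpose (fix: a file context + restorecon), not that the domain lacks a rule.
GENERIC_TYPES = {"var_t", "var_lib_t", "var_log_t", "etc_t", "usr_t", "tmp_t", "default_t"}

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be bare tokens or double-quoted strings.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Turn one audit AVC record into a dict of its fields, or None if it is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Pull the type out of each user:role:type[:level] context for easy comparison.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    return rec


def classify(rec):
    """Say whether a denial looks like a labelling problem or a missing allow rule."""
    if rec is None or rec["result"] != "denied":
        return "not-a-denial"
    if rec.get("tcontext_type") in GENERIC_TYPES:
        return "likely-mislabeled-target"   # relabel the path with a specific type
    return "possible-policy-gap"            # domain may need a rule or interface call


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec["scontext_type"], "->", rec["tcontext_type"], rec["tclass"], rec["perms"])
    print(classify(rec))
```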