From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 24 Mar 2011 14:06:34 -0400
Subject: [refpolicy] help getting our application ThinLinc working with the reference policy
In-Reply-To: <20110324110048.53087a1c@ossman.lkpg.cendio.se>
References: <20110323163515.4af59493@ossman.lkpg.cendio.se> <4D8A389F.5060307@redhat.com> <20110324110048.53087a1c@ossman.lkpg.cendio.se>
Message-ID: <4D8B882A.7090806@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/24/2011 06:00 AM, Pierre Ossman wrote:
> On Wed, 23 Mar 2011 14:14:55 -0400
> Daniel J Walsh wrote:
>
>> One idea would be to label your instance that is creating users as
>> login_exec_t or sshd_exec_t
>
> sshd_t seemed a bit too blatantly wrong, but login_t might be an
> acceptable temporary fix. It does seem to have the privileges needed.
>
> I do hit another error on Fedora 14:
>
> type=AVC msg=audit(1300960436.289:102497): avc: denied { write } for pid=9695 comm="xauth" name="3" dev=dm-0 ino=2366192 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
>
> I don't see this AVC on el6 and I can't recall seeing it on older
> Fedoras, so this is a recent restriction. The directory it tries to
> write to is /var/opt/thinlinc/sessions///, hence the
> var_t.
>
> Is this a Red Hat modification or part of refpolicy? If the former,
> could the restriction be relaxed? :)
>
>> Best case would be to write some policy to allow the access, based off
>> one of these domains.
>
> Indeed. I'd like to have a proper policy for all the privileged
> processes, but time is unfortunately a restricting factor. I'll make an
> attempt at sorting out a basic module for this session starting
> process, but login_t will have to be plan B.
>
> Rgds

You probably want to label /var/opt/thinlinc/sessions/ as user_home_dir_t or home_root_t.
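As an added illustration (not code from this thread or from ThinLinc), the script below parses the AVC record Pierre posted into its fields, shows that the denial is xauth_t writing into a var_t directory, and emits the persistent relabel commands that Dan's suggestion implies; the file-context regex for the sessions directory and the choice of user_home_dir_t over home_root_t are my assumptions.

```python
"""Parse an SELinux AVC denial and derive the relabel fix suggested in the reply."""
import re
import shlex

# AVC record copied verbatim from Pierre Ossman's mail (the only input needed).
AVC_LINE = ('type=AVC msg=audit(1300960436.289:102497): avc: denied { write } for pid=9695 '
            'comm="xauth" name="3" dev=dm-0 ino=2366192 '
            'scontext=unconfined_u:unconfined_r:xauth_t:s0 '
            'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir')

def parse_avc(line):
    """Return the AVC's key=value fields plus the denied permissions and the
    source/target SELinux types (third field of the user:role:type:level context)."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$', line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {}
    for tok in shlex.split(m.group(2)):   # shlex strips the quotes around comm="xauth"
        key, _, val = tok.partition('=')
        fields[key] = val
    fields['perms'] = m.group(1).split()
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def diagnose(fields):
    """One-line reading of the denial, the way a policy writer would state it."""
    return (f"{fields['stype']} (comm={fields['comm']}, pid={fields['pid']}) denied "
            f"{' '.join(fields['perms'])} on {fields['tclass']} labeled {fields['ttype']}")

def relabel_commands(path_regex, new_type):
    """Persistent fix: register a file context rule, then apply it to the existing tree.
    path_regex is assumed to be a semanage-style regex such as /path(/.*)?."""
    return [
        f'semanage fcontext -a -t {new_type} "{path_regex}"',
        f'restorecon -Rv {path_regex.split("(")[0]}',
    ]

if __name__ == "__main__":
    f = parse_avc(AVC_LINE)
    print(diagnose(f))
    if f['ttype'] == 'var_t':   # generic label: the directory has never been given a specific type
        for cmd in relabel_commands('/var/opt/thinlinc/sessions(/.*)?', 'user_home_dir_t'):
            print(cmd)
```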