nis+ and selinux targeted (nscd/ntpd problems)
Niki Waibel
niki.waibel at newlogic.com
Tue Mar 1 15:41:26 UTC 2005
If you run FC3 and nis-utils-1.4.1 it is necessary to
add the following to
/etc/selinux/targeted/src/policy/domains/misc/custom.te
to make nscd run properly:
===
allow nscd_t file_t:file { read write };
#EXE=/usr/sbin/nscd NAME=passwd : read write
allow nscd_t file_t:file getattr;
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/passwd : getattr
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/group : getattr
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/hosts : getattr
allow nscd_t var_t:file { getattr read };
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
allow nscd_t var_run_t:sock_file write;
#EXE=/usr/sbin/nscd NAME=keyservsock : write
allow nscd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
===
I don't know if
===
allow nscd_t file_t:file { read write };
allow nscd_t file_t:file getattr;
allow nscd_t var_t:file { getattr read };
===
are really a good choice ...
nscd (if you have nisplus in /etc/nsswitch.conf) accesses
the files in /var/db/nscd (getattr, read, write) and /var/nis.
Maybe there should be something like var_nis_t and var_db_nscd_t?
I am not sure if /etc/{passwd,group,hosts} are accessed as well...
Using NIS+ I've also figured out that ntpd needs some additional rules:
===
allow ntpd_t var_t:file { getattr read };
#EXE=/usr/sbin/ntpd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/ntpd PATH=/var/nis/NIS_COLD_START : getattr
allow ntpd_t var_run_t:sock_file write;
#EXE=/usr/sbin/ntpd NAME=keyservsock : write
allow ntpd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/ntpd PATH=/var/run/keyservsock : connectto
===
Can this be integrated into the standard targeted policy?
--
niki w. waibel - system administrator @ newlogic technologies ag
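Added example, not part of the post above and not Fedora's audit2allow: a small shell
script that does the same job as the audit2allow run the rules above came from (AVC denial
lines in, merged allow rules out) and then flags every rule whose target is a generic type
such as file_t (unlabeled files) or var_t (the catch-all for /var), which is exactly the
doubt raised about the first three rules. It assumes the FC3-era syslog AVC format without an
MLS field; the denial lines embedded in AVC_SAMPLE are constructed for illustration, not
captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post, not Fedora's audit2allow):
# a minimal AVC-denial-to-allow-rule converter plus a check for rules that
# target generic types. Assumes the FC3 syslog AVC format with no MLS field.

# Constructed sample denials (illustration only, not a real capture).
AVC_SAMPLE='audit(1109692886.101:41): avc:  denied  { read write } for  pid=1234 comm="nscd" name="passwd" dev=hda2 ino=98765 scontext=root:system_r:nscd_t tcontext=system_u:object_r:file_t tclass=file
audit(1109692886.102:42): avc:  denied  { getattr } for  pid=1234 comm="nscd" path="/var/db/nscd/passwd" dev=hda2 ino=98765 scontext=root:system_r:nscd_t tcontext=system_u:object_r:file_t tclass=file
audit(1109692886.103:43): avc:  denied  { read } for  pid=1234 comm="nscd" name="NIS_COLD_START" dev=hda2 ino=11111 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=file
audit(1109692886.104:44): avc:  denied  { write } for  pid=1234 comm="nscd" name="keyservsock" dev=hda2 ino=22222 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_run_t tclass=sock_file
audit(1109692886.105:45): avc:  denied  { connectto } for  pid=1234 comm="nscd" path="/var/run/keyservsock" scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket
audit(1109692886.106:46): avc:  denied  { getattr read } for  pid=2345 comm="ntpd" path="/var/nis/NIS_COLD_START" dev=hda2 ino=11111 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:var_t tclass=file'

# avc_to_allow: read AVC denial lines on stdin, emit one allow rule per
# (source type, target type, class) with the permissions merged and deduplicated.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # permissions sit between the first "{" and "}" on the line
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        st = ""; tt = ""; cl = ""
        for (i = 1; i <= NF; i++) {
            # type is the last ":"-separated field of a context; drop an MLS "s0" suffix if one is present
            if ($i ~ /^scontext=/) { n = split($i, a, ":"); if (a[n] ~ /^s[0-9]/) n--; st = a[n] }
            if ($i ~ /^tcontext=/) { n = split($i, a, ":"); if (a[n] ~ /^s[0-9]/) n--; tt = a[n] }
            if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
        }
        if (st == "" || tt == "" || cl == "") next
        key = st " " tt ":" cl
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " perm[key] " ", " " p[j] " ") == 0)
                perm[key] = (perm[key] == "") ? p[j] : perm[key] " " p[j]
    }
    END {
        for (k in perm) {
            np = split(perm[k], p, " ")
            rhs = (np > 1) ? "{ " perm[k] " }" : perm[k]
            printf "allow %s %s;\n", k, rhs
        }
    }' | LC_ALL=C sort
}

# flag_generic_targets: read allow rules on stdin and print the ones whose
# target type is too generic to be a sensible grant (file_t is anything
# unlabeled, var_t is everything under /var without a type of its own).
flag_generic_targets() {
    awk '$3 ~ /^(file_t|var_t|unlabeled_t|default_t):/ {
        printf "broad: %s   # label the object with its own type instead\n", $0
    }'
}

# Stand-alone run: print the generated rules, then the ones to reconsider.
rules=$(printf '%s\n' "$AVC_SAMPLE" | avc_to_allow)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | flag_generic_targets
```

On the sample above the converter reproduces the five nscd rules and the ntpd var_t rule
from the post, and the check marks the three that grant nscd_t and ntpd_t access to file_t
and var_t; the var_run_t and unconfined_t rules pass through unflagged, which matches the
author's own split between the rules they trust and the ones they doubt.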