[Freeipa-devel] [PATCH] 259 Fix selinux issue with ldapi

Simo Sorce ssorce at redhat.com
Thu Sep 10 16:03:30 UTC 2009


On Thu, 2009-09-10 at 08:16 -0700, Nathan Kinder wrote:
> On 09/10/2009 07:40 AM, Jenny Galipeau wrote:
> > Simo Sorce wrote:
> >> On Thu, 2009-09-10 at 10:20 -0400, Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> >>>> The management framework wasn't working with SELinux over ldapi 
> >>>> because it lacked permission to access the unix socket. This patch 
> >>>> grants permission.
> >>>>
> >>> Probably easier to review with the patch attached.
> >>
> >> The patch was attached :-)
> >>
> >> One question comes to mind though, you are giving access to any socket
> >> labeled initrc_t (if my selinux policy reading skills are good enough,
> >> which may not be).
> >>
> >> Shouldn't we discuss with the DS team to have a more specific label for
> >> this socket?
> > Nathan is currently working on the DS SELinux policy ...
> There is no SELinux policy for currently released DS versions, so the 
> context cannot be anything DS specific.  I would have guessed that the 
> label would be var_run_t since the ldapi socket should be in 
> /var/run/dirsrv, which would inherit the label from the parent directory.
> 
> In the policy that I'm working on, the ldapi socket has a label of 
> dirsrv_var_run_t.

Thanks, this is what I was looking for.
We will deal with distributing an updated selinux policy once the DS
policy is ready and shipped.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
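The point raised in the thread is that an allow rule written against initrc_t covers every socket carrying that generic label, whereas a DS-specific type such as dirsrv_var_run_t keeps the grant narrow. The script below is an added example, not code from the thread or from the FreeIPA patch: it parses an AVC denial for the ldapi socket, extracts the source and target types, and classifies the target label as generic or specific so that the actual label is checked before any policy is widened. The audit record, the process name (`httpd`) and the socket path are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect an AVC denial for the ldapi unix socket and report
# how broad an allow rule against its target type would be.
# The audit line is CONSTRUCTED; comm, pid and path are assumptions.

SAMPLE_AVC='type=AVC msg=audit(1252600000.123:456): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/var/run/dirsrv/slapd-EXAMPLE.socket" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# Type field is the third colon-separated component of an SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull a key=value attribute out of an audit record ($1 = record, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print "source_type target_type permission" for one AVC denial.
summarize_avc() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr -d ' ')
    printf '%s %s %s\n' "$src" "$tgt" "$perm"
}

# A generic label (initrc_t, var_run_t) means an allow rule would cover every
# socket with that label; a DS-specific type keeps the grant to the ldapi socket.
label_scope() {
    case "$1" in
        dirsrv_var_run_t) echo specific ;;
        initrc_t|var_run_t) echo generic ;;
        *) echo unknown ;;
    esac
}

# On a live system, confirm the label directly with: ls -Z /var/run/dirsrv/
summarize_avc "$SAMPLE_AVC"
label_scope "$(summarize_avc "$SAMPLE_AVC" | cut -d' ' -f2)"
```

Run it against real denials by replacing `SAMPLE_AVC` with output from `ausearch -m AVC`; a result of `generic` is the signal that the rule the patch adds would reach beyond the DS socket until a DS-specific policy ships.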
