[Freeipa-devel] [PATCH] 259 Fix selinux issue with ldapi

Nathan Kinder nkinder at redhat.com
Thu Sep 10 16:50:56 UTC 2009


On 09/10/2009 08:16 AM, Nathan Kinder wrote:
> On 09/10/2009 07:40 AM, Jenny Galipeau wrote:
>> Simo Sorce wrote:
>>> On Thu, 2009-09-10 at 10:20 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> The management framework wasn't working with SELinux over ldapi 
>>>>> because it lacked permission to access the unix socket. This patch 
>>>>> grants permission.
>>>>>
>>>> Probably easier to review with the patch attached.
>>>
>>> The patch was attached :-)
>>>
>>> One question comes to mind though, you are giving access to any socket
>>> labeled initrc_t (if my selinux policy reading skills are good enough,
>>> which may not be).
>>>
>>> Shouldn't we discuss with the DS team to have a more specific label for
>>> this socket ?
>> Nathan is currently working on the DS SELinux policy ...
> There is no SELinux policy for currently released DS versions, so the 
> context can not be anything DS specific.  I would have guessed that 
> the label would be var_run_t since the ldapi socket should be in 
> /var/run/dirsrv, which would inherit the label from the parent directory.
I want to correct myself just to avoid confusion.  The ldapi socket will 
be in /var/run, not /var/run/dirsrv.  It was moved a while back to be in 
a more standard location.  I'm pretty sure that Rob has already 
encountered this, but I didn't want to spread any incorrect information.
>
> In the policy that I'm working on, the ldapi socket has a label of 
> dirsrv_var_run_t.
>>> Simo.
>>>
>>
>>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
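To make the concern about "any socket labeled initrc_t" concrete, here is an added example (not code from the patch, FreeIPA, or 389 DS) that models the two SELinux checks a client needs to pass to connect() to a unix-domain socket: `sock_file write` on the socket inode's type (what `ls -Z` shows) and `unix_stream_socket connectto` on the domain of the process listening on it (what `ps -Z` shows). The client domain `ipa_t`, the server domain `dirsrv_t`, the socket paths and the rules are constructed placeholders; `var_run_t`, `initrc_t` and `dirsrv_var_run_t` are the types named in the thread. Directory search permissions along the path are left out of the model.

```python
"""Simplified model of SELinux access checks for connecting to an LDAPI socket.

Added example, not code from the FreeIPA or 389 DS projects. The domains
ipa_t and dirsrv_t, the socket paths and all allow rules are constructed.
"""
from typing import List, NamedTuple, Tuple


class AllowRule(NamedTuple):
    source: str   # client (subject) domain
    target: str   # file type or server process domain
    tclass: str   # object class, e.g. "sock_file"
    perm: str     # permission, e.g. "write"


class Socket(NamedTuple):
    path: str
    file_type: str      # label of the socket inode, as shown by `ls -Z`
    server_domain: str  # domain of the listening process, as shown by `ps -Z`


def allowed(rules: List[AllowRule], source: str, target: str, tclass: str, perm: str) -> bool:
    return AllowRule(source, target, tclass, perm) in rules


def can_connect(rules: List[AllowRule], client_domain: str, sock: Socket) -> Tuple[bool, List[str]]:
    """Return (ok, denied) where denied lists the checks that would produce an AVC denial."""
    checks = [
        (sock.file_type, "sock_file", "write"),                   # checked against the inode label
        (sock.server_domain, "unix_stream_socket", "connectto"),  # checked against the server's domain
    ]
    denied = [f"{client_domain} -> {t}:{c} {p}"
              for t, c, p in checks if not allowed(rules, client_domain, t, c, p)]
    return (not denied, denied)


def reachable_sockets(rules: List[AllowRule], client_domain: str, sockets: List[Socket]) -> List[str]:
    return [s.path for s in sockets if can_connect(rules, client_domain, s)[0]]


# Constructed inventory before a DS-specific policy exists: the ldapi socket in
# /var/run inherits var_run_t, and DS (started from its init script) runs in
# initrc_t, as does some unrelated daemon without a policy of its own.
UNLABELED_SOCKETS = [
    Socket("/var/run/EXAMPLE-ldapi.socket", "var_run_t", "initrc_t"),
    Socket("/var/run/EXAMPLE-other.socket", "var_run_t", "initrc_t"),
]

# Broad fix (constructed): the connectto rule names initrc_t, so it also covers
# every other initrc_t daemon's socket.
BROAD_RULES = [
    AllowRule("ipa_t", "var_run_t", "sock_file", "write"),
    AllowRule("ipa_t", "initrc_t", "unix_stream_socket", "connectto"),
]

# Scoped fix once DS has its own policy: the socket carries dirsrv_var_run_t
# and the server runs in a hypothetical dirsrv_t domain.
SCOPED_SOCKETS = [
    Socket("/var/run/EXAMPLE-ldapi.socket", "dirsrv_var_run_t", "dirsrv_t"),
    Socket("/var/run/EXAMPLE-other.socket", "var_run_t", "initrc_t"),
]
SCOPED_RULES = [
    AllowRule("ipa_t", "dirsrv_var_run_t", "sock_file", "write"),
    AllowRule("ipa_t", "dirsrv_t", "unix_stream_socket", "connectto"),
]

if __name__ == "__main__":
    print("broad :", reachable_sockets(BROAD_RULES, "ipa_t", UNLABELED_SOCKETS))
    print("scoped:", reachable_sockets(SCOPED_RULES, "ipa_t", SCOPED_SOCKETS))
    print("denied:", can_connect(SCOPED_RULES, "ipa_t", SCOPED_SOCKETS[1])[1])
```

Running it shows the broad rule set reaching both sockets while the scoped set reaches only the ldapi socket and reports both denials for the unrelated daemon; on a real host the same two facts come from `ls -Z` on the socket file and `ps -eZ` for the listening process.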