SELinux and gitosis (FC11)
Daniel J Walsh
dwalsh at redhat.com
Tue Jul 7 14:28:22 UTC 2009
On 07/07/2009 09:07 AM, Jonathan Stott wrote:
> 2009/7/7 Daniel J Walsh<dwalsh at redhat.com>:
>> So you intended on using the guest_t user? What does the te file created by
>> audit2allow look like?
>>
>> I think the problem here is the guest_t user is running at s0 and trying to
>> write to a fifo_file at s0-s0:c0.c1023
>>
>> If you take the above audit messages and run them through audit2why, what
>> does the tool say?
>>
>
> It says the errors were caused by:
> Was caused by:
> Policy constraint violation.
>
> May require adding a type attribute to the domain or type to satisfy
> the constraint.
>
> Constraints are defined in the policy sources in policy/constraints
> (general), policy/mcs (MCS), and policy/mls (MLS).
>
> And when I run them through audit2why, it gives me
>
> #============= guest_t ==============
> allow guest_t sshd_t:fifo_file write;
>
> Which looks vaguely sane to my untrained eye.
>
> I'm not particularly wedded to the guest user in specific, but I would
> prefer it to have a minimal privilege user, since it has no need to do
> anything but manage the git repositories in the home directory.
>
> Regards
> Jon
Ok I think the easiest thing for you to do now is change the range of
the login user.

# semanage user -m -r s0-s0:c0.c1023 guest_u
# semanage login -m -r s0-s0:c0.c1023 __default__

(If you use a user other than __default__ you would need to change this
also.)

I will send a patch to F11 to allow communications to fifo_files running
at different levels.
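To see why audit2why reports a policy constraint violation here, and why widening the login range clears it, the following is an added Python model of the MCS level check; it is my own example, not code from this thread or from the SELinux tools. It assumes the simplified rule that a write needs the subject's high level to dominate (same or higher sensitivity, superset of categories) the object's high level, and the context strings fed to it are constructed samples in the shape of the ones discussed above (guest_t at s0, sshd_t's fifo at s0-s0:c0.c1023).

```python
import re

# Highest category in the stock targeted policy (c0.c1023), per the range above.
MAX_CATEGORY = 1023


def parse_categories(spec):
    """Expand a category spec such as 'c0.c1023' or 'c1,c3.c5' into a set of ints.
    A missing spec (plain 's0') means no categories at all."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or hi > MAX_CATEGORY:
            raise ValueError(f"category range out of order or too large: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """'s0:c0.c1023' -> (0, {0, ..., 1023}); 's0' -> (0, set())."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", level)
    if not m:
        raise ValueError(f"bad MCS level: {level!r}")
    return int(m.group(1)), parse_categories(m.group(2))


def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level 's0' is its own low and high."""
    if "-" in rng:
        low, high = rng.split("-", 1)
    else:
        low = high = rng
    return parse_level(low), parse_level(high)


def range_of_context(ctx):
    """Pull the range out of 'user:role:type:range'; the range itself may contain ':'."""
    fields = ctx.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context has no range field: {ctx!r}")
    return fields[3]


def dominates(a, b):
    """Level a dominates level b when its sensitivity is >= and its categories are a superset."""
    sens_a, cats_a = a
    sens_b, cats_b = b
    return sens_a >= sens_b and cats_a >= cats_b


def mcs_write_allowed(subject_range, object_range):
    """Simplified MCS write constraint (assumption): h1 dom h2, i.e. the subject's
    high level must dominate the object's high level."""
    _, h1 = parse_range(subject_range)
    _, h2 = parse_range(object_range)
    return dominates(h1, h2)


def explain(scontext, tcontext):
    """Human-readable verdict for a constructed scontext/tcontext pair."""
    s_rng = range_of_context(scontext)
    t_rng = range_of_context(tcontext)
    verdict = "allowed" if mcs_write_allowed(s_rng, t_rng) else "constraint violation"
    return f"write from {s_rng} to {t_rng}: {verdict}"


if __name__ == "__main__":
    # Constructed samples: guest_t logged in at s0 (before) and at the widened range (after).
    fifo = "system_u:system_r:sshd_t:s0-s0:c0.c1023"
    print(explain("guest_u:guest_r:guest_t:s0", fifo))
    print(explain("guest_u:guest_r:guest_t:s0-s0:c0.c1023", fifo))
```

Running the block prints a violation for the s0 login and an allowed verdict once the login range matches the fifo's s0-s0:c0.c1023, which is exactly the effect of the two semanage commands above: they do not add an allow rule, they make the subject's high level dominate the object's.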