SELinux and gitosis (FC11)

Miroslav Grepl mgrepl at redhat.com
Mon Jul 13 07:42:05 UTC 2009


On 07/07/2009 04:28 PM, Daniel J Walsh wrote:
> On 07/07/2009 09:07 AM, Jonathan Stott wrote:
>> 2009/7/7 Daniel J Walsh<dwalsh at redhat.com>:
>>> So you intended on using the guest_t user?  What does the te file created by
>>> audit2allow look like?
>>>
>>> I think the problem here is the guest_t user is running at s0 and trying to
>>> write to a fifo_file at s0-s0:c0.c1023
>>>
>>> If you take the above audit messages and run them through audit2why, what
>>> does the tool say?
>>>
>>
>> It says the errors were caused by:
>>     Was caused by:
>>         Policy constraint violation.
>>
>>         May require adding a type attribute to the domain or type to satisfy
>>         the constraint.
>>
>>         Constraints are defined in the policy sources in policy/constraints
>>         (general), policy/mcs (MCS), and policy/mls (MLS).
>>
>> And running them through audit2why gives me
>>
>> #============= guest_t ==============
>> allow guest_t sshd_t:fifo_file write;
>>
>> Which looks vaguely sane to my untrained eye.
>>
>> I'm not particularly wedded to the guest user in specific, but I would
>> prefer it to have a minimal privilege user, since it has no need to do
>> anything but manage the git repositories in the home directory.
>>
>> Regards
>> Jon
>
> Ok I think the easiest thing for you to do now is change the range of the
> login user.
>
> # semanage  user -m -r s0-s0:c0.c1023 guest_u
> # semanage  login -m -r s0-s0:c0.c1023 __default__
>
> (If you use a user other than __default__ you would need to change this
> also.)
>
> I will send a patch to F11 to allow communications to fifo_files running at
> different levels.
>
The patch has been added to selinux-policy-3.6.12-65.fc11

Regards
Miroslav
>
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
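
The exchange above as an added worked example; this is not code from the thread and not code from selinux-policy. The script parses an AVC record, models the MCS write constraint as "the high level of the subject must dominate the high level of the object" (sensitivity not lower, category set a superset; that modelling is this example's assumption, policy/mcs in the policy sources is the authoritative text), and shows why guest_t at s0 cannot write to a fifo_file at s0-s0:c0.c1023 while guest_t at s0-s0:c0.c1023 can, which is what the two semanage commands arrange. The AVC line is constructed (the thread does not quote the raw audit messages) and the function names are this example's own.

```python
"""Added example for the thread above; not code from the thread or from
selinux-policy. Models the MCS check behind the "Policy constraint
violation" that audit2why reported for guest_t (at s0) writing to a
sshd_t fifo_file (at s0-s0:c0.c1023).

Assumptions made here: the MCS write constraint is modelled as "the high
level of the subject must dominate the high level of the object" (equal
or higher sensitivity, superset of categories); policy/mcs in the policy
sources is the authoritative text. SAMPLE_AVC is a constructed record;
the thread does not quote the raw audit messages."""
import re

SAMPLE_AVC = (
    'type=AVC msg=audit(1246960000.123:456): avc:  denied  { write } for  '
    'pid=1234 comm="git-shell" path="pipe:[12345]" dev=pipefs ino=12345 '
    'scontext=guest_u:guest_r:guest_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fifo_file'
)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'\{ ([^}]*) \}')


def avc_fields(record):
    """key=value pairs of an AVC record as a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD.findall(record)}


def avc_perms(record):
    """The permissions inside '{ ... }' of a denial, as a set."""
    m = _PERMS.search(record)
    return set(m.group(1).split()) if m else set()


def parse_categories(cats):
    """Expand 'c0.c1023' / 'c0,c5.c7' into a set of category numbers."""
    out = set()
    for part in filter(None, cats.split(',')):
        if '.' in part:
            lo, hi = part.split('.')
            out.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(int(part[1:]))
    return out


def parse_level(level):
    """'s0:c0.c1023' -> (0, {0, ..., 1023}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(':')
    return int(sens[1:]), parse_categories(cats)


def split_range(rng):
    """'s0-s0:c0.c1023' -> (low level, high level); a single level is its own high."""
    low, _, high = rng.partition('-')
    return parse_level(low), parse_level(high or low)


def context_range(ctx):
    """The range (everything after user:role:type) of a security context."""
    parts = ctx.split(':', 3)
    if len(parts) < 4:
        raise ValueError(f'no MLS/MCS range in context {ctx!r}')
    return parts[3]


def dominates(a, b):
    """Level a dominates level b: sensitivity not lower, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_write_allowed(scontext, tcontext):
    """Modelled constraint: the subject's high level must dominate the object's."""
    _, s_high = split_range(context_range(scontext))
    _, t_high = split_range(context_range(tcontext))
    return dominates(s_high, t_high)


def diagnose(record):
    """'constraint' when the modelled MCS rule blocks a write-type denial,
    'type-enforcement' otherwise (where an allow rule is the fix)."""
    f = avc_fields(record)
    if 'write' in avc_perms(record) and not mcs_write_allowed(f['scontext'], f['tcontext']):
        return 'constraint'
    return 'type-enforcement'


def remediation(seuser='guest_u', login='__default__'):
    """The two commands from the thread: give the SELinux user and the login
    mapping the full category range so the subject's high level dominates."""
    return [
        f'semanage user -m -r s0-s0:c0.c1023 {seuser}',
        f'semanage login -m -r s0-s0:c0.c1023 {login}',
    ]


if __name__ == '__main__':
    f = avc_fields(SAMPLE_AVC)
    print(f"{f['scontext']} -> {f['tcontext']} ({f['tclass']}): {diagnose(SAMPLE_AVC)}")
    print('after the range change:',
          mcs_write_allowed('guest_u:guest_r:guest_t:s0-s0:c0.c1023', f['tcontext']))
    for cmd in remediation():
        print('  #', cmd)
```

Run it as a script and it prints the classification of the constructed denial and the semanage commands without executing them (they change policy and need root). The point the model makes visible is the one audit2why was making: the `allow guest_t sshd_t:fifo_file write;` rule that audit2allow produced does not help, because the denial comes from a constraint rather than from a missing type-enforcement rule, so the fix is either the range change on guest_u and the login mapping or a policy that permits the cross-level fifo_file write, which is what the selinux-policy-3.6.12-65.fc11 patch mentioned in the thread provides.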
