[Freeipa-devel] [PATCH] 259 Fix selinux issue with ldapi
Nathan Kinder
nkinder at redhat.com
Thu Sep 10 15:16:24 UTC 2009
On 09/10/2009 07:40 AM, Jenny Galipeau wrote:
> Simo Sorce wrote:
>> On Thu, 2009-09-10 at 10:20 -0400, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> The management framework wasn't working with SELinux over ldapi
>>>> because it lacked permission to access the unix socket. This patch
>>>> grants permission.
>>>>
>>> Probably easier to review with the patch attached.
>>
>> The patch was attached :-)
>>
>> One question comes to mind though, you are giving access to any socket
>> labeled initrc_t (if my selinux policy reading skills are good enough,
>> which may not be).
>>
>> Shouldn't we discuss with the DS team to have a more specific label for
>> this socket ?
> Nathan is currently working on the DS SELinux policy ...
There is no SELinux policy for currently released DS versions, so the
context can not be anything DS specific. I would have guessed that the
label would be var_run_t since the ldapi socket should be in
/var/run/dirsrv, which would inherit the label from the parent directory.
In the policy that I'm working on, the ldapi socket has a label of
dirsrv_var_run_t.
>> Simo.
>>
>
>