SELinux Mailing List

Re: logwatch tries to look at avahi, avahi needs to use winbind

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Wed, 02 May 2007 16:25:46 -0400


Christopher J. PeBenito wrote:

> On Fri, 2007-04-20 at 14:54 -0400, dwalsh@redhat.com wrote:
>   
>> --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-04-10 12:52:58.000000000 -0400
>> +++ serefpolicy-2.5.12/policy/modules/admin/logwatch.te	2007-04-11 17:07:34.000000000 -0400
>> @@ -95,6 +95,10 @@
>>  ')
>>  
>>  optional_policy(`

>> + avahi_dontaudit_search_pid(logwatch_t)
>> +') >> + >> +optional_policy(` >> bind_read_config(logwatch_t) >> bind_read_zone(logwatch_t) >> ') >> --- nsaserefpolicy/policy/modules/services/avahi.if 2007-01-02 12:57:43.000000000 -0500 >> +++ serefpolicy-2.5.12/policy/modules/services/avahi.if 2007-04-11 17:07:34.000000000 -0400 >> @@ -39,3 +39,22 @@ >> files_search_pids($1) >> stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t) >> ') >> + >> +######################################## >> +## <summary> >> +## Do not audit attempts to search the AVAHI pid directory. >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed access. >> +## </summary> >> +## </param> >> +# >> +interface(`avahi_dontaudit_search_pid',`
>> + gen_require(`
>> + type avahi_var_run_t;
>> + ')
>> +
>> + dontaudit $1 avahi_var_run_t:dir search_dir_perms;
>> +') >> + >> --- nsaserefpolicy/policy/modules/services/avahi.te 2007-03-20 23:38:05.000000000 -0400 >> +++ serefpolicy-2.5.12/policy/modules/services/avahi.te 2007-04-18 16:04:51.000000000 -0400 >> @@ -105,3 +105,7 @@ >> optional_policy(` >> udev_read_db(avahi_t) >> ') >> + >> +optional_policy(`
>> + samba_stream_connect_winbind(avahi_t)
>> +') >>
>
> Merged except for this last part. I can't find any reference in the
> avahi code or wiki for it connecting to winbind.
>

Right, turns out avahi uses nsswitch, and this is causing the avc. Attached patch to switch to using nsswitch.
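
Review bot: In the logwatch.te hunk, the new optional_policy block that calls avahi_dontaudit_search_pid(logwatch_t) carries no comment saying why logwatch reaches into avahi's pid directory, and a dontaudit rule hides the denial from the audit log rather than resolving it. Add a one-line comment above the call naming the logwatch behaviour that triggers the search, so a later reader can tell the silencing is deliberate.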
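
Review bot: In the avahi.if hunk, the parameter summary for avahi_dontaudit_search_pid reads "Domain allowed access.", but the interface body is a dontaudit rule and grants nothing; change it to "Domain to not audit." so the generated documentation matches the rule. The name is also singular (_search_pid) while the context line just above it uses files_search_pids($1), so consider _search_pids for consistency, and drop the blank "+" line added after the closing ').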
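
Review bot: In the avahi.te hunk, samba_stream_connect_winbind(avahi_t) is added with no comment tying avahi to winbind, so nothing in the policy explains why avahi_t should be able to connect to the winbind socket. The reply in this thread traces the denial to avahi's use of nsswitch; express the access through the policy's nsswitch interface instead of a direct samba call, or add a comment stating which avahi code path needs the connection.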


Received on Wed 2 May 2007 - 16:25:50 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service