one-script policy
Dominick Grift
dominick.grift at gmail.com
Tue Nov 12 22:45:50 UTC 2013
On Tue, 2013-11-12 at 17:31 -0500, m.roth at 5-cent.us wrote:
> Ok, gents,
>
> I see it that creating the type worked, and I see
> dbus: avc: received policyload notice (seqno=988)
> after I applied the new type... but then I'm still seeing selinux avcs (it
> is in permissive mode), such as
> setroubleshoot: SELinux is preventing /usr/bin/sudo from search access on
> the directory /proc/<pid>/stat.
> and
> setroubleshoot: SELinux is preventing /usr/bin/sudo from open access on
> the file /var/log/sudo.log.
>
Yes, SELinux still prevents access to sudo. The point is that now the
script should run in the httpd_myapp_script_t domain instead of the
httpd_sys_script_t domain.
Now you can use audit2allow to extend the httpd_myapp_script_t domain.
This enables you to leave the httpd_sys_script_t domain untouched.
That was the initial goal.
> Does apache have to be restarted for it to realize that the selinux file
> context has changed?
>
Have a look. The new AVC denials should be about httpd_myapp_script_t,
and not httpd_sys_script_t.
Generally you do not need to restart Apache.
> mark
>
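The workflow Dominick describes, as an added example that is not part of the original thread: confirm that the remaining denials now come from httpd_myapp_script_t rather than httpd_sys_script_t, and feed only those records to audit2allow so the generated module extends the new domain and leaves httpd_sys_script_t alone. The AVC records below are constructed to match the sudo denials mentioned above (search on a /proc directory, open on /var/log/sudo.log) plus one leftover httpd_sys_script_t record; they are not captured log data, and the target contexts in them are assumptions.

```shell
#!/bin/sh
# Constructed AVC records (not captured from a real system). scontext is the
# source (subject) context; its third field is the domain the script ran in.
SAMPLE_AVCS='type=AVC msg=audit(1384295400.100:990): avc:  denied  { search } for  pid=2345 comm="sudo" name="2345" dev="proc" ino=4096 scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:system_r:httpd_myapp_script_t:s0 tclass=dir
type=AVC msg=audit(1384295400.200:991): avc:  denied  { open } for  pid=2345 comm="sudo" path="/var/log/sudo.log" dev="dm-0" ino=8192 scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1384295300.500:975): avc:  denied  { open } for  pid=2201 comm="sudo" path="/var/log/sudo.log" dev="dm-0" ino=8192 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Print the distinct source types seen in the AVC records on stdin.
# After the relabel, only httpd_myapp_script_t should keep appearing.
avc_source_types() {
    grep 'avc:' | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# Print only the AVC records whose source type is $1.
avc_for_type() {
    grep 'avc:' | grep "scontext=[^:]*:[^:]*:$1:"
}

# Count the AVC records whose source type is $1.
avc_count_for_type() {
    avc_for_type "$1" | wc -l | tr -d ' '
}

# Build a policy module from the denials of one domain only ($1), named $2.
# Filtering before audit2allow is what keeps httpd_sys_script_t untouched.
# Skips cleanly when the tool is not installed so the example runs anywhere.
build_module_for_type() {
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not installed; skipping module build for $1" >&2
        return 0
    fi
    avc_for_type "$1" | audit2allow -M "$2"
    echo "review $2.te before loading it, then: semodule -i $2.pp" >&2
}

# Stand-alone demo over the constructed records.
echo "source types seen:"
printf '%s\n' "$SAMPLE_AVCS" | avc_source_types
echo "httpd_myapp_script_t denials: $(printf '%s\n' "$SAMPLE_AVCS" | avc_count_for_type httpd_myapp_script_t)"
echo "httpd_sys_script_t denials:   $(printf '%s\n' "$SAMPLE_AVCS" | avc_count_for_type httpd_sys_script_t)"
printf '%s\n' "$SAMPLE_AVCS" | build_module_for_type httpd_myapp_script_t httpd_myapp_local
```

On a real host, replace the constructed variable with `cat /var/log/audit/audit.log` (or `ausearch -m avc`) as the input, and check the script's label with `ls -Z` first: an httpd_sys_script_t record with a timestamp newer than the relabel means the file context did not take, not that Apache needs a restart.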