F18, selinux & sensors
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 12 15:46:57 UTC 2013
On 04/12/2013 09:41 AM, Cristian Sava wrote:
> Hi all,
>
> I want to monitor hardware temperatures using sensors. sensors is working
> ok launched in a terminal, but I want to display the output on the web. So I
> have this simple php:
>
> <?php echo exec('/var/www/cgi-bin/my_sensors.sh'); ?>
>
> and my_sensors.sh in cgi-bin:
>
> #!/usr/bin/bash
> /usr/bin/sensors
> exit
>
> Why is the problem shown in /var/log/messages (and a blank web page)? sensors
> is supposed to run ok, isn't it?
> my_sensors launches sensors = OK
> sensors tries i2c-adapter = deny
> Do I miss something?
>
> setroubleshoot: SELinux is preventing /usr/bin/sensors from read access on
> the directory i2c-adapter. For complete SELinux messages. run sealert -l
> 94ef69e6-5109-4c22-b464-ef220948dd6a
>
> [root at s194 cgi-bin]# sealert -l 94ef69e6-5109-4c22-b464-ef220948dd6a
> SELinux is preventing /usr/bin/sensors from read access on the directory
> i2c-adapter.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that sensors should be allowed read access on the
> i2c-adapter directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep sensors /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:httpd_sys_script_t:s0
> Target Context                system_u:object_r:sysfs_t:s0
> Target Objects                i2c-adapter [ dir ]
> Source                        sensors
> Source Path                   /usr/bin/sensors
> Port                          <Unknown>
> Host                          s194.central.ucv.ro
> Source RPM Packages           lm_sensors-3.3.2-5.fc18.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.11.1-87.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     s194.central.ucv.ro
> Platform                      Linux s194.central.ucv.ro 3.8.6-203.fc18.x86_64
>                               #1 SMP Tue Apr 9 19:33:01 UTC 2013 x86_64 x86_64
> Alert Count                   2
> First Seen                    2013-04-12 15:59:12 EEST
> Last Seen                     2013-04-12 15:59:13 EEST
> Local ID                      94ef69e6-5109-4c22-b464-ef220948dd6a
>
> Raw Audit Messages
> type=AVC msg=audit(1365771553.642:434): avc: denied { read } for pid=5314
> comm="sensors" name="i2c-adapter" dev="sysfs" ino=15234
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
>
>
> type=SYSCALL msg=audit(1365771553.642:434): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=7fff2e427650 a2=90800 a3=0
> items=0 ppid=5313 pid=5314 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=sensors
> exe=/usr/bin/sensors subj=system_u:system_r:httpd_sys_script_t:s0
> key=(null)
>
> Hash: sensors,httpd_sys_script_t,sysfs_t,dir,read
>
> audit2allow
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t sysfs_t:dir read;
>
> audit2allow -R
> require {
>         type httpd_sys_script_t;
> }
>
> #============= httpd_sys_script_t ==============
> dev_list_sysfs(httpd_sys_script_t)
>
>
> [root at s194 cgi-bin]#
>
> C. Sava
>
>
Well I guess you have two choices: either allow this access to apache cgi
scripts, using audit2allow -M mysensors,
or you could generate new policy for your script to run under its own context.

You might want to first make the httpd_sys_script_t domain permissive to see all of
the AVCs that are generated:

semanage permissive -a httpd_sys_script_t

Your test should probably succeed now, and use

ausearch -m avc -ts recent

to see all the AVCs.

ausearch -m avc -ts recent | audit2allow -M mysensors

would generate a policy module to allow this access.

Or you could write policy for your cgi script using

sepolicy generate --cgi PATHTOCGI
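The reply above leans on audit2allow to turn collected AVC records into allow rules. As an added example, not code from the thread and not audit2allow itself, the script below does the same translation on a small constructed audit log: the AVC quoted in the post plus two invented follow-on denials of the kind a permissive run of httpd_sys_script_t would surface. It parses the records, merges permissions per (source type, target type, class) the way audit2allow does, prints the resulting .te rules, and flags rules that widen a domain shared by unrelated programs, which is the reason the reply offers a dedicated domain via sepolicy generate as the alternative. The SHARED_DOMAINS list and the extra sample lines are assumptions of this example.

```python
"""Minimal stand-in for the audit2allow step: AVC records -> allow rules.

Added example, not part of the thread and not the real audit2allow.
"""
import re
from collections import defaultdict

# Constructed input (not a real log): the AVC quoted in the post, the
# SYSCALL record that accompanies it (skipped, it carries no access vector),
# and two invented follow-on denials from a hypothetical permissive run.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1365771553.642:434): avc:  denied  { read } for  pid=5314 comm="sensors" name="i2c-adapter" dev="sysfs" ino=15234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1365771553.642:434): arch=x86_64 syscall=openat success=no exit=EACCES comm=sensors exe=/usr/bin/sensors
type=AVC msg=audit(1365771560.101:435): avc:  denied  { search } for  pid=5315 comm="sensors" name="i2c-adapter" dev="sysfs" ino=15234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1365771560.105:436): avc:  denied  { read open } for  pid=5315 comm="sensors" name="temp1_input" dev="sysfs" ino=15301 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

# Assumption for the review step: domains that many unrelated programs run
# in, so any allow rule granted to them is granted to all of those programs.
SHARED_DOMAINS = {"httpd_sys_script_t", "httpd_t"}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avcs(log_text):
    """Return one dict per AVC record; non-AVC records are ignored."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        records.append({
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": comm.group(1) if comm else "",
        })
    return records


def aggregate_rules(records):
    """Merge denials into (stype, ttype, tclass) -> sorted permission list."""
    merged = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {key: sorted(perms) for key, perms in merged.items()}


def format_te(rules):
    """Render rules in the allow-rule layout audit2allow prints."""
    by_domain = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        by_domain[stype].append((ttype, tclass, perms))
    lines = []
    for stype in sorted(by_domain):
        lines.append(f"#============= {stype} ==============")
        for ttype, tclass, perms in by_domain[stype]:
            p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            lines.append(f"allow {stype} {ttype}:{tclass} {p};")
    return "\n".join(lines)


def review(rules):
    """Flag rules whose source domain is shared by unrelated programs."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype in SHARED_DOMAINS:
            warnings.append(
                f"allow {stype} {ttype}:{tclass} {' '.join(perms)} applies to every "
                f"process in {stype}, not only the sensors script; consider a "
                f"dedicated domain (sepolicy generate --cgi)"
            )
    return warnings


if __name__ == "__main__":
    generated = aggregate_rules(parse_avcs(SAMPLE_AUDIT_LOG))
    print(format_te(generated))
    for w in review(generated):
        print("WARNING:", w)
```

Run it and compare the printed rules with what `ausearch -m avc -ts recent | audit2allow -M mysensors` writes into mysensors.te; the warning lines are the review step a practitioner should do by hand before `semodule -i`, since the catch-all rule grants sysfs access to every CGI script on the host, not just my_sensors.sh.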