On 06/28/2010 04:08 AM, Vadym Chepkov wrote:
> Hi,
> I configured svnsync to be triggered from a subversion hook, to maintain remote replicas.
> I had my own type for hooks defined, so audit2allow shows it.
> This is what it suggests:
> require {
> type httpd_svn_script_t;
> class netlink_route_socket { write getattr read bind create nlmsg_read };
> }
> #============= httpd_svn_script_t ==============
> allow httpd_svn_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> kernel_read_kernel_sysctls(httpd_svn_script_t)
> I am kind of concerned about the kernel bits; why svnsync would need it, I have no clue.
> Also I can see a boolean httpd_can_network_relay, which is set to off by default and is
> not documented in man httpd_selinux.
> Could it be related somehow?
That boolean seems to not be related:
$ sesearch -SC --allow -s httpd_t | grep httpd_can_network_relay | less
DT allow httpd_t gopher_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t memcache_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_cache_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t ftp_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t ftp_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t http_cache_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t gopher_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t memcache_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
Although I am currently not using Fedora's httpd policy, so yours may differ.
I couldn't find the svn module on short notice either, so I am not able to verify either.
So with the information I do have, httpd domains currently aren't able to create netlink sockets.
Try to figure out why your web app needs it, and if legit, use audit2allow to permit it.
> Thanks,
> Vadym Chepkov
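The reply above settles "is this boolean related?" by eyeballing grep output. The following is an added example, not code from the thread or from the SELinux reference policy: two shell functions that parse sesearch output and answer mechanically which rules a boolean gates and whether any of them touch a given object class (here netlink_route_socket). SESEARCH_SAMPLE is a constructed sample in the older setools "DT allow ... ; [ bool ]" layout quoted in the thread; the rule gated by httpd_can_network_connect and the unconditional file rule are constructed too. On a live system you would pipe the real `sesearch -SC --allow -s httpd_t` output into the functions instead (newer setools prints conditional rules in a different layout, so the field parsing is an assumption tied to this format).

```shell
#!/bin/sh
# Added example: check which rules an SELinux boolean gates by parsing
# sesearch output. Constructed sample in the format quoted in the thread.
SESEARCH_SAMPLE='DT allow httpd_t gopher_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow httpd_t http_client_packet_t : packet { send recv } ; [ httpd_can_network_relay ]
DT allow httpd_t port_t : tcp_socket name_connect ; [ httpd_can_network_connect ]
allow httpd_t httpd_log_t : file { append create getattr } ;'

# rules_gated_by BOOL: read sesearch lines on stdin and print
# "source target class" for every conditional rule whose trailing
# "[ expr ]" mentions BOOL as a whole word. Unconditional rules are skipped.
rules_gated_by() {
    bool="$1"
    awk -v b="$bool" '
        /\[.*\][ ]*$/ {
            expr = $0
            sub(/.*\[ */, "", expr)      # keep only the conditional expression
            sub(/ *\][ ]*$/, "", expr)
            # the expression may combine several booleans, so match a whole word
            if (expr ~ ("(^|[^A-Za-z0-9_])" b "([^A-Za-z0-9_]|$)")) {
                for (i = 1; i <= NF; i++) if ($i == "allow") break
                # layout: allow <source> <target> : <class> <perms> ; [ expr ]
                print $(i + 1), $(i + 2), $(i + 4)
            }
        }'
}

# bool_gates_class BOOL CLASS: print "yes" if any rule gated by BOOL grants
# permissions on object class CLASS, otherwise "no". Reads sesearch on stdin.
bool_gates_class() {
    if rules_gated_by "$1" | awk -v c="$2" '$3 == c { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# Usage on the constructed sample: does httpd_can_network_relay gate netlink
# route sockets? (prints "no", matching the conclusion in the thread)
printf '%s\n' "$SESEARCH_SAMPLE" | bool_gates_class httpd_can_network_relay netlink_route_socket
```

Against a real policy, replace the printf with the live query, e.g. `sesearch -SC --allow -s httpd_svn_script_t | bool_gates_class httpd_can_network_relay netlink_route_socket`; a "no" means toggling that boolean cannot be the fix, and the denial has to be explained by the hook's own behaviour before a local module is written for it.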
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux