Setting Squid free in the shell
by Roger Grosswiler
Hi,
need a quick help, try to get squid running, but get the read avc denied.
If i want to give free squid in selinux, i have to set those, isn't it?
setsebool -P squid_disable_trans active
and then i have to fixfiles relabel
??
Thanks for your help.
Roger
18 years, 11 months
- 1
- 0
Unable to create files when using "context" option for NFS
by Robert Bottomley
In FC3 (running kernel 2.6.11-1.27_FC3smp and
selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use
by Apache. In /etc/fstab, I have:
ozone:/usr/local/svn /svn nfs
rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192
0 0
Any attempts to create a file in /svn are met with (here I was attempting a
"touch x"):
audit(1117233333.027:0): avc: denied { associate } for pid=12795
exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t
tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
It does not matter what context I specify, I cannot create a file -- even
though my shell is running as unconfined_t. (If a file already exists, I can
edit it.)
So the questions are:
1. Is this a bug? Should I not be able to create a file when running in the
unconfined_t context?
2. Audit2allow tells me that I need to add:
allow httpd_sys_script_rw_t self:filesystem associate;
but if unconfined_t context cannot write, then will something in
httpd_sys_script_rw_t be able to?
sestatus
========
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file:targeted
Policy booleans:
allow_ypbind active
dhcpd_disable_trans inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified inactive
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zonesinactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_transinactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
use_syslogng inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive
--
Robert Bottomley | E-mail: bob(a)cert.ucr.edu
System Administrator | Tel: 951-781-5788
College of Engineering | It is dangerous to be right
Center for Environmental | CE-CERT when the government is wrong.
Research and Technology | UC Riverside --Voltaire
18 years, 11 months
- 1
- 0
HELP: transition denied regardless of policy?
by Aleksander Adamowski
Hi!
I'm having a problem with FC3 strict policy. Basically, I've customised
the policy to cover all that I need on that system, but there's one last
denial that I'm unable to remedy:
May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc:
denied { transition } for pid=11773 exe=/bin/bash
path=/home/twiki/bin/mailnotify dev=hda1 ino=51463
scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t
tclass=process
(where /home/twiki/bin/mailnotify has a context of
system_u:object_r:twiki_exec_t.)
This is directly related to my twiki.te policy:
#BEGIN
daemon_domain(twiki)
var_lib_domain(twiki)
domain_auto_trans(httpd_t, twiki_exec_t, twiki_t)
# daemon_domain(twiki) gets this done anyway:
#role_transition sysadm_r twiki_exec_t system_r;
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
# domain_auto_tras should do it, but duplicating it doesn't hurt:
role sysadm_r types twiki_t;
allow sysadm_crond_t twiki_t:process transition;
# exe=/usr/bin/perl path=/etc/ld.so.cache :
allow twiki_t etc_t:file { getattr read };
allow httpd_t twiki_exec_t:dir { getattr search };
allow httpd_t twiki_exec_t:file ioctl;
allow httpd_t twiki_var_lib_t:dir { getattr read search };
allow httpd_t twiki_var_lib_t:file { append getattr ioctl read };
allow twiki_t bin_t:dir { search };
allow twiki_t bin_t:file { getattr };
allow twiki_t crond_t:fifo_file { ioctl read write };
allow twiki_t home_root_t:dir { search };
allow twiki_t twiki_exec_t:dir { search };
allow twiki_t urandom_device_t:chr_file { read };
allow twiki_t unlabeled_t:dir { getattr read search };
allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_t:tcp_socket ioctl;
allow httpd_sys_script_t twiki_var_lib_t:dir { add_name remove_name
search write };
allow httpd_sys_script_t twiki_var_lib_t:file { create getattr read
unlink };
allow httpd_t twiki_var_lib_t:dir { add_name remove_name write };
allow httpd_t twiki_var_lib_t:file { create rename setattr unlink write };
#END
The problem is, although the
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
...allows for:
allow sysadm_crond_t twiki_t:process transition;
And I've even allowed that process transition (allow sysadm_crond_t
twiki_t:process transition;) explicitly a few rows later (actually
audit2allow has given me this).
But the transition to root:system_r:twiki_t is still denied.
Am I missing something?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.ab.altkom.pl
18 years, 11 months
- 3
- 5