Setting Squid free in the shell
by Roger Grosswiler
Hi,
I need some quick help: I'm trying to get squid running, but I get the read avc denied.
If I want to set squid free in SELinux, I have to set this, don't I?
setsebool -P squid_disable_trans active
and then I have to fixfiles relabel?
Thanks for your help.
Roger
18 years, 11 months
Unable to create files when using "context" option for NFS
by Robert Bottomley
In FC3 (running kernel 2.6.11-1.27_FC3smp and
selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use
by Apache. In /etc/fstab, I have:
ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
Any attempts to create a file in /svn are met with (here I was attempting a
"touch x"):
audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
It does not matter what context I specify, I cannot create a file -- even
though my shell is running as unconfined_t. (If a file already exists, I can
edit it.)
So the questions are:
1. Is this a bug? Should I not be able to create a file when running in the
unconfined_t context?
2. Audit2allow tells me that I need to add:
allow httpd_sys_script_rw_t self:filesystem associate;
but if unconfined_t context cannot write, then will something in
httpd_sys_script_rw_t be able to?
sestatus
========
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
Policy booleans:
allow_ypbind active
dhcpd_disable_trans inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified inactive
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zones inactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_trans inactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
use_syslogng inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive
--
Robert Bottomley | E-mail: bob(a)cert.ucr.edu
System Administrator | Tel: 951-781-5788
College of Engineering | It is dangerous to be right
Center for Environmental | CE-CERT when the government is wrong.
Research and Technology | UC Riverside --Voltaire
HELP: transition denied regardless of policy?
by Aleksander Adamowski
Hi!
I'm having a problem with FC3 strict policy. Basically, I've customised
the policy to cover all that I need on that system, but there's one last
denial that I'm unable to remedy:
May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc: denied { transition } for pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t tclass=process
(where /home/twiki/bin/mailnotify has a context of
system_u:object_r:twiki_exec_t.)
This is directly related to my twiki.te policy:
#BEGIN
daemon_domain(twiki)
var_lib_domain(twiki)
domain_auto_trans(httpd_t, twiki_exec_t, twiki_t)
# daemon_domain(twiki) gets this done anyway:
#role_transition sysadm_r twiki_exec_t system_r;
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
# domain_auto_trans should do it, but duplicating it doesn't hurt:
role sysadm_r types twiki_t;
allow sysadm_crond_t twiki_t:process transition;
# exe=/usr/bin/perl path=/etc/ld.so.cache :
allow twiki_t etc_t:file { getattr read };
allow httpd_t twiki_exec_t:dir { getattr search };
allow httpd_t twiki_exec_t:file ioctl;
allow httpd_t twiki_var_lib_t:dir { getattr read search };
allow httpd_t twiki_var_lib_t:file { append getattr ioctl read };
allow twiki_t bin_t:dir { search };
allow twiki_t bin_t:file { getattr };
allow twiki_t crond_t:fifo_file { ioctl read write };
allow twiki_t home_root_t:dir { search };
allow twiki_t twiki_exec_t:dir { search };
allow twiki_t urandom_device_t:chr_file { read };
allow twiki_t unlabeled_t:dir { getattr read search };
allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_t:tcp_socket ioctl;
allow httpd_sys_script_t twiki_var_lib_t:dir { add_name remove_name search write };
allow httpd_sys_script_t twiki_var_lib_t:file { create getattr read unlink };
allow httpd_t twiki_var_lib_t:dir { add_name remove_name write };
allow httpd_t twiki_var_lib_t:file { create rename setattr unlink write };
#END
The problem is that although
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
...allows for:
allow sysadm_crond_t twiki_t:process transition;
and I've even allowed that process transition (allow sysadm_crond_t
twiki_t:process transition;) explicitly a few rows later (actually
audit2allow has given me this),
the transition to root:system_r:twiki_t is still denied.
Am I missing something?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.ab.altkom.pl
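Added example for the NFS "associate" thread and the cron "transition" thread above (my code, not from either poster): a POSIX sh helper that derives from an AVC record the TE rule audit2allow proposes, showing why the NFS denial became a "self" rule, and that flags a process transition denial which also crosses roles (sysadm_r to system_r), since the kernel reports a role allow or constraint failure as a plain "denied { transition }" even when the TE allow rule is loaded. The two records are the ones quoted in the posts, re-joined onto single lines; no other assumptions.

```shell
#!/bin/sh
# Added example (not code from either thread): derive the TE rule that
# audit2allow proposes from a kernel AVC record, and flag a transition
# denial that also crosses roles, which a TE allow rule alone cannot fix.

# Constructed samples: the two records quoted above, re-joined onto single
# lines as the kernel logs them (the mail client wrapped the originals).
AVC_NFS='audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem'
AVC_CROND='audit(1117070761.996:0): avc: denied { transition } for pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t tclass=process'

# Value of one key=value token in an AVC record ($1 = record, $2 = key).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Role (2nd field) and type (3rd field) of a user:role:type context.
ctx_role() { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print the allow rule for one record. When source and target types are
# equal the target collapses to "self", which is why audit2allow turned
# the NFS denial into "allow httpd_sys_script_rw_t self:filesystem associate;".
avc_to_allow() {
    rec=$1
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    if [ "$src" = "$tgt" ]; then tgt=self; fi
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# For a process-class denial, report a role change (e.g. sysadm_r->system_r)
# or "no". The kernel strips process:transition from the allowed vector when
# a role allow rule or a policy constraint forbids the change, so the AVC
# looks like a missing TE rule even though the rule is loaded.
avc_role_change() {
    rec=$1
    if [ "$(avc_field "$rec" tclass)" != process ]; then echo no; return; fi
    srole=$(ctx_role "$(avc_field "$rec" scontext)")
    trole=$(ctx_role "$(avc_field "$rec" tcontext)")
    if [ "$srole" = "$trole" ]; then echo no; else echo "$srole->$trole"; fi
}

for rec in "$AVC_NFS" "$AVC_CROND"; do
    avc_to_allow "$rec"
    echo "role change: $(avc_role_change "$rec")"
done
```

When the role check reports a change, query the loaded policy (for example with sesearch from setools) for the role allow and the process transition rule rather than re-reading the .te source, which separates "rule not loaded" from "rule present but constrained".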