file, executable, and policy
by ken
It's nice with selinux that a notification window pops up when a
violation has been detected... and then that it's a simple matter to
click on an icon to pop open a window with much more information. But
lacking in that window is critical information necessary to identify and
then perhaps resolve the issue.
Fundamentally the action of some executable has tried, against policy,
to access some file. So why doesn't this page list:
- the name of the file, including full path, against which access was
attempted;
- the name of the executable, including full path, which tried to access
that file; and
- text explaining the policy which was violated, or at least a link to it?
I've had selinux installed for some years now (in permissive mode), but
am considering uninstalling it because, lacking this obvious and
critical information, there doesn't seem to be a point to it.
11 years, 5 months
Re: Bug 539519: selinux doesn't like httpd trying to read /var/run/pcscd.pid
by mark
Since I posted about a week and a half ago, I haven't seen any response.
This is an example of what I think Dan was asking about.
time->Thu Nov 1 16:00:01 2012
type=SYSCALL msg=audit(1351800001.262:133107): arch=c000003e syscall=2
success=yes exit=18 a0=7ffea2fdde22 a1=0 a2=1b6 a3=0 items=0 ppid=20709
pid=20713 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=5118 comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1351800001.262:133107): avc: denied { open } for
pid=20713 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:pcscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1351800001.262:133107): avc: denied { read } for
pid=20713 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:pcscd_var_run_t:s0 tclass=file
And just to clarify, I believe what's doing this is that the webserver for
svn is checking the user's smart card before allowing them to check files
out.
mark
11 years, 5 months
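Added example, not part of either message above: a Python sketch that groups audit records by event serial and merges the SYSCALL record (executable path) with the AVC records (denied permissions, file name, source and target contexts), using the records from mark's message unwrapped to one line each. The function name `summarize` is hypothetical; note that the AVC records here carry only the file's base name in `name=`.

```python
import re
from collections import defaultdict

# Records from mark's message above, unwrapped to one line per record.
SAMPLE = """\
type=SYSCALL msg=audit(1351800001.262:133107): arch=c000003e syscall=2 success=yes exit=18 a0=7ffea2fdde22 a1=0 a2=1b6 a3=0 items=0 ppid=20709 pid=20713 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=5118 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1351800001.262:133107): avc: denied { open } for pid=20713 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pcscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1351800001.262:133107): avc: denied { read } for pid=20713 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pcscd_var_run_t:s0 tclass=file
"""

HEAD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def summarize(text):
    """Group records by audit event serial and merge SYSCALL + AVC details."""
    events = defaultdict(lambda: {"perms": set()})
    for line in text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue  # skip non-record lines such as the "time->" separator
        rtype, _, serial = head.groups()
        ev = events[serial]
        # key=value pairs after the header; quoted values lose their quotes
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        if rtype == "SYSCALL":
            ev["exe"] = fields.get("exe")          # full path of the executable
            ev["success"] = fields.get("success")  # whether the syscall went through
        elif rtype == "AVC":
            m = PERMS.search(line)
            if m:
                ev["perms"].update(m.group(1).split())
            for key in ("name", "scontext", "tcontext", "tclass"):
                ev[key] = fields.get(key)
    return dict(events)

if __name__ == "__main__":
    for serial, ev in summarize(SAMPLE).items():
        print(f"event {serial}: {ev['exe']} ({ev['scontext']}) denied "
              f"{sorted(ev['perms'])} on {ev['tclass']} {ev['name']!r} "
              f"({ev['tcontext']}), syscall success={ev['success']}")
```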
AWStats Update-now link has permissions issues
by Dan Thurman
Did anyone get the awstats "Update now" button to work?
For me, awstats does not have permissions to access /tmp
for locking (if enabled) and/or to open /var/log/httpd/access_log
file in attempts to update the awstats data.
I am running selinux, but not certain it is an selinux issue...
11 years, 5 months