Re: Policy bug or not: httpd and tetex
by mark
Maciej Lasyk wrote:
> On Thu, Mar 06, 2014 at 01:16:17PM -0500, m.roth(a)5-cent.us wrote:
>> Maciej Lasyk wrote:
>> > On Thu, Mar 06, 2014 at 11:44:27AM -0500, m.roth(a)5-cent.us wrote:
>> >> Maciej Lasyk wrote:
>> >> > On Wed, Mar 05, 2014 at 11:51:42AM -0500, m.roth(a)5-cent.us wrote:
>> >> >> Maciej Lasyk wrote:
>> >> >> > On Wed, Mar 05, 2014 at 10:33:22AM -0500, m.roth(a)5-cent.us wrote:
>> >> >> >> Maciej Lasyk wrote:
>> >> >> >> > On Wed, Mar 05, 2014 at 09:44:17AM -0500, m.roth(a)5-cent.us wrote:
>> >> >> >> >>
>> >> >> >> >> I got a denial (we're in permissive mode), which boils down to
>> >> >> >> >> what I expect is some project's CGI (or whatever) using tetex. The denial
>> >> >> >> >> was complaining about /usr/bin/pdftex accessing /var/lib/texmf,
>> >> >> >> >> and their fcontexts are all correct. So: is this a policy bug,
>> <snip>
>> > Oh lol my apology; it was to be:
>> >
>> > sesearch -T -s httpd_sys_script_t -t tetex_data_t -c process -C
>> >
>> > Also:
>> >
>> > sesearch -T -s tetex_data_t
>> >
>>
>> Right. Thanks - those didn't sit there contemplating their navel for a
>> while, either. Both returned nothing at all. I also note, via getsebool -a
>> | grep -i tex that there's no tex-related boolean.
>>
>
> Ok so it looks like no policy for this transform. You could yet ask this
> question again on the group to get second confirmation as I can be wrong
> :)
>
Oh, *crap*, I forgot the stupid configuration of the selinux mailing list,
where if I don't reply all, it *only* goes to the poster....
mark
10 years, 1 month
Correct way to use booleans
by Jayson Hurst
Audit2Allow is suggesting that a boolean be turned on.
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow vasd_t ldap_port_t:tcp_socket name_bind;
setsebool -P allow_ypbind 1
Should this boolean be enabled via my domain's policy, or is this something the system administrator should turn on if they know they will be using NIS?
The same question can be asked for other things like http and samba.
#!!!! This avc can be allowed using one of the these booleans:
# samba_export_all_ro, samba_export_all_rw
allow smbd_t tmp_t:file getattr;
#!!!! This avc can be allowed using one of the these booleans:
# samba_create_home_dirs, samba_export_all_rw
allow smbd_t user_home_dir_t:dir { write create add_name };
setsebool -P samba_export_all_rw 1
10 years, 1 month
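As an added illustration (not from the post above, and not the vasd policy itself): a refpolicy-style .te fragment showing where such booleans come from. audit2allow names a boolean only when the loaded policy already contains a rule for that access inside a tunable_policy block, so the module supplies the conditional rule and the administrator's setsebool supplies the value. The vasd_t/vasd_exec_t types and the module-private tunable vasd_read_tmp are assumed names.

```m4
policy_module(vasd, 1.0.0)

########################################
# Declarations (vasd_t and vasd_exec_t are assumed names)
#
type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

# A boolean owned by this module.  The module declares it and its default;
# the administrator sets the value ("setsebool -P vasd_read_tmp 1").
gen_tunable(vasd_read_tmp, false)

########################################
# Local policy
#

# NSS lookups.  In refpolicy this interface reaches the NIS rules through
# nis_use_ypbind(), which wraps them in tunable_policy(`allow_ypbind', ...).
# That is how an access ends up "allowable by a boolean": the rule is
# already compiled in, dormant until the system-wide boolean is on.  A site
# that does not use NIS leaves it off; the module does not need an
# unconditional "allow vasd_t ldap_port_t:tcp_socket name_bind;".
auth_use_nsswitch(vasd_t)

# The same mechanism for a module-private choice: the rule inside is
# loaded with the module but only takes effect when vasd_read_tmp is true.
tunable_policy(`vasd_read_tmp', `
	files_read_generic_tmp_files(vasd_t)
')
```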
selinux process transition and file soft links
by jiun bookworm
I have a python virtual env with these files:
lrwxrwxrwx. app_u app_g system_u:object_r:appi_exec_t:s0 python -> python3
-rwxr-xr-x. app_u app_g system_u:object_r:appi_exec_t:s0 python3
The first is a link to the second; the first is labelled with
app_exec_t, and this is allowed a transition to app_t.
But it does not work: I have to have the label on the
second file even if the systemd init file points to the first.
Is it that SELinux does not consider executing through
the softlink to be a valid execution for process transition?
Please explain the observation.
10 years, 1 month
Policy bug or not: httpd and tetex
by mark
Hi, folks,
I got a denial (we're in permissive mode), which boils down to what I
expect is some project's CGI (or whatever) using tetex. The denial was
complaining about /usr/bin/pdftex accessing /var/lib/texmf, and their
fcontexts are all correct. So: is this a policy bug, or just normal, and I
need to create the local policy?
mark
10 years, 1 month
user restricted to particular directory
by jiun bookworm
I have an application running as user "app" with a home directory in /ap/app.
I'd like to restrict the application (started as a service, so there's no
ssh/console login) to /ap/app, with access to other binaries in /ap/python and
/opt/support-app and access to a high port on localhost. What would be the
best way to do that?
It does not need read/write access anywhere else, only in subdirectories of
/ap/app.
10 years, 1 month
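An added example (not from the post, and not an existing policy) of how the confinement asked for above is usually expressed: a minimal refpolicy-style module whose domain may write only under /ap/app. All names (the app module, app_t, app_exec_t, app_data_t, the service binary /ap/app/bin/appd) are assumptions built from the paths in the question; the Unix account "app" plays no part, since SELinux confines by domain rather than by user.

```m4
policy_module(app, 1.0.0)

########################################
# Declarations (all names assumed; derived from the paths in the question)
#
type app_t;
type app_exec_t;
init_daemon_domain(app_t, app_exec_t)   # service entrypoint: app_exec_t -> app_t

type app_data_t;                        # label for the /ap/app tree
files_type(app_data_t)

########################################
# Local policy
#
# Read/write is granted on app_data_t only.  No interface below gives
# app_t write access to any other file type, so a write outside /ap/app
# is denied and logged rather than silently allowed.
manage_dirs_pattern(app_t, app_data_t, app_data_t)
manage_files_pattern(app_t, app_data_t, app_data_t)
manage_lnk_files_pattern(app_t, app_data_t, app_data_t)

# /ap/python and /opt/support-app are labelled bin_t in app.fc (below),
# so the interpreter and helpers run in app_t with no domain change.
corecmd_exec_bin(app_t)
files_read_usr_files(app_t)             # the system Python library under /usr

# Client connection to one high (unreserved) port on localhost.
allow app_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(app_t)
corenet_tcp_sendrecv_generic_node(app_t)
corenet_tcp_connect_all_unreserved_ports(app_t)

# Baseline daemon needs: locale data, syslog, NSS lookups, /dev/urandom.
miscfiles_read_localization(app_t)
logging_send_syslog_msg(app_t)
auth_use_nsswitch(app_t)
dev_read_urand(app_t)

# app.fc (file contexts shipped with the same module; the service binary
# path is assumed):
#   /ap/app(/.*)?           gen_context(system_u:object_r:app_data_t,s0)
#   /ap/app/bin/appd    --  gen_context(system_u:object_r:app_exec_t,s0)
#   /ap/python(/.*)?        gen_context(system_u:object_r:bin_t,s0)
#   /opt/support-app(/.*)?  gen_context(system_u:object_r:bin_t,s0)
```

Denials that appear after loading it show exactly which access outside /ap/app the service really needs, which is the point of starting from the narrow version.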
restorecon works but fcontext returns back to its default
by Shintaro Fujiwara
Hi.
I'm working on my web server and I'm in a bit of minor trouble.
I wrote a PHP script which writes to the /var/www/html/javascripts directory.
So, I added it with the semanage command:
# semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/javascripts(/.*)?"
I checked with
# semanage fcontext -l | grep /var/www/html
and found what I set.
So, I typed
# restorecon -r -v /var/www/html
I checked with the semanage fcontext -l command again and found that the
directory has httpd_sys_rw_content_t.
So, I fired up the PHP script to write a file in /var/www/html/javascripts.
Alas, an audit error, and this time semanage fcontext -l says
/var/www/html/javascripts has the context httpd_sys_content_t.
I have to restorecon every time I write a file to /var/www/html/javascripts
by PHP script.
Why does restorecon work fine at first and not at all the next time?
--
A page for establishing heavy metal and hard rock in Japan
http://www.heavymetalhardrock.tk/
Free software that makes the secure OS SELinux easier to use around the world
http://sourceforge.net/projects/segatex/
CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
10 years, 1 month