Erinn Looney-Triggs wrote:
My second question is, I have this policy working on one machine, moved
it to another machine and everything worked, this application was then
deployed on a third machine and I figured, I would just insert the
module again. Well, installing the module worked fine but Apache is
trying to use a different type on this machine, from audit2allow:
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t self:capability { setuid setgid };
Why all of a sudden is this machine using httpd_sys_script_t instead of
httpd_t which my other systems use? All the boxes are RHEL 5.5 x64 fully
patched running selinux-policy-2.4.6-279.el5. Now it is possible that
the myruby.pp module mentioned above is working just fine, but why then
would this one system need these extra privileges? Exact same codebase
for the Ruby application across the systems. Any insight would be
appreciated.

Did you get anywhere with this?
Things to check:
Booleans
Types on httpd, ApplicationPoolServerExecutable and other scripts
Other loaded policy modules
Running in httpd_sys_script_t seems more usual than running in httpd_t -
although I'm about to submit an alternative policy module that creates
its own type for the Rails app.
Moray.
"To err is human. To purr, feline"
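
The checklist in the reply above (booleans, file types, loaded modules) can be captured on each host and compared. This is an added example, not part of the original thread: the function names, snapshot file names and sample values are constructed, and /path/to/ApplicationPoolServerExecutable is a placeholder for wherever that binary lives.

```shell
#!/bin/sh
# Added example: capture the SELinux state named in the checklist on each
# host, then diff the two captures to find what the odd machine does differently.

# Emit one record per line: every boolean, every loaded policy module, and
# the security context of each path passed as an argument
# (httpd, ApplicationPoolServerExecutable, other scripts).
selinux_snapshot() {
    getsebool -a | sed 's/^/bool /'
    semodule -l | sed 's/^/module /'
    for path in "$@"; do
        stat -c 'label %n %C' "$path"
    done
}

# Print records present in only one snapshot: "<" first file, ">" second.
# Sorting on the record text puts both sides of a changed value together.
# Pass two different file names; the first is recognised by its name.
snapshot_diff() {
    awk 'FILENAME == ARGV[1] { a[$0]; next }
         { b[$0]; if (!($0 in a)) print ">", $0 }
         END { for (r in a) if (!(r in b)) print "<", r }' "$1" "$2" |
        LC_ALL=C sort -k2
}

# Constructed sample snapshots (illustrative values, not from the thread).
write_samples() {
    cat > "$1/hostA.snap" <<'EOF'
bool httpd_enable_cgi --> off
bool httpd_unified --> on
module myruby 1.0
label /usr/sbin/httpd system_u:object_r:httpd_exec_t
label /path/to/ApplicationPoolServerExecutable system_u:object_r:bin_t
EOF
    cat > "$1/hostB.snap" <<'EOF'
bool httpd_enable_cgi --> on
bool httpd_unified --> on
module myruby 1.0
label /usr/sbin/httpd system_u:object_r:httpd_exec_t
label /path/to/ApplicationPoolServerExecutable system_u:object_r:httpd_sys_script_exec_t
EOF
}

# On each real host:  selinux_snapshot /usr/sbin/httpd <other paths> > host.snap
# Then, with both files in one place:  snapshot_diff hostA.snap hostB.snap
```

Records that match on both hosts are suppressed, so the output lists only the booleans, modules or labels that differ.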