Re: Newbie Q

On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote: > I am trying to audit2allow on F10 to allow a cgi-bin perl script to run > on > Apache. Runs fine in permissive mode not in enforcing. > > I bought the O'Reilly SE Linux book and learned the basics but it does > not > really seem to help me on Fedora. > > there was no /var/log/kernel so I tried /var/log/secure with the > following > command sequence > > setenforce 0 > > # access the cgi from the web > > setenforce 1 > > audit2allow -l -i /var/log/secure > > What is strange also is the system is not flagging things up as a > notification icon anymore in enforcing mode. > > If someone could guide me or push me in the right direction I would be > most > thankful. auditd logs to /var/log/audit/audit.log To use cgi you must set the boolean httpd_enable_cgi.

Then either label the cgi type httpd_sys_script_exec_t or create a custom domain for your script: mkdir myscript; cd myscript; echo "policy_module(myscript, 0.0.1)" > myscript.te echo "apache_content_template(myscript)" >> myscript.te echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc make -f /usr/share/selinux/devel/Makefile semodule -i myscript.pp restorecon -R -v /var/www/cgi-bin/myscript.pl

This is just a base module you will likely need to extend it. you can do so why making the httpd_myscript_script_t permissive and then extend your source policy with any rules required frpm audit.log/audit2why semanage permissive -a httpd_myscript_script_t

ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp

semanage permissive -d httpd_myscript_script_t (to remove the permissive domain)