Hi,
I can't figure out why I get denials in my Red Hat installation.
This is what I have:
selinux-policy-targeted-2.4.6-203.el5
httpd_enable_cgi --> on
httpd_unified --> off
system_u:object_r:httpd_sys_content_t:s0 /var/www/awstats
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/awstats/awstats.pl
system_u:object_r:httpd_sys_content_t:s0 /var/www/awstats/awstats022009.txt
And this is what I get:
type=AVC msg=audit(1234014919.167:40376): avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1234014919.167:40377): avc: denied { getattr } for pid=32656 comm="awstats.pl" path="/var/www/awstats/awstats022009.txt" dev=sda1 ino=706623 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
The question is, why? Thank you.
Sincerely yours, Vadym Chepkov
On Sat, 2009-02-07 at 06:21 -0800, Vadym Chepkov wrote:
The question is, why? Thank you.
Hi, pipe the AVC denials into the input stream of audit2why:
sh-4.0# echo "avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir" | audit2why
avc: denied { read } for pid=32656 comm=awstats.pl name=awstats dev=sda1 ino=704533 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
Also see sesearch:
sh-4.0# sesearch --allow -s httpd_sys_script_t -t httpd_sys_content_t -c dir -p read
Found 2 semantic av rules:
allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
This may or may not be a bug in policy.
HTH, Dominick
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
audit2why says:
type=AVC msg=audit(1234014919.167:40376): avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.
type=AVC msg=audit(1234014919.167:40377): avc: denied { getattr } for pid=32656 comm="awstats.pl" path="/var/www/awstats/awstats022009.txt" dev=sda1 ino=706623 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.
audit2allow suggests:
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir read;
allow httpd_sys_script_t httpd_sys_content_t:file { read ioctl getattr };
Sincerely yours, Vadym Chepkov
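As an added example (not code from any message in this thread, and not the audit2allow or sesearch code), the following script does by hand what the two tools above are being asked to do: it parses AVC records of the form shown in the first message, aggregates the denied permissions into one allow rule per source type, target type and class the way audit2allow prints them, and emits the sesearch command Dominick suggests for checking whether the loaded policy already carries each rule. The two records embedded in AVC_LOG are copied from the original post; the function and variable names are this example's own.

```python
"""Parse SELinux AVC denial records, aggregate them into audit2allow-style
allow rules, and emit the sesearch query that checks whether the loaded
policy already grants each access.

Added example for this thread, not code from the posts or from the
audit2allow/sesearch tools. The two records in AVC_LOG are copied from the
first message so the script runs offline."""
import re
from collections import defaultdict

# Constructed input: the two denials quoted in the original post.
AVC_LOG = """\
type=AVC msg=audit(1234014919.167:40376): avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1234014919.167:40377): avc: denied { getattr } for pid=32656 comm="awstats.pl" path="/var/www/awstats/awstats022009.txt" dev=sda1 ino=706623 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # dir denials carry name=, file denials usually carry path=
        "object": fields.get("path") or fields.get("name"),
        "tclass": fields["tclass"],
        # a context is user:role:type[:range]; TE rules only use the type
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }


def allow_rules(log):
    """Aggregate denials the way audit2allow does: one rule per
    (source type, target type, class) with the permissions unioned."""
    perms = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            perms[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        plist = " ".join(sorted(p))
        if len(p) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {s} {t}:{c} {plist};")
    return rules


def sesearch_queries(log):
    """One sesearch command per denied permission, to confirm the rule is
    really absent from the loaded policy before adding a local module."""
    queries = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec:
            continue
        for p in sorted(rec["perms"]):
            q = (f"sesearch --allow -s {rec['stype']} -t {rec['ttype']} "
                 f"-c {rec['tclass']} -p {p}")
            if q not in queries:
                queries.append(q)
    return queries


if __name__ == "__main__":
    for rule in allow_rules(AVC_LOG):
        print(rule)
    for query in sesearch_queries(AVC_LOG):
        print(query)
```

For these two records the script prints a dir read rule and a file getattr rule (the audit2allow output quoted above also lists read and ioctl on the file because more denials had been captured by then), followed by the matching sesearch commands. If sesearch does find the rule, the denial was generated under a different policy or boolean state than the one currently loaded, which is what the "Unknown - would be allowed by active policy" verdict in Dominick's run means; if it finds nothing, the rule is genuinely absent.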
On Sat, 2009-02-07 at 07:27 -0800, Vadym Chepkov wrote:
audit2allow suggests:
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir read;
allow httpd_sys_script_t httpd_sys_content_t:file { read ioctl getattr };
Did sesearch return anything?
Sorry, missed that part.
# sesearch --allow -s httpd_sys_script_t -t httpd_sys_content_t -c dir -p read
No, sesearch didn't find anything, that's the problem. Why?
Sincerely yours, Vadym Chepkov
Well, I suppose it's a feature.
I did more sesearch and looked at what is allowed:
allow httpd_sys_script_t httpd_sys_script_ra_t : dir { ioctl read write getattr lock add_name search };
allow httpd_sys_script_t httpd_sys_script_ro_t : dir { read getattr search };
allow httpd_sys_script_t httpd_sys_script_rw_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir };
So I have to relabel all files from httpd_sys_content_t to httpd_sys_script_ro_t in Red Hat? Doesn't make much sense to me.
Sincerely yours, Vadym Chepkov
--- On Sat, 2/7/09, Dominick Grift domg472@gmail.com wrote:
From: Dominick Grift domg472@gmail.com
Subject: Re: awstats AVC denial
To: "Vadym Chepkov" chepkov@yahoo.com
Cc: "Fedora SELinux" fedora-selinux-list@redhat.com
Date: Saturday, February 7, 2009, 11:07 AM

On Sat, 2009-02-07 at 08:03 -0800, Vadym Chepkov wrote:
Why?
That confirms that there is not any "tunable" policy available and that this is a bug in policy.
Sincerely yours, Vadym Chepkov
LOL, in Red Hat I can't read those files at all, but in Fedora it's granted twice:
# sesearch --allow -s httpd_sys_script_t -c dir |grep httpd_sys_content_t
allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read getattr lock search } ;
allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search } ;
Sincerely yours, Vadym Chepkov
On Sat, 2009-02-07 at 08:33 -0800, Vadym Chepkov wrote:
LOL, in Red Hat I can't read those files at all, but in Fedora it's granted twice:
I think it is a bug in policy. The "sys" domain should have access to "sys" files.
But if you can fix it using httpd_sys_script_ro_t then that's also fine I guess.
Dominick Grift wrote:
On Sat, 2009-02-07 at 08:33 -0800, Vadym Chepkov wrote:
LOL, in Red Hat I can't read those files at all, but in Fedora it's granted twice:
I think it is a bug in policy. The "sys" domain should have access to "sys" files.
But if you can fix it using httpd_sys_script_ro_t then that's also fine I guess.
Sincerely yours, Vadym Chepkov
httpd_sys_script_ro_t == httpd_sys_content_t in F10 and beyond.
Are you hitting this in RHEL5?
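An added example, not code from the thread or from the SELinux policy sources, that models why the same sesearch query finds nothing on RHEL5 and finds the rule on Fedora. A policy here is a set of allow rules keyed by (source type, target type, object class) plus a type-alias table, and every lookup resolves aliases first. RHEL5_RULES are the three rules quoted from the RHEL5 sesearch output earlier in the thread (treating them as the only rules that matter for this access is a modelling assumption); the Fedora policy is the same rules plus the alias Dan mentions. The class TePolicy and all function names are this example's own.

```python
"""Model of the type-enforcement lookup behind the RHEL5 vs. Fedora
difference discussed in this thread.

Added example, not code from the posts or from the SELinux policy sources.
A policy here is a set of allow rules keyed by (source type, target type,
object class) plus a type-alias table; lookups resolve aliases first.
RHEL5_RULES are the three rules from the sesearch output quoted earlier;
treating them as the only relevant rules is a modelling assumption."""
from collections import defaultdict


class TePolicy:
    """Minimal allow-rule store with type aliases (hypothetical helper)."""

    def __init__(self, aliases=None):
        self.rules = defaultdict(set)       # (src, tgt, class) -> perms
        self.aliases = dict(aliases or {})  # alias type -> canonical type

    def canonical(self, typ):
        """Follow the alias table to the canonical type name."""
        seen = set()
        while typ in self.aliases and typ not in seen:
            seen.add(typ)
            typ = self.aliases[typ]
        return typ

    def allow(self, src, tgt, cls, perms):
        key = (self.canonical(src), self.canonical(tgt), cls)
        self.rules[key] |= set(perms)

    def check(self, src, tgt, cls, perm):
        """True if some allow rule grants perm after alias resolution."""
        key = (self.canonical(src), self.canonical(tgt), cls)
        return perm in self.rules.get(key, set())

    def missing(self, src, tgt, cls, perms):
        """Permissions no rule grants: what audit2allow would propose."""
        return sorted(p for p in perms if not self.check(src, tgt, cls, p))


# The RHEL5 targeted-policy rules quoted in the thread (sesearch output).
RHEL5_RULES = [
    ("httpd_sys_script_t", "httpd_sys_script_ra_t", "dir",
     "ioctl read write getattr lock add_name search"),
    ("httpd_sys_script_t", "httpd_sys_script_ro_t", "dir",
     "read getattr search"),
    ("httpd_sys_script_t", "httpd_sys_script_rw_t", "dir",
     "ioctl read write create getattr setattr lock unlink link rename "
     "add_name remove_name reparent search rmdir"),
]


def build(aliases):
    pol = TePolicy(aliases)
    for src, tgt, cls, perms in RHEL5_RULES:
        pol.allow(src, tgt, cls, perms.split())
    return pol


# RHEL5: httpd_sys_content_t is a separate type that no rule targets.
rhel5 = build(aliases={})
# F10 and beyond: httpd_sys_script_ro_t is an alias of httpd_sys_content_t,
# so the ro_t rule is stored under, and found for, httpd_sys_content_t.
fedora = build(aliases={"httpd_sys_script_ro_t": "httpd_sys_content_t"})

# The access awstats.pl was denied in the original post.
DENIED = ("httpd_sys_script_t", "httpd_sys_content_t", "dir", "read")


def verdicts():
    """Outcome of the denied access under each policy, plus the RHEL5
    workaround of relabelling the directory to httpd_sys_script_ro_t."""
    src, _tgt, cls, perm = DENIED
    return {
        "rhel5": rhel5.check(*DENIED),
        "rhel5_relabelled_ro_t": rhel5.check(src, "httpd_sys_script_ro_t", cls, perm),
        "fedora": fedora.check(*DENIED),
    }


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    print("rule audit2allow would propose on RHEL5:",
          rhel5.missing(*DENIED[:3], ["read", "getattr", "search"]))
```

With the alias in place the rule is stored and reported under the canonical name, which is why the Fedora sesearch output earlier in the thread lists httpd_sys_content_t directly as the target even though the policy source names httpd_sys_script_ro_t; the second Fedora rule (the one with write, add_name and remove_name) is not modelled here. On RHEL5 the same lookup misses because httpd_sys_content_t is a distinct type, and the only ways out are the relabel to httpd_sys_script_ro_t Vadym mentions or a policy update.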
Yes,
RHEL5
Sincerely yours, Vadym Chepkov
--- On Tue, 2/10/09, Daniel J Walsh dwalsh@redhat.com wrote:
From: Daniel J Walsh dwalsh@redhat.com
Subject: Re: awstats AVC denial
To: "Dominick Grift" domg472@gmail.com
Cc: "Vadym Chepkov" chepkov@yahoo.com, "Fedora SELinux" fedora-selinux-list@redhat.com
Date: Tuesday, February 10, 2009, 9:38 AM

Dominick Grift wrote:
On Sat, 2009-02-07 at 08:33 -0800, Vadym Chepkov wrote:
LOL, in Red Hat I can't read those files at all, but in Fedora it's granted twice:
I think it is a bug in policy. The "sys" domain should have access to "sys" files.
But if you can fix it using httpd_sys_script_ro_t then that's also fine I guess.
Sincerely yours, Vadym Chepkov
httpd_sys_script_ro_t == httpd_sys_content_t in F10 and beyond.
Are you hitting this in RHEL5?
Vadym Chepkov wrote:
Yes,
RHEL5
Sincerely yours, Vadym Chepkov
--- On Tue, 2/10/09, Daniel J Walsh dwalsh@redhat.com wrote:
From: Daniel J Walsh dwalsh@redhat.com
Subject: Re: awstats AVC denial
To: "Dominick Grift" domg472@gmail.com
Cc: "Vadym Chepkov" chepkov@yahoo.com, "Fedora SELinux" fedora-selinux-list@redhat.com
Date: Tuesday, February 10, 2009, 9:38 AM

Dominick Grift wrote:
On Sat, 2009-02-07 at 08:33 -0800, Vadym Chepkov wrote:
LOL, in Red Hat I can't read those files at all, but in Fedora it's granted twice:
I think it is a bug in policy. The "sys" domain should have access to "sys" files.
But if you can fix it using httpd_sys_script_ro_t then that's also fine I guess.
Sincerely yours, Vadym Chepkov
httpd_sys_script_ro_t == httpd_sys_content_t in F10 and beyond.
Are you hitting this in RHEL5?
Ok, I will add this to U4 policy.