How to modify the policy?

Daniel J Walsh dwalsh at redhat.com
Fri Apr 15 19:37:04 UTC 2005


Hongwei Li wrote:

>>Hongwei Li wrote:
>>
>>>Hi,
>>>
>>>I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced,
>>>targeted policy 1.17.30-2.96.  I try to use squirrelmail's plugin
>>>change_passwd, but got denied.  The system log shows:
>>>
>>>Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  {
>>>search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
>>>scontext=root:system_r:httpd_sys_script_t
>>>tcontext=system_u:object_r:src_t
>>>tclass=dir
>>>Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  {
>>>setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7
>>>scontext=root:system_r:httpd_sys_script_t
>>>tcontext=root:system_r:httpd_sys_script_t tclass=capability
>>>
>>>I can use that plugin's command in ssh console, but just not from the
>>>web.
>>>Should I change the targeted policy to make it work?  If yes, how do I
>>>modify the policy?
>>>
>>>Thanks a lot!
>>>
>>>Hongwei Li
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list at redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>The only way to do this currently is to install
>>selinux-policy-targeted-sources.
>>
>>Then you can edit the apache rules to allow this priv.  The problem with
>>this priv is that it will allow any CGI script to execute setuid
>>applications.  The best solution would be to write policy for
>>change_passwd and then have a domain transfer to this application.
>>
>>--
>>
>
>I am new to selinux, especially for policy editing/writing.  Could you
>please tell me how to do it in each way (I have installed the sources):
>
>1. how to edit apache rules to allow this priv?
>
The simple fix is to edit
/etc/selinux/targeted/src/policy/domains/program/apache.te
and add
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t src_t:dir search;

>2. how to write a policy for change_passwd and then have a domain transfer
>to it?
>
A better solution would be to create a new policy file
/etc/selinux/targeted/src/policy/domains/program/chpasswd.te
and a new file context file
/etc/selinux/targeted/src/policy/file_context/program/chpasswd.fc

You might want to look at the passwd.te file from strict policy as an
example.

Another option might be to just relabel this script as
httpd_unconfined_script_t, since allowing sys_script to run chpasswd is
pretty dangerous and can circumvent most SELinux controls.


>I appreciate your help!
>
>Hongwei
>
>


-- 
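The two answers above (widen httpd_sys_script_t, or give chpasswd its own domain) can be shown side by side from the denials Hongwei posted. The script below is an added example, not code from Dan Walsh or from the Fedora policy sources: it re-joins the two AVC lines quoted in the thread onto single lines (constructed input), turns them into allow rules the way audit2allow does, and then emits a .te/.fc fragment for a separate domain in the FC3-era monolithic policy style. The domain and type names (httpd_chpasswd_t, httpd_chpasswd_exec_t) are made up for the illustration, and the macro and attribute names (domain_auto_trans, domain, file_type, sysadmfile, exec_type) are assumed from the example policy's core_macros.te of that era; check them against the installed sources before building.

```shell
#!/bin/sh
# Added example (not from the thread): derive allow rules from AVC denials,
# then show the confined-domain alternative instead of widening
# httpd_sys_script_t.

# Constructed input: the two denials quoted in the thread, each re-joined
# onto one line as the kernel printed it.
AVC_LOG='audit(1113489779.011:0): avc:  denied  { search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
audit(1113489779.012:0): avc:  denied  { setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability'

# avc_to_allow [EXE NEWDOM]: read AVC denial lines on stdin and print one
# "allow" rule per distinct denial.  With EXE and NEWDOM given, denials
# raised by that executable are attributed to NEWDOM instead of the
# original source type, which models what a domain transition on EXE
# would do to the rules.
avc_to_allow() {
  awk -v exe="$1" -v newdom="$2" '
  /avc: +denied/ {
    perms = $0
    sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
    s = t = c = e = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) s = substr($i, 10)
      if ($i ~ /^tcontext=/) t = substr($i, 10)
      if ($i ~ /^tclass=/)   c = substr($i, 8)
      if ($i ~ /^exe=/)      e = substr($i, 5)
    }
    n = split(s, sa, ":"); stype = sa[n]   # type is the last context field
    n = split(t, ta, ":"); ttype = ta[n]
    if (ttype == stype) ttype = "self"     # process acting on itself
    if (exe != "" && e == exe) stype = newdom
    printf "allow %s %s:%s { %s };\n", stype, ttype, c, perms
  }' | sort -u
}

# confined_policy BASE EXE: print a .te fragment (assumed FC3 example-policy
# macro names) that runs EXE in its own domain BASE_t, entered from
# httpd_sys_script_t, plus the matching .fc line.  Only the denials that
# EXE itself raised end up in the new domain; the rest stay where they were.
confined_policy() {
  base="$1"; exe="$2"; dom="${base}_t"
  cat <<EOF
# ${base}.te (added example; macro names assumed from core_macros.te)
type ${dom}, domain;
type ${base}_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(httpd_sys_script_t, ${base}_exec_t, ${dom})
EOF
  printf '%s\n' "$AVC_LOG" | avc_to_allow "$exe" "$dom" | grep "^allow ${dom} "
  cat <<EOF
# ${base}.fc
${exe}  --  system_u:object_r:${base}_exec_t
EOF
}

# The "simple fix": the two rules Dan wrote, derived from the log.
printf '%s\n' "$AVC_LOG" | avc_to_allow

# The better fix: setuid lands in httpd_chpasswd_t, not in every CGI script.
confined_policy httpd_chpasswd /usr/bin/chpasswd
```

Run without arguments it prints the two blanket rules; the second part shows that after the transition the setuid capability is granted only to httpd_chpasswd_t, while the src_t search (raised by /bin/bash, not by chpasswd) would still have to be allowed for httpd_sys_script_t or, better, avoided by fixing what the script touches.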