How to modify the policy?

Hongwei Li hongwei at wustl.edu
Thu Apr 21 21:13:55 UTC 2005


> Hongwei Li wrote:
>
>>>Hongwei Li wrote:
>>>
>>>
>>>
>>>>Hi,
>>>>
>>>>I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced,
>>>>targeted policy 1.17.30-2.96.  I try to use squirrelmail's plugin
>>>>change_passwd, but got denied.  The system log shows:
>>>>
>>>>Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  {
>>>>search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
>>>>scontext=root:system_r:httpd_sys_script_t
>>>>tcontext=system_u:object_r:src_t
>>>>tclass=dir
>>>>Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  {
>>>>setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7
>>>>scontext=root:system_r:httpd_sys_script_t
>>>>tcontext=root:system_r:httpd_sys_script_t tclass=capability
>>>>
>>>>I can use that plugin's command in ssh console, but just not from the
>>>>web.
>>>>Should I change the targeted policy to make it work?  If yes, how do I
>>>>modify the policy?
>>>>
>>>>Thanks a lot!
>>>>
>>>>Hongwei Li
>>>>
...
>>
>>
> A better solution would be to create a new policy file
> /etc/selinux/targeted/src/policy/domains/program/chpasswd.te
> and  a new policy file context file
> /etc/selinux/targeted/src/policy/file_context/program/chpasswd.fc
>
> You might want to look at the passwd.te file from strict policy as an
> example.

After playing around, I created chpasswd.te and chpasswd.fc, and it is
working now.  In chpasswd.te, I have:

# let the CGI domain use CAP_SETUID (capability=7 in the audit line above)
allow httpd_sys_script_t self:capability setuid;
# let the CGI domain read /etc/shadow, which chpasswd needs
allow httpd_sys_script_t shadow_t:file read;
...

>
> Another option might be to just relabel this policy as
> httpd_unconfined_script_t since allowing
> sys_script to run chpasswd is pretty dangerous. And can circumvent most
> SELinux controls.
>

Now, my question is: since I use httpd_sys_script_t, is it still dangerous
even if I created my own domain?  How do I relabel this policy as
httpd_unconfined_script_t?  I tried to use httpd_unconfined_script_t in
chpasswd.te, but got an error when I ran make load:
ERROR 'unknown type httpd_unconfined_script_t'

I greatly appreciate your help!

Hongwei
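The rules in chpasswd.te above were derived by hand from the two AVC denials in the log. The following script is an added example for this thread, not code from the original post or from the Fedora policy tools: it does the same derivation mechanically (the simple case of what audit2allow does), parsing `avc: denied` lines into `allow` rules, merging permissions that hit the same source type, target type and object class, and flagging the rules that deserve a second look, namely capability grants such as setuid and anything touching shadow_t, which is the danger the reply warns about. The sample log embedded in it is constructed: the first two lines are the post's denials re-joined onto single lines, the last two are made up to show merging on a sensitive target; the list of "risky" capabilities and types is this example's own judgement, not policy.

```python
"""Turn AVC 'denied' audit lines into candidate SELinux allow rules and flag
the risky ones.  Added example for this thread; not part of the original
post or of the Fedora policy tooling.  It mirrors what audit2allow does for
the simple case, using only the fields visible in the log lines."""
import re
from collections import OrderedDict

# Constructed sample input.  Lines 1-2 are the denials from the post, each
# re-joined onto one line as syslog writes them; lines 3-4 are made up here
# to show permission merging against a sensitive target type.
SAMPLE_LOG = """\
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  { search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  { setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Apr 14 09:43:01 pippo kernel: audit(1113489781.100:0): avc:  denied  { read } for  pid=13211 exe=/usr/bin/chpasswd name=shadow dev=hda6 ino=0 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Apr 14 09:43:01 pippo kernel: audit(1113489781.101:0): avc:  denied  { getattr } for  pid=13211 exe=/usr/bin/chpasswd name=shadow dev=hda6 ino=0 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
"""

# Only the fields we need: the permission set and the two contexts + class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Example's own choice of what to flag for review (assumption, not policy).
RISKY_CAPABILITIES = {"setuid", "setgid", "sys_admin", "dac_override", "dac_read_search"}
RISKY_TARGET_TYPES = {"shadow_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, skip
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def merge_denials(log_text):
    """Union the permissions of all denials sharing (source, target, class)."""
    merged = OrderedDict()
    for src, tgt, tclass, perms in parse_avc_denials(log_text):
        key = (src, tgt, tclass)
        merged[key] = merged.get(key, frozenset()) | perms
    return merged


def format_rule(src, tgt, tclass, perms):
    """Render one allow rule in policy syntax; same-type targets become 'self'."""
    target = "self" if src == tgt else tgt
    text = " ".join(sorted(perms))
    if len(perms) > 1:
        text = "{ " + text + " }"
    return f"allow {src} {target}:{tclass} {text};"


def danger_reason(src, tgt, tclass, perms):
    """Return why a rule deserves manual review, or None if it looks benign."""
    if tclass == "capability" and perms & RISKY_CAPABILITIES:
        return "grants capability " + ", ".join(sorted(perms & RISKY_CAPABILITIES))
    if tgt in RISKY_TARGET_TYPES:
        return f"touches {tgt}"
    return None


def build_allow_rules(log_text):
    """Allow rules, one per merged (source, target, class) tuple."""
    return [format_rule(*key, perms) for key, perms in merge_denials(log_text).items()]


def audit_rules(log_text):
    """(rule, reason-or-None) pairs so the dangerous rules stand out."""
    return [(format_rule(*key, perms), danger_reason(*key, perms))
            for key, perms in merge_denials(log_text).items()]


if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_LOG):
        print(rule if reason is None else f"{rule}   # REVIEW: {reason}")
```

Run against the post's two denials it reproduces exactly the `self:capability setuid` and `src_t:dir search` rules; the point of the flagging step is that a rule generated from a denial is only a transcription of what the program tried to do, and the reply's warning still applies: a CGI domain that may setuid and read shadow_t is not much more confined than httpd_unconfined_script_t, whatever file the rules live in.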




