Adding two new booleans to httpd to tighten its security.

Nicolas Mailhot nicolas.mailhot at laposte.net
Sat Dec 10 19:08:20 UTC 2005


On Sat 10 December 2005 18:54, Daniel J Walsh wrote:
> Nicolas Mailhot wrote:

>> I'd really appreciate if more effort was expanded in fixing existing
>> AVCs rather than adding new blocking rules.
>>
> Which avc's are you talking about?  We have been working hard to fix all
> avc's when we can.

How about having selinux play nice with spamassassin at last?

It's still not able to create resolver sockets
"Error creating a DNS resolver socket"

or writing in its own files

cannot create tmp lockfile ~/.spamassassin/bayes.lock.xxx
cannot write to ~/.spamassassin/user_pref

(this has been reported many many times)

Or else fix fstab-sync

avc:  denied  { getattr } for  pid=2572 comm="fstab-sync" name="/"
dev=tmpfs ino=5287 scontext=system_u:system_r:updfstab_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

(again, reported many times)

Or else not break basic stuff like thunderbird

avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin"
scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process

or gpm

avc:  denied  { write } for  pid=2420 comm="gpm" name="mice" dev=tmpfs
ino=4118 scontext=system_u:system_r:gpm_t:s0
tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file

These two are new, but since I spare you the stuff which has been fixed
lately I figured it was only fair to add new breakage.

# audit2allow </var/log/audit/audit.log
allow dovecot_auth_t dovecot_var_run_t:dir search;
allow dovecot_auth_t tmp_t:dir getattr;
allow dovecot_auth_t usr_t:lnk_file read;
allow gpm_t mouse_device_t:chr_file write;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow unconfined_t self:process execmem;
allow updfstab_t tmpfs_t:dir getattr;

This is with selinux-policy-targeted-2.1.2-1.

I'd like to write there is some progress, but the length of my AVC list
seems to be stable over time, new stuff breaks as often as old stuff gets
fixed, and the overall length is not shrinking.

Regards,

-- 
Nicolas Mailhot
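The audit2allow output in the message above is derived mechanically from AVC records like the fstab-sync, thunderbird and gpm denials it quotes. The following added example (editor's illustration, not code from the mail, the list or the audit2allow tool) reimplements that mapping for those three records: it takes the type field of scontext and tcontext, substitutes `self` when they match, and separately flags memory-protection permissions such as execmem, which audit2allow will emit as an allow rule without judgment even though the better fix is usually in the program. The AVC lines are copied from the message and joined onto single lines; the set of risky permissions is the editor's choice.

```python
import re

# AVC denial records from the message above, re-joined onto single lines
# (constructed sample input so the parser runs offline).
SAMPLE_AVCS = """\
avc:  denied  { getattr } for  pid=2572 comm="fstab-sync" name="/" dev=tmpfs ino=5287 scontext=system_u:system_r:updfstab_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
avc:  denied  { write } for  pid=2420 comm="gpm" name="mice" dev=tmpfs ino=4118 scontext=system_u:system_r:gpm_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
"""

# Match the permission set, both contexts and the object class of one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that relax memory protections; an allow rule for these is a
# policy hole, not a fix (editor's list, not from the message).
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

def type_of(context):
    """Return the type (third colon-separated field) of a security context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Return (source_type, target_type, tclass, [perms]) per AVC record."""
    rules = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rules.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                      m.group("tclass"), m.group("perms").split()))
    return rules

def to_allow_rules(text):
    """Render each record as an audit2allow-style allow rule."""
    out = []
    for src, tgt, tclass, perms in parse_avcs(text):
        target = "self" if src == tgt else tgt          # same type on both sides
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {target}:{tclass} {perm_str};")
    return out

def risky_rules(text):
    """List (source_type, permission) pairs that should not be blanket-allowed."""
    return [(src, p) for src, _, _, perms in parse_avcs(text)
            for p in perms if p in RISKY_PERMS]

if __name__ == "__main__":
    print("\n".join(to_allow_rules(SAMPLE_AVCS)))
    print("review before allowing:", risky_rules(SAMPLE_AVCS))
```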
