rhel selinux question
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 24 12:57:37 UTC 2007
Ken YANG wrote:
> Barry Allard wrote:
>> If someone would be so kind to answer a noob question. When installing an
>> Apache authentication extension called WebAuth (3.5.4), it works great with
>> SELinux disabled (setenforce 0), but turn on enforcement (setenforce 1),
>> bam, can't read/write the necessary files. To SELinux, perhaps it looks like
>> rogue code trying to modify configuration files.
>>
>> Files:
>>
>> /etc/httpd/conf/webauth/keytab
>>
>> /etc/httpd/conf/webauth/keyring
>>
>> /etc/httpd/conf/webauth/service_token_cache
>>
First off, if these files need to be written to by a daemon, I would
suggest to the author that they be moved to /var, which is where variable
data should be. I think if you label the directory
httpd_sys_script_rw_t these AVCs will disappear:

chcon -R -t httpd_sys_script_rw_t /etc/httpd/conf/webauth

Of course this will allow all system scripts to rw these files; DAC
permissions are still in effect.

Is this package in Fedora?
>>
>> Messages:
>>
>> audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd"
>> name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0
>> tcontext=root:object_r:httpd_config_t:s0 tclass=dir
>>
>> audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd"
>> name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd"
>> name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd"
>> name="service_token_cache" dev=dm-0 ino=66426
>> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0
>> tclass=file
>>
>> audit2allow says
>>
>> "allow httpd_t httpd_config_t:dir write;
>>
>> allow httpd_t httpd_config_t:file write;
>>
>> allow httpd_t user_home_t:file read;"
>>
>> but this seems arbitrarily permissive.
>>
>> What would give only read/write access to these three files? Sorry if
>> this is off-topic.
>
> If you only want to permit access to these three files, you can define
> a specific type for these files, e.g. webauth_config_t, and associate
> that type with the corresponding files in the ".fc" file.
>
> After installing your own module, you restorecon the labels of your
> files; then this policy module will give access only to these files.
>
>>
>> Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already:
>> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
>> not much help.
>>
>> Kind Regards,
>>
>> Barry Allard
>> Systems Administrator
>> Stanford Medical Informatics
>> +1.650.723.7270
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
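Ken's suggestion of a dedicated type, carried through as a complete module. This is an added example, not code from anyone in the thread or from the WebAuth project: it generates the .te and .fc sources for a small SELinux module, builds and installs it with the raw checkmodule/semodule_package toolchain, and relabels the directory. It goes one step beyond a single webauth_config_t by giving the keytab its own read-only type, so httpd_t can read the keytab but only rewrite the keyring and token cache. The module name "webauth" and both type names are assumptions; the paths are the ones from Barry's mail.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal SELinux policy module that
# gives httpd_t access only to WebAuth's own files. Module name and type
# names are assumptions. Building/installing needs checkmodule,
# semodule_package, semodule and restorecon (checkpolicy + policycoreutils);
# the generator functions themselves run anywhere.

WEBAUTH_DIR=/etc/httpd/conf/webauth

# Type-enforcement source (.te). The "open" permission is deliberately not
# requested: it does not exist in the RHEL 5 era policy the thread is about.
webauth_te() {
cat <<'EOF'
module webauth 1.0;

require {
    type httpd_t;
    attribute file_type;
}

# Two private types instead of reusing httpd_config_t, so the allow rules
# below reach nothing else under /etc/httpd.
type webauth_config_t, file_type;   # directory, keyring, service_token_cache
type webauth_keytab_t, file_type;   # keytab: read-only for httpd

# Directory: lookup plus creating/removing entries (the denied dir write).
allow httpd_t webauth_config_t:dir { search getattr read write add_name remove_name };
# Keyring and token cache: rewritten by httpd, so create/rename/unlink too.
allow httpd_t webauth_config_t:file { getattr read write append create rename unlink lock };
# Keytab: read only.
allow httpd_t webauth_keytab_t:file { getattr read };
EOF
}

# File-context source (.fc). The more specific keytab entry comes after the
# directory entry; the last matching specification wins at relabel time.
webauth_fc() {
cat <<EOF
$WEBAUTH_DIR(/.*)?            system_u:object_r:webauth_config_t:s0
$WEBAUTH_DIR/keytab       --  system_u:object_r:webauth_keytab_t:s0
EOF
}

# Number of allow rules the module grants to httpd_t (used as a sanity check).
webauth_allow_count() {
    webauth_te | grep -c '^allow httpd_t'
}

# Compile, package, install and relabel. Run as root on the target host.
webauth_install() {
    workdir=$(mktemp -d) || return 1
    webauth_te > "$workdir/webauth.te"
    webauth_fc > "$workdir/webauth.fc"
    checkmodule -M -m -o "$workdir/webauth.mod" "$workdir/webauth.te" &&
    semodule_package -o "$workdir/webauth.pp" -m "$workdir/webauth.mod" \
        -f "$workdir/webauth.fc" &&
    semodule -i "$workdir/webauth.pp" &&
    restorecon -Rv "$WEBAUTH_DIR"
}

case "${1:-}" in
    show)    webauth_te; echo; webauth_fc ;;
    install) webauth_install ;;
esac
```

Run `sh webauth-policy.sh show` to inspect the generated sources and `sh webauth-policy.sh install` (as root) to load the module. Afterwards `ls -Z /etc/httpd/conf/webauth` should show the two new types instead of httpd_config_t and user_home_t (the keytab in the denials was still carrying a home-directory label, which restorecon fixes), and `ausearch -m avc -c httpd` should stay quiet once httpd is restarted. Compared with the audit2allow output Barry pasted, httpd_t gains no write access to httpd_config_t or read access to user_home_t at all, and DAC permissions on the files still apply on top. If you prefer the reference-policy build (`make -f /usr/share/selinux/devel/Makefile`), the .fc lines would use gen_context() and the .te would start with policy_module(); the raw form here avoids that dependency.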