Permission denied to cgi-script when enforcing selinux on RHEL6
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 10 15:34:39 UTC 2012
On 04/10/2012 11:00 AM, Dominick Grift wrote:
> On Tue, 2012-04-10 at 09:55 -0500, Jason L Tibbitts III wrote:
>>>>>>> "DG" == Dominick Grift <dominick.grift at gmail.com> writes:
>>
>> DG> You should really see AVC denials when you build the policy.db with
>> DG> the dontaudit rules removed (semodule -DB) DG> Maybe you've
>> overlooked them?
>>
>> I know the original question was about EL6 but I had some issues with
>> CGI-type stuff outside of a specific cgi-bin directory recently on F16,
>> and I was quite surprised that completely relevant AVCs were hidden
>> behind dontaudit rules. In fact, I had no AVCs at all for that
>> situation; stuff just failed to work without any indication of why.
>> semodule -DB made it completely obvious, once you picked out the AVCs
>> that caused the problem from whatever random other stuff was expected to
>> happen.
>>
>> Is there any reasonable explanation for why these AVCs are not shown by
>> default?
>
> There should be but i cant think of any.
>
> I have encountered similar issues with daemons trying to traverse $USER
> being dontaudited; i dont like it either.
>
>> - J<
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
The problem here was that users executing service BLAH restart were generating
lots of AVC's if they were sitting in their $HOME directory. Since the
default for apps was to look at the current working directory, so we would get
an AVC like
named_t tried to getattr on user_home_dir_t. The best way to stop this flood
was to say
dontaudit initdaemons user_home_dir_t:dir search_dir_perms;
Now that we have moved to systemd, this is not as big a problem and we can
remove the dontaudit rule.
More information about the selinux
mailing list