mod_selinux denial with httpd
William Brown
william at blackhats.net.au
Thu Aug 6 07:55:55 UTC 2015
On Tue, 2015-08-04 at 08:44 +0930, William Brown wrote:
> > >
> > What OS do you use? On Fedora, mod_selinux comes with its own SELinux policy
> > where it is allowed.
>
> I'm doing this on RHEL7, as I would like to get mod_selinux into EPEL.

I think this is the issue:

semodule -i BUILD/mod_selinux-2.4.4/mod_selinux.targeted.pp
libsepol.print_missing_requirements: mod_selinux's global requirements were not met: type/attribute httpd_user_script_ro_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

So maybe there are some types in the mod_selinux policy module that don't exist
yet in RHEL7, so as a result, the post install semodule -i is failing.

Not really sure what the best course of action is. The upstream appears to be
dead so I can't report it there.

Would it be better to make a mod_selinux.centos.te and a mod_selinux.fedora.te
that accommodates these differences? Or to put httpd_user_script_ro_t into
RHEL7?

--
William Brown <william at blackhats.net.au>
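
Added example, not part of the original message and not code from mod_selinux: a build-time check that lists the types and attributes a .te source requires but a target policy lacks, which is the condition semodule reports above. The function name, the sample module source and the one-name-per-line symbol file (for instance gathered with seinfo on the target system) are assumptions.

```shell
#!/bin/sh
# Added example: report required types/attributes missing from a target policy.
# Usage: missing_requirements MODULE.te SYMBOLS.txt  (one symbol name per line)
missing_requirements() {
    awk '
        # First file: symbols the target policy already defines.
        NR == FNR { gsub(/[ \t]/, ""); if ($0 != "") known[$0] = 1; next }
        # Second file: module source, comments stripped.
        { sub(/#.*/, "") }
        # A require { ... } or gen_require(...) block starts here.
        (" " $0) ~ /[^_a-zA-Z0-9](gen_)?require[ \t]*[({]/ { inreq = 1; depth = 0 }
        inreq {
            line = $0
            while (match(line, /(type|attribute)[ \t]+[^;]+;/)) {
                stmt = substr(line, RSTART, RLENGTH - 1)
                line = substr(line, RSTART + RLENGTH)
                sub(/^(type|attribute)[ \t]+/, "", stmt)
                n = split(stmt, names, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[ \t]/, "", names[i])
                    if (names[i] != "" && !(names[i] in known) && !(names[i] in seen)) {
                        seen[names[i]] = 1; print names[i]
                    }
                }
            }
            # Track nesting so inner braces (class permission sets) do not end the block.
            t = $0; depth += gsub(/[{(]/, "", t); depth -= gsub(/[})]/, "", t)
            if (depth <= 0) inreq = 0
        }
    ' "$2" "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample: a module source that requires a type the policy lacks.
    cat > "$d/example.te" <<'EOF'
policy_module(example, 1.0)
gen_require(`
    type httpd_t, httpd_user_script_ro_t;
    class file { read getattr };
    attribute domain;
')
type example_new_t;   # declared by the module itself, not a requirement
EOF
    # Constructed sample: symbols present in the target policy.
    printf '%s\n' httpd_t domain > "$d/symbols.txt"
    missing_requirements "$d/example.te" "$d/symbols.txt"
    rm -rf "$d"
}
demo
```

Requirements placed inside an optional block are reported as well, although a missing optional symbol does not make the link fail.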