dansguardian and selinux
Vikram Goyal
vikigoyal at gmail.com
Sun Mar 9 11:00:44 UTC 2008
Hi,
I am running dansguardian ( content filter ) and squid. Versions:
dansguardian-2.8.0.6-1.2.fc8.rf
squid-2.6.STABLE17-1.fc8
selinux-policy-targeted-3.0.8-87.fc8
Well, I want to run dansguardian under selinux enforcing mode but due
some avcs I have to go to permissive mode or allow the blocked accesses,
neither of which I want.
Bug reporting is also not an option since it is not in the fedora repos.
The avcs are:
type=AVC msg=audit(1205054238.538:28): avc: denied { write } for pid=5640 comm="dansguardian" name="run" dev=dm-1 ino=5186 57 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1205054238.538:29): avc: denied { write } for pid=5640 comm="dansguardian" name="dansguardian.pid" dev=dm-1 ino=518711 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dansguardian/access.log-20080309" dev=dm-1 ino=1102242 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dbmail.log-20080309" dev=dm-1 ino=1102187 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dovecot.log-20080309" dev=dm-1 ino=1102273 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:dovecot_var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/rpmpkgs-20080309" dev=dm-1 ino=1102254 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/messages-20080309" dev=dm-1 ino=1102211 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/secure-20080309" dev=dm-1 ino=1102245 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/maillog-20080309" dev=dm-1 ino=1102246 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/spooler-20080309" dev=dm-1 ino=1102272 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/boot.log-20080309" dev=dm-1 ino=1102291 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/cron-20080309" dev=dm-1 ino=1102292 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/setroubleshoot/setroubleshootd.log-20080309" dev=dm-1 ino=1102249 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:setroubleshoot_var_log_t:s0 tclass=file
As you may see, except for the first three, the rest of the avcs show it
running wild and messing with a number of unrelated logs, which I don't
want to allow.
I am confused as to how it should be handeled.
Thanks!
--
vikram...
||||||||
||||||||
^^'''''^^||root||^^^'''''''^^
// \\ ))
//(( \\// \\
// /\\ || \\
|| / )) (( \\
--
We must believe in free will. We have no choice. -Isaac B. Singer
--
~|~
=
More information about the users
mailing list