Re: Selinux error help

On Wed, 2007-02-07 at 12:40 +0000, Dan Track wrote:
> Hi
> 
> I'm hoping someone can help me with this. I'm running a process that's
> getting the following violations:
> 
> Feb  7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc:
> denied  { getattr } for  pid=11754 comm="beltane_cp" name="yule"
> dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
> Feb  7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc:
> denied  { getsession } for  pid=27224 comm="httpd"
> scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> tclass=process
> 
> What I did next was to run the following:
> 
> audit2allow -i /var/log/messages
> 
> and I get the following output
> 
> allow httpd_sys_script_t var_lib_t:dir getattr;
> allow httpd_t unconfined_t:process getsession;
> 
> Which I enter into
> 
> /etc/selinux/targeted/src/policy/domains/misc/local.te

Suggestion:  Take such questions to fedora-selinux-list in the future.

So this is a FC4 system?  In FC5 and later, you would instead be
creating a loadable policy module.

> Then from the policy directory I run
> 
> make load
> 
> Upon which I get the following error
> 
> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  3 users, 4 roles, 355 types, 26 bools
> security:  55 classes, 22619 rules
> assertion on line 25169 violated by allow httpd_t unconfined_t:process
> { getsession };
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
> 
> I don't know what this means, I've tried to look it up i.e. Google
> search, but to no avail. Any ideas?

The policy includes a set of assertions (neverallow rules) to catch
common errors and potentially unsafe rules.  In an FC4 or earlier policy,
they would live in the file policy/assert.te.  In this case, the
neverallow rule is guarding against accidentally allowing a confined
process like httpd to operate on an unconfined process, as that
could open you up to an attack, although this particular access
(getsession i.e. getsid(2)) is relatively benign unto itself - the more
interesting question is what will your process then try to do with the
session ID it gets for the unconfined process.

If you truly need to allow it, you can adjust or remove the neverallow
rule from policy/assert.te.
-- 
Stephen Smalley
National Security Agency
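The exchange above boils down to two steps: turning AVC denial records into candidate allow rules (what audit2allow did for the poster) and checking those rules against the policy's neverallow assertions before loading them (what checkpolicy did, after the fact). The following Python script is an added illustration of both steps and is not code from the thread, from audit2allow, or from the Fedora policy. The two log lines are constructed from the ones quoted above (joined onto single lines), and the NEVERALLOW table is a constructed stand-in for the real assert.te rule, which the thread does not reproduce; it only approximates the effect Stephen describes.

```python
import re

# Constructed sample: the two AVC denials quoted in the thread, each on one line.
SAMPLE_AVC = """\
Feb  7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc: denied  { getattr } for  pid=11754 comm="beltane_cp" name="yule" dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=dir
Feb  7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc: denied  { getsession } for  pid=27224 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
"""

# Fields of an AVC denial that matter for an allow rule: permissions, source
# context, target context and object class (in the order the kernel prints them).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed approximation of a policy assertion (NOT the real assert.te text):
# (source types, target types, object class, forbidden perms; '*' = any perm).
NEVERALLOW = [
    ({'httpd_t', 'httpd_sys_script_t'}, {'unconfined_t'}, 'process', {'*'}),
]


def type_of(context):
    """Third field of user:role:type[:level] is the type used in TE rules."""
    return context.split(':')[2]


def parse_denials(text):
    """Collapse AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (other kernel/audit noise)
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        rules.setdefault(key, set()).update(m['perms'].split())
    return rules


def format_allow(rules):
    """Render the collapsed denials as TE allow rules, one per (src, tgt, class)."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ ' + plist + ' }'
        lines.append(f'allow {src} {tgt}:{cls} {plist};')
    return lines


def violated_assertions(rules, assertions=NEVERALLOW):
    """Report every candidate allow rule that a neverallow assertion forbids.

    This is the check checkpolicy performed for the poster at build time;
    running it on the generated rules first shows which ones need a policy
    decision rather than a blind paste into local.te.
    """
    hits = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        for a_src, a_tgt, a_cls, a_perms in assertions:
            if src in a_src and tgt in a_tgt and cls == a_cls \
                    and ('*' in a_perms or perms & a_perms):
                plist = ' '.join(sorted(perms))
                hits.append(
                    f'neverallow violated by allow {src} {tgt}:{cls} {{ {plist} }};')
    return hits


if __name__ == '__main__':
    rules = parse_denials(SAMPLE_AVC)
    for line in format_allow(rules):
        print(line)
    for hit in violated_assertions(rules):
        print('WARNING:', hit)
```

On the constructed input the script emits the same two allow rules audit2allow produced for the poster, and flags the httpd_t -> unconfined_t:process rule as an assertion violation, which is the point of the reply: the generated rule for the second denial is exactly the one the policy refuses to accept, so the fix is a policy decision (confine the target, or deliberately relax the assertion) rather than a mechanical copy of audit2allow output.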
