On 04/12/2013 09:41 AM, Cristian Sava wrote:
> Hi all,
>
> I want to monitor hardware temperatures using sensors. sensors is working
> ok launched in a terminal but I want to display the output on the web. So I
> have this simple php:
>
> <?php echo exec('/var/www/cgi-bin/my_sensors.sh'); ?>
>
> and my_sensors.sh in cgi-bin:
>
> #!/usr/bin/bash
> /usr/bin/sensors
> exit
>
> Why the problem showed in /var/log/messages (and blank web page)? sensors
> is supposed to run ok, is it?
> my_sensors launch sensors = OK
> sensors try i2c-adapter = deny
> Do I miss something?
>
> setroubleshoot: SELinux is preventing /usr/bin/sensors from read access on
> the directory i2c-adapter. For complete SELinux messages. run sealert -l
> 94ef69e6-5109-4c22-b464-ef220948dd6a
>
> [root@s194 cgi-bin]# sealert -l 94ef69e6-5109-4c22-b464-ef220948dd6a
> SELinux is preventing /usr/bin/sensors from read access on the directory
> i2c-adapter.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that sensors should be allowed read access on the
> i2c-adapter directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep sensors /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:httpd_sys_script_t:s0
> Target Context                system_u:object_r:sysfs_t:s0
> Target Objects                i2c-adapter [ dir ]
> Source                        sensors
> Source Path                   /usr/bin/sensors
> Port                          <Unknown>
> Host                          s194.central.ucv.ro
> Source RPM Packages           lm_sensors-3.3.2-5.fc18.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.11.1-87.fc18.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     s194.central.ucv.ro
> Platform                      Linux s194.central.ucv.ro 3.8.6-203.fc18.x86_64
>                               #1 SMP Tue Apr 9 19:33:01 UTC 2013 x86_64 x86_64
> Alert Count                   2
> First Seen                    2013-04-12 15:59:12 EEST
> Last Seen                     2013-04-12 15:59:13 EEST
> Local ID                      94ef69e6-5109-4c22-b464-ef220948dd6a
>
> Raw Audit Messages
> type=AVC msg=audit(1365771553.642:434): avc: denied { read } for pid=5314
> comm="sensors" name="i2c-adapter" dev="sysfs" ino=15234
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
>
>
> type=SYSCALL msg=audit(1365771553.642:434): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=7fff2e427650 a2=90800 a3=0
> items=0 ppid=5313 pid=5314 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=sensors
> exe=/usr/bin/sensors subj=system_u:system_r:httpd_sys_script_t:s0
> key=(null)
>
> Hash: sensors,httpd_sys_script_t,sysfs_t,dir,read
>
> audit2allow
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t sysfs_t:dir read;
>
> audit2allow -R
> require {
>         type httpd_sys_script_t;
> }
>
> #============= httpd_sys_script_t ==============
> dev_list_sysfs(httpd_sys_script_t)
>
>
> [root@s194 cgi-bin]#
>
> C. Sava
>
>

Well I guess you have two choices, either allow this access to apache cgi
scripts, using

audit2allow -M mysensors

Or you could generate new policy for your script to run under its own context.

You might want to first make the httpd_sys_script_t permissive to see all of
the AVC's that are generated

semanage permissive -a httpd_sys_script_t

Your test should probably succeed now, and use

ausearch -m avc -ts recent

To see all the avcs

ausearch -m avc -ts recent | audit2allow -m mysensors

Would generate a policy module to allow this access.

Or you could write policy for your cgi script using

sepolicy generate --cgi PATHTOCGI
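
Added example, not part of the original thread: a Python sketch of the mapping audit2allow performs on AVC records, so the rule can be read (which domain gains which permission on which type) before a module is loaded. The function names and the second, constructed record are assumptions made for illustration; the first record is the one quoted above.

```python
import re
from collections import defaultdict

# AVC record from the sealert output quoted in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1365771553.642:434): avc: denied { read } for pid=5314 '
    'comm="sensors" name="i2c-adapter" dev="sysfs" ino=15234 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=dir'
)
# Constructed record (not from the thread), only to show how denials merge
# once the domain has been made permissive and more AVCs are logged.
CONSTRUCTED_AVC = SAMPLE_AVC.replace("{ read }", "{ open }")

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\w+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def rules_from_avcs(lines):
    """Merge AVC denials into {(source, target, class): {permissions}}."""
    merged = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (context_type(m["scontext"]),
               context_type(m["tcontext"]),
               m["tclass"])
        merged[key].update(m["perms"].split())
    return dict(merged)

def render(rules):
    """Format merged denials as allow rules in type-enforcement syntax."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        # The rule applies to every process running in domain src, here all
        # CGI scripts labelled httpd_sys_script_t, not only my_sensors.sh.
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    print("\n".join(render(rules_from_avcs([SAMPLE_AVC, CONSTRUCTED_AVC]))))
```
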