Re: How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)

On 06/02/2011 07:47 PM, Aleksey Tsalolikhin wrote:
> Hi.  I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
> and audit.log / audit2allow tell me I need to add the local policy:
> 
> 
> #============= httpd_t ==============
> allow httpd_t unconfined_t:shm { unix_read unix_write };
> 
> which I think will allow the httpd access to read and write from shared memory?
> Is that right?  What are the risks involved in opening this?  I notice it is
> denied by the default policy.
> 
> To simplify configuration management, I would prefer to make this setting
> using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
> 
> How do I request one?  (And whom do I ask?)
> 
> Thanks,
> -at
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

Not sure what OTRS is, but it looks like you are running it as a user
(unconfined_t)? Does this usually run as a service started at boot time?

Allowing this would just mean apache is able to read/write logged-in
users' shared memory.
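Added example, not part of the original thread: a local policy module that wraps the audit2allow rule from the question in a custom boolean, so the access can be switched with setsebool instead of a permanent allow rule. The module name `local_httpd_shm` and the boolean name `httpd_unconfined_shm` are hypothetical.

```selinux
# local_httpd_shm.te  (module and boolean names are hypothetical)
module local_httpd_shm 1.0;

require {
	type httpd_t;
	type unconfined_t;
	class shm { unix_read unix_write };
}

# Off by default: the access stays denied until an admin enables it.
bool httpd_unconfined_shm false;

if (httpd_unconfined_shm) {
	# Rule from the audit2allow output quoted in the question.
	allow httpd_t unconfined_t:shm { unix_read unix_write };
}

# Build, install and toggle (run as root):
#   checkmodule -M -m -o local_httpd_shm.mod local_httpd_shm.te
#   semodule_package -o local_httpd_shm.pp -m local_httpd_shm.mod
#   semodule -i local_httpd_shm.pp
#   setsebool -P httpd_unconfined_shm on
#   getsebool httpd_unconfined_shm
```

The rule only matters while the shared memory segment is labeled unconfined_t, which is the case the reply asks about: a process started from a login session rather than as a boot-time service.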