-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/03/2011 03:05 PM, Patrick Lists wrote:
>
> Hi Aleksey,
>
>
> On 06/03/2011 01:47 AM, Aleksey Tsalolikhin wrote:
>> Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
>> and audit.log / audit2allow tell me I need to add the local policy:
>>
>>
>> #============= httpd_t ==============
>> allow httpd_t unconfined_t:shm { unix_read unix_write };
>>
>> which I think will allow the httpd access to read and write from shared memory?
>> Is that right? What are the risks involved in opening this? I notice it is
>> denied by the default policy.
>>
>> To simplify configuration management, I would prefer to make this setting
>> using /usr/sbin/setseebool, but I don't see an sebool that deals with shm...
>>
>> How do I request one? (And whom do I ask?)
>
> Since nobody has come up with a policy for eons I guess there is little
> incentive to provide one. When you go through the OTRS website it
> basically only says "turn off selinux" (which imho is pretty silly).
>
> There was one person that tried to create a policy:
> http://lists.otrs.org/pipermail/dev/2005-September/001109.html
>
> The #selinux channel on irc.freenode.net has always been helpful and
> patient even with my n00b questions. If you have all the info from the
> audit log then I would venture in there, put the audit log on a pastebin
> and ask how to proceed next.
>
> If you create a proper policy I would appreciate it if you could keep
> this list updated. From what I have read OTRS seems a nice solution but
> not when I have to turn off selinux.
>
> Regards,
> Patrick
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
Well not likely since this is not something we use with RHEL or Fedora.
But what I would suggest you do is put apache into permissive mode and
then see what avcs it creates. Load a custom policy module to allow the
access.
# semanage permissive -a httpd_t
Run OTRS at boot, And attempt to interact with it via apache.
I would figure there are a lot of rules to allow things like
# allow httpd_t initrc_t:shm { unix_read unix_write };
Once you have a bunch of avcs you can create a custom policy module
# grep initrc_t /var/log/audit/audit.log | audit2allow -M myotrs
# semodule -i myotrs.pp
Or ask someone on list to write a policy for this app.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk3pO08ACgkQrlYvE4MpobPUGQCfWcVIkUcfBl9FvXKYJoZx8yKA
EkoAoNI2xKF02IZTYDwDLxtCqK8+0Rn0
=o/y6
-----END PGP SIGNATURE-----
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
