On Tue, 2005-01-02 at 10:22 -0500, Kanwar Ranbir Sandhu wrote:
> avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix
> dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
>
> avc: denied { search } for pid=2851 exe=/usr/bin/perl name=postfix
> dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_spool_t tclass=dir
>
> avc: denied { setrlimit } for pid=2856 exe=/usr/sbin/sendmail.postfix
> scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t
> tclass=process
I've learned a little more about selinux, and so ran audit2allow on the
denials above to generate the following two policies:
allow httpd_sys_script_t var_spool_t:dir search;
allow httpd_t self:process setrlimit;
I know I can use dontaudit to turn off auditing for these policies
(instead of allowing), but I don't know if that's a good idea, or even
the right approach.
Thanks,
Ranbir
--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
