Re: How to modify the policy?

Hongwei Li wrote:

Hi,

I have an FC3 Linux (kernel 2.6.10-1.770_FC3) with SELinux enforced,
targeted policy 1.17.30-2.96.  I tried to use squirrelmail's plugin
change_passwd, but got denied.  The system log shows:

Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  { search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  { setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

I can use that plugin's command in an ssh console, but just not from the web.
Should I change the targeted policy to make it work?  If yes, how do I
modify the policy?

Thanks a lot!

Hongwei Li

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list


The only way to do this currently is to install selinux-policy-targeted-sources.

Then you can edit apache rules to allow this priv. The problem with this priv is that
it will allow any cgi script to execute setuid applications. The best solution would be
to write policy for change_passwd and then have a domain transfer to this application.