> Hongwei Li wrote:
>
>>>Hongwei Li wrote:
>>>
>>>>Hi,
>>>>
>>>>I have an FC3 Linux (kernel 2.6.10-1.770_FC3) with SELinux enforced,
>>>>targeted policy 1.17.30-2.96. I try to use squirrelmail's plugin
>>>>change_passwd, but got denied. The system log shows:
>>>>
>>>>Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied {
>>>>search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
>>>>scontext=root:system_r:httpd_sys_script_t
>>>>tcontext=system_u:object_r:src_t
>>>>tclass=dir
>>>>Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied {
>>>>setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7
>>>>scontext=root:system_r:httpd_sys_script_t
>>>>tcontext=root:system_r:httpd_sys_script_t tclass=capability
>>>>
>>>>I can use that plugin's command in an ssh console, but just not from the
>>>>web.
>>>>Should I change the targeted policy to make it work? If yes, how do I
>>>>modify the policy?
>>>>
>>>>Thanks a lot!
>>>>
>>>>Hongwei Li
>>>> ...
>>
>>
> A better solution would be to create a new policy file
> /etc/selinux/targeted/src/policy/domains/program/chpasswd.te
> and a new policy file context file
> /etc/selinux/targeted/src/policy/file_context/program/chpasswd.fc
>
> You might want to look at the passwd.te file from strict policy as an
> example.

After playing around, I created chpasswd.te and chpasswd.fc, and it is working now. In chpasswd.te, I have:

allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t shadow_t:file read;
...

>
> Another option might be to just relabel this policy as
> httpd_unconfined_script_t since allowing
> sys_script to run chpasswd is pretty dangerous. And can circumvent most
> SELinux controls.
>

Now, my question is: since I use httpd_sys_script_t, is it still dangerous even though I created my own domain? How do I relabel this policy as httpd_unconfined_script_t?

I tried to use httpd_unconfined_script_t in chpasswd.te, but got an error when I ran make load:

ERROR 'unknown type httpd_unconfined_script_t'

I greatly appreciate your help!

Hongwei

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
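Added example, not part of Hongwei's post or the list reply: a small Python script that parses AVC denial lines in the format quoted above, derives from each the `allow` rule that would silence it (the same transformation the real `audit2allow` tool performs), and flags rules that hand a confined domain a capability such as `setuid` or access to a credential-holding type such as `shadow_t`. The two sample lines are the denials from the post, rejoined onto single lines after mail wrapping; the `HIGH_RISK_PERMS` and `SENSITIVE_TYPES` review lists and the risk wording are my assumptions, not anything from the page or from the policy sources. The point the thread makes is that a mechanically generated rule like `allow httpd_sys_script_t self:capability setuid;` is exactly the kind that deserves a second look before it goes into a `.te` file.

```python
import re
from dataclasses import dataclass

# The two AVC denials from the post above, rejoined onto single lines
# (the mail client had wrapped them). Constructed sample input.
SAMPLE_DENIALS = [
    "Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } "
    "for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir",
    "Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } "
    "for pid=13211 exe=/usr/bin/chpasswd capability=7 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t "
    "tclass=capability",
]

# 'avc: denied { perm [perm ...] } for key=value key=value ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed review lists (hypothetical, not from the page): permissions that let a
# confined domain step outside its confinement, and types that hold secrets.
HIGH_RISK_PERMS = {
    ("capability", "setuid"),
    ("capability", "setgid"),
    ("capability", "dac_override"),
    ("capability", "sys_admin"),
}
SENSITIVE_TYPES = {"shadow_t"}


@dataclass
class AvcDenial:
    perms: list   # permissions inside the braces
    fields: dict  # key=value pairs after 'for'

    def _type_of(self, key):
        # security context is user:role:type[:level]; the type is field 2
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._type_of("scontext")

    @property
    def target_type(self):
        return self._type_of("tcontext")

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc(line):
    """Return an AvcDenial for an 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(KV_RE.findall(m.group("rest")))
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # malformed or truncated denial; do not guess a rule
    return AvcDenial(perms, fields)


def allow_rule(d):
    """The allow rule that would silence this denial (what audit2allow would emit)."""
    target = "self" if d.source_type == d.target_type else d.target_type
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {target}:{d.tclass} {perms};"


def risk_notes(d):
    """Reasons a reviewer should not add this rule blindly; empty if none apply."""
    notes = []
    for p in d.perms:
        if (d.tclass, p) in HIGH_RISK_PERMS:
            notes.append(f"{d.tclass} {p} lets {d.source_type} escape its confinement")
    if d.target_type in SENSITIVE_TYPES:
        notes.append(f"target type {d.target_type} holds credentials")
    return notes


def suggest_rules(lines):
    """Parse every AVC line, pairing each candidate rule with its review notes."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            out.append({"rule": allow_rule(d), "risk": risk_notes(d)})
    return out


if __name__ == "__main__":
    for r in suggest_rules(SAMPLE_DENIALS):
        flag = "  # REVIEW: " + "; ".join(r["risk"]) if r["risk"] else ""
        print(r["rule"] + flag)
```

Run it on a file of audit lines (`suggest_rules(open("/var/log/messages").read().splitlines())`) and the flagged rules are the ones to replace with a dedicated domain transition rather than paste into the web script domain's policy, which is the trade-off the reply above is pointing at.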