James Z. Li wrote:
> targeted policy on FC3
> /var/log/messages shows lots of avcs:
> May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc: denied
> { getattr } for pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:unconfined_t tclass=dir
> ...
> May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc: denied
> { getattr } for pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
> ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=root:system_r:unconfined_t tclass=dir
> 'audit2allow' generates this rule in local.te
> allow httpd_sys_script_t unconfined_t:dir { getattr };

I guess the question is, what is this script attempting to do? If you
dontaudit this access, does it work?

I would advise creating a new script type using
apache_domain(mycgi)
allow httpd_mycgi_script_t unconfined_t:dir ...
Then change to contraint.te to allow httpd_mycgi_script_t.

> 'make load' shows the assertion error message
> Assertion on line 17328 violated by allow httpd_sys_script_t
> unconfined_t:dir { getattr };
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
> Then I learned that /proc, /selinux, and /sys do not have persistent
> labels. What should I do to solve this problem? Remove that assertion check?
> Btw, does anyone have a policy file for Gallery (gallery.sourceforge.net) with httpd?
> Thanks a lot!
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
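
The triage discussed in the thread, as an added example that is not part of the original messages: it merges the quoted AVC denials into one rule per source type, target type and class, renders them as `dontaudit` for the test the reply suggests, and marks `allow` rules whose target is a protected type. The `protected` list is an assumption, since the thread does not show the assertion at line 17328; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample records: the two wrapped log entries quoted in the thread, rejoined.
SAMPLE_LOG = """\
May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc: denied { getattr } for pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc: denied { getattr } for pid=2733 exe=/bin/ps path=/proc/2660 dev=proc ino=174325762 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # A context is user:role:type[:mls-range]; the type is the third field.
    return context.split(":")[2]

def summarize(log_text):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render(rules, keyword="dontaudit", protected=("unconfined_t",)):
    """Render policy rules; `protected` is an assumed list of guarded types."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"{keyword} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if keyword == "allow" and tgt in protected:
            rule = "# review, target is protected: " + rule
        out.append(rule)
    return out

if __name__ == "__main__":
    merged = summarize(SAMPLE_LOG)
    print("\n".join(render(merged, "dontaudit")))
    print("\n".join(render(merged, "allow")))
```

Both denials collapse into a single rule because the user field of the target context (`user_u` versus `root`) is not part of a type enforcement rule.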