A few permission problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi.

I've got a system updated from old redhat releases to FC2-3 and now 4.
I've just downloaded selinux-policy-targeted and have been able to fix most of 
my problems with setsebool etc. while in permissive mode. However a few more
difficult issues still intrigues me and I'd love it if someone would offer some help. 

First:
[root@spock ~]# audit2allow -i /var/log/messages -l
allow dovecot_auth_t selinux_config_t:file { getattr read };
allow httpd_sys_script_t var_t:dir getattr;
allow named_t unconfined_t:fifo_file read;
allow smbd_t selinux_config_t:dir search;
allow smbd_t selinux_config_t:file { getattr read };
allow webalizer_t home_root_t:dir search;
allow webalizer_t user_home_dir_t:dir search;
The dovecot-auth problem seems to occur with every new connection to dovecot:
Jul 16 14:00:16 spock kernel: audit(1121515216.305:122): avc: denied { read } for pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file Jul 16 14:00:16 spock kernel: audit(1121515216.305:123): avc: denied { getattr } for pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file
The httpd problem appears to be python related. Not sure which of my web applications is triggering it (if any). Maybe MoinMoin Wiki but I can't seem to trigger it myself, maybe a search spider is triggering it.
Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc: denied { getattr } for pid=20378 comm="python" name="var" dev=hda3 ino=163841 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir 


named is denied some fun?

Jul 14 15:39:10 spock named[1771]: exiting
Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc: denied { read } for pid=16108 comm="named-checkconf" name ="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file 
Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
Samba appears to wan't to read in the selinux config file? Every access to a home directory triggers this despite the correct sebool is set.
Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc: denied { search } for pid=17122 comm="smbd" name="selinu x" dev=hda3 ino=394114 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=dir Jul 15 02:43:18 spock kernel: audit(1121388198.077:105): avc: denied { read } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file Jul 15 02:43:18 spock kernel: audit(1121388198.078:106): avc: denied { getattr } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file
webalizer is being asked to put it's resulting webpages into a local users web directory in support of per user usage stat. The users webfolder has the correct objects set for httpd security.
Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc: denied { search } for pid=3409 comm="webalizer" name="home" dev=hda3 ino=819203 scontext=system_u:system_r:webalizer_t tcontext=system_u:object_r:home_root_t tclass=dir Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc: denied { search } for pid=3409 comm="webalizer" name="joakim" dev=hda3 ino=458781 scontext=system_u:system_r:webalizer_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
In addition to this I have a shared folder with 'public' material, files that I offer to for download/upload. This folder is shared to my users with ftp as well as samba. Is this even possible to do with selinux?
Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc: denied { search } for pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc: denied { getattr } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc: denied { read } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir 

audit2allow suggests:
allow smbd_t ftpd_anon_t:dir { getattr read search };

Greatful for any tips, hoping to enforce soon!
/Nicke

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux