Re: Please review allow rules

Charles A. Crayne wrote:
The following rules were created by audit2allow to enable my server to
operate denial messages. If some kind soul would glance over them to see
if they raise any red flags, I would appreciate it.

allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
This looks like you have a labeling problem on a directory and perhaps you do not have the correct boolean set for httpd?
getsebool httpd_enable_homedirs
Should be set to 1 if you want apache to be able to read homedirs.
setsebool -P httpd_enable_homedirs=1

allow httpd_t snmpd_var_lib_t:file { getattr read };
allow httpd_t system_dbusd_var_run_t:dir { getattr read };
allow innd_t file_t:file { getattr ioctl read write };
This looks like a labeling problem. file_t should never be present on a system. I would recommend relabeling:

touch /.autorelabel; reboot

allow innd_t home_root_t:dir search;
allow innd_t tmp_t:dir search;
allow innd_t user_home_t:file { getattr read };
allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
allow procmail_t innd_etc_t:dir search;
allow procmail_t innd_etc_t:file read;
allow procmail_t innd_exec_t:file { execute execute_no_trans read };
allow procmail_t innd_port_t:tcp_socket name_connect;
allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
allow procmail_t procmail_exec_t:file execute_no_trans;
allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow procmail_t razor_port_t:tcp_socket name_connect;
allow procmail_t smtp_port_t:tcp_socket name_connect;
allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
allow procmail_t tmp_t:file { create getattr ioctl read unlink write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow spamd_t user_home_dir_t:dir read;
allow spamd_t user_home_dir_t:file { append getattr ioctl read };
Do you have the spamd_enable_home_dirs boolean set?
setsebool -P spamd_enable_home_dirs=1
allow xfs_t default_t:dir search;
allow xfs_t default_t:file { getattr read };

-- Chuck
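An added example, not part of the thread and not anyone's posted code: a small triage script that applies the reply's reasoning to audit2allow output before it is turned into a policy module. It flags the patterns discussed above (a file_t target means a labeling problem; httpd and spamd access to home directories is what the httpd_enable_homedirs and spamd_enable_home_dirs booleans are for) and one the reply does not state in so many words: a daemon gaining execute on user-owned files. The default_t check, the execute heuristic and the category names are this example's own assumptions; the sample rules are a subset of the ones posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage audit2allow output before
# loading it with semodule. Each rule is checked against the fixes the
# reply names (relabel for file_t, a boolean for home-directory access)
# and flagged when a daemon would gain execute on user-controlled files.
# The default_t check and the execute heuristic are assumptions here.

# Constructed input: a subset of the rules posted in the thread, one per line.
RULES='allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
allow innd_t file_t:file { getattr ioctl read write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t user_home_dir_t:dir read;
allow xfs_t default_t:file { getattr read };'

# Reads allow rules on stdin and writes "CATEGORY<tab>advice<tab>rule" lines.
# One rule may yield several findings; a rule matching nothing is REVIEW.
triage_allow_rules() {
    awk '
    /^allow / {
        rule = $0
        src = $2
        split($3, tc, ":"); tgt = tc[1]
        # Collect the permission names with the { } ; punctuation stripped.
        perms = " "
        for (i = 4; i <= NF; i++) {
            p = $i; gsub(/[{};]/, "", p)
            if (p != "") perms = perms p " "
        }
        found = 0
        if (tgt == "file_t") {
            print "LABELING\tfile_t target: relabel (restorecon -Rv, or touch /.autorelabel) instead of allowing\t" rule
            found = 1
        } else if (tgt == "default_t") {
            print "LABELING\tdefault_t target: path has no file-context rule, check it with matchpathcon\t" rule
            found = 1
        }
        if (tgt ~ /^user_home(_dir)?_t$/) {
            if (src ~ /^httpd_/) {
                print "BOOLEAN\tsetsebool -P httpd_enable_homedirs=1\t" rule; found = 1
            }
            if (src == "spamd_t") {
                print "BOOLEAN\tsetsebool -P spamd_enable_home_dirs=1\t" rule; found = 1
            }
            if (perms ~ / execute / || perms ~ / execute_no_trans /) {
                print "EXECUTE\tdaemon would execute user-writable files, do not allow\t" rule; found = 1
            }
        }
        if (!found) print "REVIEW\tno boolean or label fix known, justify before loading\t" rule
    }'
}

# Number of findings in one category for the sample rules.
count_findings() {
    printf '%s\n' "$RULES" | triage_allow_rules |
        awk -F '\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

printf '%s\n' "$RULES" | triage_allow_rules
```

Run it with `sh triage.sh` on a box without SELinux tools; it only parses text. In practice you would feed it `audit2allow -a` output (or `grep denied /var/log/audit/audit.log | audit2allow`) and only hand the rules left in the REVIEW bucket to `audit2allow -M`.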

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
