On Wed, 2007-02-07 at 16:34 +0000, Dan Track wrote:
Hi Stephen, firstly apologies for sending to the wrong list.

Ok, then take follow-ups to fedora-selinux-list please.

Thanks for the advice, it was really an eye opener. I trawled through the assert.te file in my selinux src directory, however I can't tell which rule to remove. Could you please guide me to which rule it is? Currently my file looks like this:

neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:process ~sigchld;

The rule above. Rather than removing it entirely, you could adjust it to make a specific exception for this case. What do you truly need your process to be able to do?

# Confined domains must never see unconfined domain's /proc/pid entries.
neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:dir { getattr search };

This one will also get in your process' way if it truly needs to operate on unconfined processes. Naturally, if you go too far in this direction, you are effectively removing any real restriction on httpd and might as well just disable its protection altogether (via the corresponding boolean).

Hi Stephen. I've moved the conversation over to the selinux list. My program is actually Beltane, which is a web front end for managing samhain (a filesystem integrity checker). The point at which the problem arises is when a setuid binary (beltane_cp) wants to write to a file it creates in the /tmp directory and then wants to move that file to the /var/lib/yule/profiles directory. It's at this point I get the selinux error:

Feb 7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc: denied { getsession } for pid=555 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 7 14:26:27 jupiter kernel: audit(1170858387.985:2548): avc: denied { getattr } for pid=14295 comm="beltane_cp" name="TMPFILIyEqoa" dev=sda3 ino=147699 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file

This beltane_cp file is called by apache. Hope this helps in making clear what I'm trying to do.

Thanks again
Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
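To see which of the two assert.te rules a given denial actually trips, here is an added Python example (not part of the thread or of the reference policy) that parses the quoted neverallow statements and AVC records and matches one against the other; the ATTRIBUTES table is a constructed stand-in for the real 'domain' and 'unrestricted' attributes, and the syslog prefixes have been dropped from the AVC lines.

```python
import re

# Constructed attribute membership; the real 'domain'/'unrestricted' attributes cover far more types.
ATTRIBUTES = {
    "domain": {"httpd_t", "httpd_sys_script_t", "snmpd_t", "pegasus_t", "unconfined_t"},
    "unrestricted": {"unconfined_t"},
}
# The two assert.te rules and the two AVC records quoted in the thread.
RULES = [
    "neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:process ~sigchld;",
    "neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:dir { getattr search };",
]
AVC_LINES = [
    'audit(1170858370.177:2547): avc: denied { getsession } for pid=555 comm="httpd" '
    "scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process",
    'audit(1170858387.985:2548): avc: denied { getattr } for pid=14295 comm="beltane_cp" '
    "scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file",
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<s>\S+)"
                    r"\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
RULE_RE = re.compile(r"neverallow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)"
                     r":(?P<cls>\S+)\s+(?P<perms>~?\{[^}]*\}|~?\S+)\s*;")

def parse_avc(line):
    """Reduce an AVC denial to source type, target type, class and permission set."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m.group("perms").split()), "tclass": m.group("cls"),
            "stype": m.group("s").split(":")[2], "ttype": m.group("t").split(":")[2]}

def expand_set(spec, attrs):
    # Turn '{ domain -unrestricted -snmpd_t }' into the concrete types it denotes.
    included, excluded = set(), set()
    for tok in spec.strip("{} ").split():
        members = attrs.get(tok.lstrip("-"), {tok.lstrip("-")})
        (excluded if tok.startswith("-") else included).update(members)
    return included - excluded

def rule_covers(denial, rule, attrs=ATTRIBUTES):
    """True if the denied access is one this neverallow assertion forbids."""
    m = RULE_RE.search(rule)
    if m is None:
        raise ValueError("unrecognised neverallow syntax")
    listed = set(m.group("perms").lstrip("~").strip("{} ").split())
    # A leading '~' (as in '~sigchld') means every permission except those listed.
    hit = denial["perms"] - listed if m.group("perms").startswith("~") else denial["perms"] & listed
    return (denial["stype"] in expand_set(m.group("src"), attrs)
            and denial["ttype"] in expand_set(m.group("tgt"), attrs)
            and denial["tclass"] == m.group("cls") and bool(hit))
```

Run against the thread's records, only the httpd_t getsession denial falls under the first assertion; the beltane_cp getattr denial targets httpd_var_lib_t rather than unconfined_t, so neither assertion is what blocks it and it is a separate allow-rule or labelling question.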