Ken YANG wrote:
> Barry Allard wrote:
>> If someone would be so kind to answer a noob question. When installing an
>> apache authentication extension called WebAuth (3.5.4), it works great with
>> selinux disabled (setenforce 0), but turn on enforcement (setenforce 1),
>> bam, can't read/write the necessary files. To selinux, perhaps it looks like
>> rogue code trying to modify configuration files.
>>
>> Files:
>>
>> /etc/httpd/conf/webauth/keytab
>> /etc/httpd/conf/webauth/keyring
>> /etc/httpd/conf/webauth/service_token_cache
>>

First off, if these files need to be written to by a daemon, I would suggest to the author that they be moved to /var, which is where variable data should be.

I think if you label the directory httpd_sys_script_rw_t these avc's will disappear:

chcon -R -t httpd_sys_script_rw_t /etc/httpd/conf/webauth

Of course this will allow all system scripts to rw these files; DAC permissions are still in effect.

Is this package in Fedora?
>> Messages:
>>
>> audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd"
>> name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0
>> tcontext=root:object_r:httpd_config_t:s0 tclass=dir
>>
>> audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd"
>> name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd"
>> name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
>> tcontext=root:object_r:user_home_t:s0 tclass=file
>>
>> audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd"
>> name="service_token_cache" dev=dm-0 ino=66426
>> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0
>> tclass=file
>>
>> audit2allow says
>>
>> "allow httpd_t httpd_config_t:dir write;
>> allow httpd_t httpd_config_t:file write;
>> allow httpd_t user_home_t:file read;"
>>
>> but this seems arbitrarily permissive.
>>
>> What would give only read/write access to these three files? Sorry if
>> this is off-topic.
>
> If you only want to permit access to these three files, you can define a
> specific type for these files, e.g. webauth_config_t, and associate
> this type with the corresponding files in a ".fc" file.
>
> After installing your own module, restorecon the labels of your
> files; then this policy module will give access only to these files.
>
>> Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already:
>> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
>> not much help.
>> Kind Regards,
>>
>> Barry Allard
>> Systems Administrator
>> Stanford Medical Informatics
>> +1.650.723.7270
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
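Ken's suggestion above (a private type for the three files, an .fc entry, a module install, then restorecon), written out as an added example that is not from anyone in this thread: a shell script that emits a minimal policy module and the commands to build and load it. The module name, the type names webauth_keytab_t and webauth_rw_t, and the permission sets are assumptions; the keytab is kept read-only, and the rules target the RHEL 5-era policy of the original poster, where the file class has no `open` permission yet (newer policies also need `open` in the allow rules).

```shell
# Write the two policy source files for a "webauth" module into $1.
# Module name, type names and permission sets are assumptions.
write_webauth_policy() {
    dir="$1"
    cat > "$dir/webauth.te" <<'EOF'
module webauth 1.0;

require {
    type httpd_t;
    # file_type lets restorecon/setfiles relabel files to the new types
    attribute file_type;
    class dir { search getattr read write add_name remove_name };
    class file { getattr read write create unlink lock rename };
}

# Two private types: the keytab is read-only, the keyring and
# service_token_cache are read/write.  Nothing else carries these
# labels, so httpd_t gains no access to other httpd_config_t files.
type webauth_keytab_t, file_type;
type webauth_rw_t, file_type;

allow httpd_t webauth_keytab_t:file { getattr read lock };
allow httpd_t webauth_rw_t:dir { search getattr read write add_name remove_name };
allow httpd_t webauth_rw_t:file { getattr read write create unlink lock rename };
EOF
    # File contexts: the longest matching path wins, so the keytab line
    # overrides the directory-wide one.  Relabeling the whole directory
    # also replaces the stray user_home_t label the AVC messages show on keytab.
    cat > "$dir/webauth.fc" <<'EOF'
/etc/httpd/conf/webauth(/.*)?        system_u:object_r:webauth_rw_t:s0
/etc/httpd/conf/webauth/keytab   --  system_u:object_r:webauth_keytab_t:s0
EOF
}

# Compile, package and load the module, then apply the labels (run as root).
install_webauth_policy() {
    dir="$1"
    checkmodule -M -m -o "$dir/webauth.mod" "$dir/webauth.te"
    semodule_package -o "$dir/webauth.pp" -m "$dir/webauth.mod" -f "$dir/webauth.fc"
    semodule -i "$dir/webauth.pp"
    restorecon -Rv /etc/httpd/conf/webauth
}

# Usage: write_webauth_policy /tmp/webauth && install_webauth_policy /tmp/webauth
```

After loading, a fresh `ls -Z /etc/httpd/conf/webauth` should show the two new types, and the earlier audit2allow rules against httpd_config_t and user_home_t are no longer needed.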