Ludman Tamás wrote:
> Hi all,
> sorry for my bad English, I hope you understand my problem.
> I would like to use Squirrelmail's plugin: quota_check, but SELinux
> doesn't allow this...
> "...disk quota plugin: Uses the *nix quota binary as wwwquota to get
> information about and show the disk quota usage of the user logged in.
> It incorporates Flash movies to display more attractive and interactive
> information. ..."
>
>
> I tried these:
> [root@modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
> [root@modules]# checkmodule -M -m -o local.mod local.te
> checkmodule: loading policy configuration from local.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to local.mod
> [root@modules]# semodule_package -o local.pp -m local.mod
> [root@modules]# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t s
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
>
> and I tried another way, but the result is the same as above:
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i local.pp
>
> ______________________________________________
> in my audit.log:
> ....
>
> type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681628.573:13564): avc: denied { write } for pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> type=AVC msg=audit(1189681697.332:13578): avc: denied { read } for pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681697.332:13579): avc: denied { getattr } for pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681697.334:13580): avc: denied { write } for pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> type=AVC msg=audit(1189681697.334:13580): avc: denied { sendto } for pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
> type=AVC msg=audit(1189681704.450:13587): avc: denied { read } for pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681704.450:13588): avc: denied { getattr } for pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681776.487:13607): avc: denied { search } for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
> type=AVC msg=audit(1189681776.489:13608): avc: denied { getattr } for pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget } for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1189681826.629:13630): avc: denied { search } for pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
> type=AVC msg=audit(1189681826.631:13631): avc: denied { getattr } for pid=31975 comm="wwwquota" name="md6" dev=tmpfs ino=7380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> type=AVC msg=audit(1189681826.632:13632): avc: denied { quotaget } for pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> .....
> ______________________________________________
>
> in my /etc/sudoers:
> ...
> apache ALL=NOPASSWD: /usr/bin/wwwquota -v [A-z]*
> ...
> ______________________________________________
> in my /etc/selinux/config:
>
> SELINUX=enforcing
> SELINUXTYPE=targeted
> SETLOCALDEFS=0
> ______________________________________________
>
> My system is:
> Fedora Core 6, kernel 2.6.22.2-42.fc6
> libselinux.i386 1.33.4-2.fc6
> libselinux-devel.i386 1.33.4-2.fc6
> selinux-policy.noarch 2.4.6-80.fc6
> selinux-policy-devel.noarch 2.4.6-80.fc6
> selinux-policy-mls.noarch 2.4.6-80.fc6
> selinux-policy-strict.noarch 2.4.6-80.fc6
> selinux-policy-targeted.noarch 2.4.6-80.fc6
>
> What can I do?
>
> Thanx a lot, everybody.
>
> LT
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The policy compiler is blocking you from reading shadow_t.
Read this week's blog http://danwalsh.livejournal.com/12333.html
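
An added example, not part of the original thread and not how audit2allow works internally: a small Python triage that groups AVC denials like the ones posted above into candidate allow rules and sets aside any whose target type is on a reviewer-chosen list, so the rule behind the failed `semodule -i` is visible before a module is built. The list defaults to `shadow_t`, the type named in the reply; `triage`, `group_denials`, `se_type` and `protected_types` are names made up for this example.

```python
import re
from collections import defaultdict

# Four denials copied from the audit.log excerpt in the post above.
SAMPLE_LOG = """\
type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.332:13579): avc: denied { getattr } for pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681776.487:13607): avc: denied { search } for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget } for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def group_denials(log_text):
    """Collapse AVC denials into {(source, target, class): {"perms", "comms"}}."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
    return dict(rules)

def triage(log_text, protected_types=("shadow_t",)):
    """Split candidate allow rules into (needs_review, ordinary) lists.

    protected_types is an assumption of this example: target types the
    reviewer does not want granted to the source domain without a closer look.
    """
    review, ordinary = [], []
    for (src, tgt, cls), info in sorted(group_denials(log_text).items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(info["perms"])))
        (review if tgt in protected_types else ordinary).append((rule, sorted(info["comms"])))
    return review, ordinary

if __name__ == "__main__":
    review, ordinary = triage(SAMPLE_LOG)
    for rule, comms in review:
        print("REVIEW  ", rule, "# from", ", ".join(comms))
    for rule, comms in ordinary:
        print("ordinary", rule, "# from", ", ".join(comms))
```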