Hi, I was wondering if anyone has information or can direct me to more details on the following: I have been using a perl cgi script on a personal web-server of mine to control access to SSH. Essentially, it is a knock-knock system. I would go to a specific URL with the cgi, enter some information, and the perl script would add my ip address to the allowed list for SSH in the fire-wall. I have been working on learning the details with SElinux, and trying to come up with some rules to allow the script to work correctly. There appears to be some kind of conflict either related to the script itself, or being run through httpd and getting access to the IPTables command tools. The CGI script (written in perl) is SUID root. Httpd runs the script. The script will run the iptables command line tools to examine the table (to see if the ip address is already allowed), and also to add a new ip address to the allowed list. My current method of trying to create the appropriate policy is to continue testing the cgi-script, watching the audit log, and running audit2allow on the selected audit messages. My current policy is: ... require { type modules_conf_t; type modules_dep_t; type sysctl_modprobe_t; type boot_t; type httpd_sys_script_t; type modules_object_t; class capability net_raw; class dir { getattr search }; class file { read getattr }; class rawip_socket { getopt create }; } #============= httpd_sys_script_t ============== allow httpd_sys_script_t boot_t:dir getattr; allow httpd_sys_script_t modules_conf_t:file { read getattr }; allow httpd_sys_script_t modules_dep_t:file read; allow httpd_sys_script_t modules_object_t:dir search; allow httpd_sys_script_t self:capability net_raw; allow httpd_sys_script_t self:rawip_socket { getopt create }; ... So, my question boils down to this: (I'm running Fedora Core 7) Do I just continue running the audit2allow repeatedly to create a policy to do what I want? Is there a better way to solve this problem? I am concerned that just creating a policy to allow my script to run will create other more substantial holes. I am also open to creating a tool to update my iptables some other way. Maybe perl-cgi is not the best method? Thanks in advance for any information! - Paul -- Paul McAvoy <paulmcav@xxxxxxxxx> http://www.queda.net -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list