On Wednesday 04-02-2009 at 13:07 [timezone -0500], Kevin White wrote:
> Validate appears to be labeled correctly, so, apparently the problem is
> that httpd can't make the domain transition.
>
> I really don't know how to allow it to. I'd like to.

In Fedora 10 httpd_t isn't allowed to transition to that domain:

# sesearch --allow -s httpd_t -t chkpwd_exec_t
allow httpd_t @ttr0099 : filesystem getattr ;
allow httpd_t @ttr1747 : file { ioctl read getattr lock execute execute_no_trans } ;
allow httpd_t chkpwd_exec_t : file { read getattr execute } ;

You might be able to do a transition using:

mkdir ~/myhttpd; cd ~/myhttpd;
echo "policy_module(myhttpd, 0.0.1)" > myhttpd.te;
echo "require { type httpd_t, chkpwd_exec_t, system_chkpwd_t; }" >> myhttpd.te;
echo "domain_auto_trans(httpd_t, chkpwd_exec_t, system_chkpwd_t)" >> myhttpd.te;
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myhttpd.pp

However, I do not think this is recommended. If you really need a
transition then I would suggest that you do it to a designated domain,
for example httpd_chkpwd_t, and give that domain only the access it needs.

This looks like it should somehow be able to transition though:

sh-3.2# sesearch --allow -s httpd_t | grep chkpwd
allow httpd_t system_chkpwd_t : process transition ;

Maybe people with more knowledge on this matter can shed some light on
this.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
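Added example, not part of the original message: a transition on exec needs three allow permissions (process transition, file execute, and file entrypoint for the new domain), and it happens automatically only when a type_transition rule is also present. This shell sketch checks a sesearch-style rule listing for all four; the function names and the third sample rule are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): list which rules needed for
# an automatic domain transition are absent from sesearch-style rule text.
# Only literal type names are matched; attributes such as @ttr1747 are not resolved.

# has_perm RULES SRC TGT CLASS PERM: succeeds if an allow rule grants PERM.
has_perm() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3" -v c="$4" -v p="$5" '
        { gsub(/;/, " ") }
        $1 == "allow" && $2 == s && $3 == t && $4 == ":" && $5 == c {
            for (i = 6; i <= NF; i++) if ($i == p) found = 1
        }
        END { exit !found }'
}

# has_type_transition RULES SRC EXEC TGT: succeeds if the default-domain rule exists.
has_type_transition() {
    printf '%s\n' "$1" | awk -v s="$2" -v e="$3" -v t="$4" '
        { gsub(/;/, " ") }
        $1 == "type_transition" && $2 == s && $3 == e && $5 == "process" && $6 == t { found = 1 }
        END { exit !found }'
}

# missing_for_transition RULES SRC EXEC TGT: prints the missing pieces, space separated.
missing_for_transition() {
    m=""
    has_perm "$1" "$2" "$4" process transition || m="$m process:transition"
    has_perm "$1" "$2" "$3" file execute       || m="$m file:execute"
    has_perm "$1" "$4" "$3" file entrypoint    || m="$m file:entrypoint"
    has_type_transition "$1" "$2" "$3" "$4"    || m="$m type_transition"
    echo "${m# }"
}

# The first two rules are copied from the sesearch output quoted in the message;
# the third (entrypoint for the target domain) is constructed for this example.
SAMPLE_RULES='allow httpd_t chkpwd_exec_t : file { read getattr execute } ;
allow httpd_t system_chkpwd_t : process transition ;
allow system_chkpwd_t chkpwd_exec_t : file { read getattr execute entrypoint } ;'

missing_for_transition "$SAMPLE_RULES" httpd_t chkpwd_exec_t system_chkpwd_t
```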