On Sat, 2009-02-07 at 06:21 -0800, Vadym Chepkov wrote:
> The question is, why? Thank you.

hi,

pipe the avc denials into the input stream of audit2why:

sh-4.0# echo "avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir" | audit2why
avc: denied { read } for pid=32656 comm=awstats.pl name=awstats dev=sda1 ino=704533 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.
        Possible mismatch between current in-memory boolean settings vs. permanent ones.

also see sesearch:

sh-4.0# sesearch --allow -s httpd_sys_script_t -t httpd_sys_content_t -c dir -p read
Found 2 semantic av rules:
   allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

this may or may not be a bug in policy.

hth,
Dominick

> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
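Added example, not part of the original message: a small shell helper that derives the sesearch query shown in the reply from a raw AVC denial line, so the denial can be checked against the rules in the currently loaded policy. The function names avc_field and avc_to_sesearch are hypothetical, and the helper only prints the command; it does not run sesearch itself.

```shell
#!/bin/sh
# Added example: build the sesearch query that corresponds to one AVC denial.

# avc_field <key> <line>: print the value of key=value, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^ \"]*\).*/\1/p"
}

# avc_to_sesearch <line>: print "sesearch --allow -s SRC -t TGT -c CLASS -p PERMS".
avc_to_sesearch() {
    line=$1
    case $line in
        *avc:*denied*) ;;
        *) echo "not an AVC denial" >&2; return 1 ;;
    esac
    # The SELinux type is the third colon-separated field of a context.
    src=$(avc_field scontext "$line" | cut -d: -f3)
    tgt=$(avc_field tcontext "$line" | cut -d: -f3)
    cls=$(avc_field tclass "$line")
    # Permissions sit between the braces; sesearch takes them comma-separated.
    perms=$(printf '%s\n' "$line" \
        | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p' | tr -s ' ' ',')
    if [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ] || [ -z "$perms" ]; then
        echo "incomplete AVC denial" >&2
        return 1
    fi
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' \
        "$src" "$tgt" "$cls" "$perms"
}

# The denial from the message above, quoted the way it appears in an audit log.
sample='avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

avc_to_sesearch "$sample"
```

If the printed query finds a matching allow rule while the denial is still being logged, the situation is the one audit2why reports above: a possible mismatch between the loaded policy or boolean settings and the ones in effect when the message was generated.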