Re: awstats AVC denial

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2009-02-07 at 06:21 -0800, Vadym Chepkov wrote:

> The question is, why? Thank you.

hi, pipe the avc denials in to the input stream of audit2why:

sh-4.0# echo "avc:  denied  { read } for  pid=32656 comm="awstats.pl"
name="awstats" dev=sda1 ino=704533
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir" |
audit2why
avc:  denied  { read } for  pid=32656 comm=awstats.pl name=awstats
dev=sda1 ino=704533 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the
audit message was generated.

		Possible mismatch between current in-memory boolean settings vs.
permanent ones.

also see sesearch:

sh-4.0# sesearch --allow -s httpd_sys_script_t -t httpd_sys_content_t -c
dir -p read
Found 2 semantic av rules:
   allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read
getattr lock search open } ; 
   allow httpd_sys_script_t httpd_sys_content_t : dir { ioctl read write
getattr lock add_name remove_name search open } ; 


this may or my not be a bug in policy.

hth , Dominick

> Sincerely yours,
>   Vadym Chepkov
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux