Re: Newbie Q

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on 
Apache. Runs fine in permissive mode not in enforcing.
I bought the O'Reilly SE Linux book and learned the basics but it does not 
really seem to help me on Fedora.
there was no /var/log/kernel so I tried /var/log/secure with the following 
command sequence

    setenforce 0

    # access the cgi from the web

    setenforce 1

    audit2allow -l -i /var/log/secure

What is strange also is the system is not flagging things up as a
notification icon anymore in enforcing mode.
If someone could guide me or push me in the right direction I would be most 
thankful.

auditd logs to /var/log/audit/audit.log

To use cgi you must set the boolean httpd_enable_cgi.


Great GIT on Apache running now !:) Thanks

But not accessing the repositories, looks like a script is needed.


Then either label the cgi type httpd_sys_script_exec_t or create a
custom domain for your script:

mkdir myscript; cd myscript;
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl --
gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" >
myscript.fc

make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl
This is interesting. command line, thanks, interesting I will have to learn this stuff on the command line to understand it properly. 


This is just a base module you will likely need to extend it. you can do
so why making the httpd_myscript_script_t permissive and then extend
your source policy with any rules required frpm audit.log/audit2why

semanage permissive -a httpd_myscript_script_t


Nice :)


ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow
-R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule
-i myscript.pp


This might just do the job !


semanage permissive -d httpd_myscript_script_t

(to remove the permissive domain)
Is there any reason not to be using setenforce 0/1, on a machine behind firewall.
I will try this. Looks like theres a need of a good howto that shows how simple these things can be. 

Many thanks Dominick

Aaron

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux