On Fri, 2009-03-20 at 23:12 +0000, Aaron Gray wrote:
> > On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> >> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on
> >> Apache. Runs fine in permissive mode, not in enforcing.
> >>
> >> I bought the O'Reilly SELinux book and learned the basics but it does not
> >> really seem to help me on Fedora.
> >>
> >> There was no /var/log/kernel so I tried /var/log/secure with the following
> >> command sequence:
> >>
> >> setenforce 0
> >>
> >> # access the cgi from the web
> >>
> >> setenforce 1
> >>
> >> audit2allow -l -i /var/log/secure
> >>
> >> What is strange also is the system is not flagging things up as a
> >> notification icon anymore in enforcing mode.
> >>
> >> If someone could guide me or push me in the right direction I would be
> >> most thankful.
> >
> > auditd logs to /var/log/audit/audit.log
> >
> > To use cgi you must set the boolean httpd_enable_cgi.
>
> Great, GIT on Apache running now! :) Thanks
>
> But not accessing the repositories, looks like a script is needed.
>
> > Then either label the cgi type httpd_sys_script_exec_t or create a
> > custom domain for your script:
> >
> > mkdir myscript; cd myscript;
> > echo "policy_module(myscript, 0.0.1)" > myscript.te
> > echo "apache_content_template(myscript)" >> myscript.te
> > echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
> >
> > make -f /usr/share/selinux/devel/Makefile
> > semodule -i myscript.pp
> > restorecon -R -v /var/www/cgi-bin/myscript.pl
>
> This is interesting. Command line, thanks, interesting. I will have to learn
> this stuff on the command line to understand it properly.
>
> > This is just a base module; you will likely need to extend it. You can do
> > so by making the httpd_myscript_script_t permissive and then extending
> > your source policy with any rules required from audit.log/audit2why:
> >
> > semanage permissive -a httpd_myscript_script_t
>
> Nice :)
>
> > ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp
>
> This might just do the job!
>
> > semanage permissive -d httpd_myscript_script_t
> >
> > (to remove the permissive domain)
>
> Is there any reason not to be using setenforce 0/1, on a machine behind a
> firewall?

What makes you think that the security threat only comes from the network? There might be a rogue program local to the system, and if you setenforce 0, you allow everything. Not what I would want. By using semanage permissive -a <domain> you only allow a specific domain to run in permissive mode. This minimizes the risks and it conforms to the SELinux least privilege philosophy.

> I will try this. Looks like there's a need of a good howto that shows how
> simple these things can be.
>
> Many thanks Dominick
>
> Aaron

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
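The workflow from the thread (base module from apache_content_template, file context for the script, per-domain permissive mode instead of setenforce 0, then feeding that domain's AVC denials back into the .te), written up as a parameterised shell script. This is an added example, not code from the list or from Fedora; the module name, script path and the RUN_SELINUX_BUILD guard variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the custom-domain workflow
# described above. Module name and script path are parameters; commands
# that touch the running policy only execute when RUN_SELINUX_BUILD=1.
set -eu

# Write a minimal .te/.fc pair for a custom httpd script domain.
# apache_content_template(<name>) defines httpd_<name>_script_t and
# httpd_<name>_script_exec_t; the .fc line labels the CGI with the latter.
gen_module_sources() {
    name=$1; script=$2; outdir=$3
    mkdir -p "$outdir"
    printf 'policy_module(%s, 0.0.1)\n' "$name" > "$outdir/$name.te"
    printf 'apache_content_template(%s)\n' "$name" >> "$outdir/$name.te"
    printf '%s -- gen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' \
        "$script" "$name" > "$outdir/$name.fc"
}

# Build the .pp, load it, and relabel the script (needs root).
build_and_install() {
    name=$1; script=$2; dir=$3
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile )
    semodule -i "$dir/$name.pp"
    restorecon -R -v "$script"
}

# Iteration loop: make only the new domain permissive (everything else
# stays enforcing), exercise the CGI, append today's AVCs for that
# domain to the .te via audit2allow -R, rebuild, then drop permissive.
extend_from_denials() {
    name=$1; script=$2; dir=$3
    domain="httpd_${name}_script_t"
    semanage permissive -a "$domain"
    printf '%s is permissive; exercise the CGI, then press Enter.\n' "$domain" >&2
    read -r _
    ausearch -m avc -ts today | grep "$domain" | audit2allow -R >> "$dir/$name.te"
    build_and_install "$name" "$script" "$dir"
    semanage permissive -d "$domain"
}

# Usage: RUN_SELINUX_BUILD=1 ./build_domain.sh myscript /var/www/cgi-bin/myscript.pl
if [ "${RUN_SELINUX_BUILD:-0}" = 1 ]; then
    gen_module_sources "$1" "$2" "./$1"
    build_and_install "$1" "$2" "./$1"
    extend_from_denials "$1" "$2" "./$1"
fi
```

Review the rules audit2allow appends before rebuilding: anything the script was denied while permissive ends up as an allow rule, so trim what the CGI does not actually need.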