Erinn Looney-Triggs wrote:
>My second question is, I have this policy working on one machine, moved
>it to another machine and everything worked, this application was then
>deployed on a third machine and I figured, I would just insert the
>module again. Well installing the module worked fine but apache is
>trying to use a different type on this machine, from audit2allow:
>
>#============= httpd_sys_script_t ==============
>allow httpd_sys_script_t devpts_t:chr_file { read write };
>allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
>allow httpd_sys_script_t self:capability { setuid setgid };
>
>Why all the sudden is this machine using httpd_sys_script_t instead of
>httpd_t which my other systems use? All the boxes are RHEL 5.5 x64 fully
>patched running selinux-policy-2.4.6-279.el5. Now it is possible that
>the myruby.pp module mentioned above is working just fine, but why then
>would this one system need these extra privileges? Exact same codebase
>for the ruby application across the systems. Any insight would be
>appreciated.

Did you get anywhere with this?

Things to check:

  Booleans
  Types on httpd, ApplicationPoolServerExecutable and other scripts
  Other loaded policy modules

Running in httpd_sys_script_t seems more usual than running in httpd_t -
although I'm about to submit an alternative policy module that creates
its own type for the Rails app.

Moray.
"To err is human. To purr, feline"

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
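
One way to run the three checks listed in the reply above across hosts, as an added example that is not part of the original thread: capture booleans, loaded modules and file labels on each machine with `getsebool`, `semodule` and `ls -Z`, then diff the captures. The snapshot file names, the `/opt/rails-app` path and the two sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On each host run:
#   selinux_snapshot /usr/sbin/httpd /path/to/script ... > hostname.snap
selinux_snapshot() {
    getsebool -a | grep '^httpd'   # httpd-related booleans
    semodule -l                    # loaded policy modules and versions
    ls -Z "$@"                     # labels on httpd and the scripts it runs
}

# Print lines found in only one snapshot:
# "<" = first host only, ">" = second host only.
snapshot_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    sort "$1" > "$a"; sort "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/< /'
    comm -13 "$a" "$b" | sed 's/^/> /'
    rm -f "$a" "$b"
}

# Constructed sample captures (not data from the poster's machines).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/hostA.snap" <<'EOF'
httpd_builtin_scripting --> on
httpd_enable_cgi --> off
myruby 1.0
-rwxr-xr-x root root system_u:object_r:bin_t /opt/rails-app/ApplicationPoolServerExecutable
EOF
    cat > "$d/hostB.snap" <<'EOF'
httpd_builtin_scripting --> on
httpd_enable_cgi --> on
myruby 1.0
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t /opt/rails-app/ApplicationPoolServerExecutable
EOF
    snapshot_diff "$d/hostA.snap" "$d/hostB.snap"
    rm -rf "$d"
}
demo
```

Lines common to both hosts drop out, so whatever remains is the boolean, module or label that differs between the machines.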