On 03/14/2013 11:23 AM, Jean-David Beyer wrote:
> On 03/14/2013 10:50 AM, m.roth@xxxxxxxxx wrote:
>> CentOS 6.4 (probably not the current kernel) selinux-policy,
>> selinux-policy-targetd 3.7.19-155.el6_3.14
>>
>> And we're running SiteMinder from CA (and have *zero* control over that,
>> don't get me started)
>>
>> unconfined_u:system_r:httpd_t:s0 apache <...> LLAWP
>> /etc/httpd/conf/WebAgent.conf -APACHE22 apache root
>> unconfined_u:object_r:httpd_log_t:s0 /var/log/httpd/agent.log
>>
>> So, why would I get AVCs, and running them through audit2allow gives me:
>> #============= httpd_t ==============
>> allow httpd_t httpd_log_t:file write;
>>
>> Why on earth can't something running as httpd_t write to a logfile of
>> httpd_log_t in /var/log/httpd/?

We are blocking write and allowing append, which works for most situations.
In this case you probably should add the rule. Write means a hacker could
truncate the logs, while append means he could only append to the end.

>> And then there's this...
>>
>> #============= setroubleshootd_t ==============
>> allow setroubleshootd_t httpd_sys_script_t:dir read;
>> allow setroubleshootd_t httpd_sys_script_t:file getattr;
>>
>> Shouldn't setroubleshootd have rights?
>>
>> mark

This is strange, I would be surprised with this one, could you send the AVCs.
This is just setroubleshootd_t looking at the process state.

> My comment may be unhelpful because I do not even run apache, but I do run
> Red Hat Enterprise Linux Server release 6.4 (Santiago) that is surely up to
> date as of yesterday.
>
> My kernel is kernel-2.6.32-358.0.1.el6.x86_64
>
> Although I just received a new one: kernel-2.6.32-358.2.1.el6.x86_64
>
> I run with SELinux enabled in enforcing mode
>
> But what I notice is this:
>
> $ rpm -qa | grep selinux
> selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
> libselinux-2.0.94-5.3.el6.i686
> libselinux-utils-2.0.94-5.3.el6.x86_64
> libselinux-python-2.0.94-5.3.el6.x86_64
> selinux-policy-3.7.19-195.el6_4.3.noarch
> libselinux-2.0.94-5.3.el6.x86_64
>
> I have no selinux-policy-targetd package installed.
>
> And no such file on my machine:
>
> $ locate selinux-policy-targetd
> $

That is a typo. selinux-policy-targeted-3.7.19-195.el6_4.3.noarch

> Is this a package you had to load to get apache to work? Or are CentOS 6.4
> and Red Hat Enterprise Linux 6.4 that different?
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
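The reply above gives the reason the targeted policy grants httpd_t only `append`, not `write`, on httpd_log_t. The program below is an added example, not code from this thread, from the SELinux project or from the reference policy; it runs on an ordinary temp file with no SELinux involved and shows which file operations the kernel's SELinux hooks map to each permission: a write(2) through a descriptor opened with O_APPEND is checked against `append`, a write through any other descriptor or a truncation (O_TRUNC, ftruncate) is checked against `write`. The log path, log lines and function names are constructed for the demonstration.

```c
/* Added example (not from the mailing-list thread): the file operations
 * behind SELinux's "append" and "write" file permissions, run on a plain
 * temp file so it works on any Linux box, enforcing or not.
 *
 *   open(O_WRONLY|O_APPEND) + write(2)  -> file { append }
 *   open(O_WRONLY)          + write(2)  -> file { write }
 *   open(O_TRUNC) / ftruncate(2)        -> file { write }
 *
 * A domain allowed only "append" can therefore add log lines but never
 * shorten or overwrite the log; "write" is what lets an attacker in
 * httpd_t erase evidence. Names and sample lines are constructed. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch log (constructed stand-in for agent.log) with initial
 * contents. The generated path is written back into `path`. */
static int make_log(char *path, size_t pathlen, const char *initial)
{
    snprintf(path, pathlen, "/tmp/agent-log-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, initial, strlen(initial));
    close(fd);
    return n == (ssize_t)strlen(initial) ? 0 : -1;
}

/* What a well-behaved logger does: O_APPEND, so only "append" is needed
 * and existing lines cannot be overwritten or dropped. */
int log_append(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* What "write" additionally permits: truncating the log to zero. Under a
 * policy that grants httpd_t only append on httpd_log_t, this open()
 * fails with EACCES and produces exactly the AVC the poster saw. */
int log_truncate(const char *path)
{
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Current size of the log in bytes, or -1 if it cannot be stat'ed. */
long log_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_size;
}

/* Run the scenario end to end. Returns 0 when the append-only path kept
 * the history intact and the write path was able to erase it. */
int demo(void)
{
    char path[64];
    const char *first  = "agent started\n";                 /* constructed */
    const char *second = "login attempt from 10.0.0.5\n";   /* constructed */

    if (make_log(path, sizeof path, first) < 0)
        return -1;
    if (log_append(path, second) < 0)
        return -1;
    long after_append = log_size(path);
    if (after_append != (long)(strlen(first) + strlen(second)))
        return -1;
    if (log_truncate(path) < 0)
        return -1;
    long after_trunc = log_size(path);
    unlink(path);
    return after_trunc == 0 ? 0 : -1;
}

int main(void)
{
    int rc = demo();
    puts(rc == 0 ? "append kept the history; write (O_TRUNC) erased it"
                 : "unexpected result");
    return rc == 0 ? 0 : 1;
}
```

If the SiteMinder agent cannot be changed to open its log with O_APPEND, the rule audit2allow printed (`allow httpd_t httpd_log_t:file write;`) can be packaged and loaded with `audit2allow -M <name>` on the AVCs followed by `semodule -i <name>.pp`; doing so grants the whole httpd_t domain the truncation path the example exercises, which is the trade-off the reply describes.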