<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>If someone would be so kind as to answer a noob question.
When installing an Apache authentication extension called WebAuth (3.5.4), it works
great with SELinux disabled (setenforce 0), but turn on enforcement (setenforce
1), bam, can't read/write the necessary files. To SELinux, perhaps it looks
like rogue code trying to modify configuration files.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Files:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>/etc/httpd/conf/webauth/keytab<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>/etc/httpd/conf/webauth/keyring<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>/etc/httpd/conf/webauth/service_token_cache<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Messages:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>audit(1187726388.800:5): avc: denied { write }
for pid=2030 comm="httpd" name="webauth" dev=dm-0
ino=66396 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_config_t:s0 tclass=dir<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>audit(1187727527.410:38): avc: denied { read }
for pid=2229 comm="httpd" name="keytab" dev=dm-0
ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>audit(1187727527.415:39): avc: denied { read }
for pid=2229 comm="httpd" name="keytab" dev=dm-0
ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>audit(1187727527.420:40): avc: denied { write }
for pid=2229 comm="httpd" name="service_token_cache"
dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_config_t:s0 tclass=file<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>audit2allow says<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>“allow httpd_t httpd_config_t:dir write;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>allow httpd_t httpd_config_t:file write;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>allow httpd_t user_home_t:file read;”<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>but this seems arbitrarily permissive.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>What would give read/write access to only these three
files? Sorry if this is off-topic.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Running RHEL 5 (“ES”, 32-bit) patched. RTFM’ed
already: <a
href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/">http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/</a>
not much help.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Kind Regards,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Barry Allard<o:p></o:p></span></font></p>
<p class=MsoNormal><i><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-style:italic'>Systems Administrator<o:p></o:p></span></font></i></p>
<p class=MsoNormal><i><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-style:italic'>Stanford Medical Informatics<o:p></o:p></span></font></i></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>+1.650.723.7270<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
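<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Added example, not part of the original message: a small Python parser that reads the four AVC denials quoted above and groups them by source type, target type and object class, the same grouping behind the audit2allow output. The function names (parse_avc, group_rules, render) are illustrative, and the sample lines are the message's own denials with the line wrapping removed.</span></font></p>

```python
import re
from collections import defaultdict

# The denials quoted in the message above, joined onto single lines.
SAMPLE_AVCS = [
    'audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir',
    'audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file',
]

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if m is None or not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    return {
        "perms": m.group(1).split(),
        "name": fields.get("name", "?"),
        # A context is user:role:type:level, so the type is the third part.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def group_rules(lines):
    """Merge denials that share (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (d["source_type"], d["target_type"], d["tclass"])
            rules[key]["perms"].update(d["perms"])
            rules[key]["names"].add(d["name"])
    return dict(rules)

def render(rules):
    """Format each group as an allow rule, noting which objects triggered it."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        seen = ", ".join(sorted(info["names"]))
        out.append(f"allow {src} {tgt}:{cls} {text};  # seen on: {seen}")
    return out

if __name__ == "__main__":
    print("\n".join(render(group_rules(SAMPLE_AVCS))))
```

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Each rendered rule is keyed on types, so it covers every object carrying that label rather than only the file named in the denial. The output also shows that keytab is recorded with user_home_t while webauth and service_token_cache carry httpd_config_t.</span></font></p>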
</div>
</body>
</html>