SELinux... a never ending story!

Daniel J Walsh dwalsh at redhat.com
Fri Dec 17 21:47:34 UTC 2004


Giuseppe Greco wrote:

>Joe,
>
>I've modified line 66 in ssl.conf like this:
>
>  SSLMutex default (instead of SSLMutex file:logs/ssl_mutex)
>
>Now I'm able to send emails via squirrelmail, but SELinux is
>still complaining:
>
>  audit(1103287307.997:0): avc: denied { search } for pid 7286
>    exe=/bin/bash name=httpd dev=dm-0 ino=65076
>    scontext=root:system_r:httpd_sys_script_t
>    tcontext=system_u:object_r:httpd_config_t tclass=dir
>
>  
>
Ok, we can probably dontaudit this.

>I've installed squirrelmail via yum... and then added the
>change-password plugin from its official web site. Of course,
>to get the change-password plugin working, I had also to
>compile and install poppassd (but I don't think this is the
>problem).
>
>j3d.
>
>On Fri, 2004-12-17 at 13:42 +0100, Giuseppe Greco wrote:
>  
>
>>Joe,
>>
>>here's my ssl.conf... I hope this helps.
>>j3d.
>>
>>On Fri, 2004-12-17 at 09:55 +0000, Joe Orton wrote:
>>    
>>
>>>On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
>>>      
>>>
>>>>Giuseppe Greco wrote:
>>>>        
>>>>
>>>>>done... and now I get
>>>>>
>>>>>audit(1103229440.677.0): avc: denied { unlink } for pid=2671
>>>>>exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
>>>>>scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
>>>>>tclass=fi
>>>>>          
>>>>>
>>>Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf?  This shouldn't
>>>happen in the default mod_ssl configuration.
>>>
>>>      
>>>
>>>>ugh,
>>>>
>>>>Where is this mutex file being created?  In the log dir?  The problem
>>>>with this is it allows a hacker to unlink all the log files, if I
>>>>allow this rule.
>>>>        
>>>>
>>>mod_ssl (and various other bits of httpd) can be configured to use
>>>various types of semaphore: these will all be SysV semaphores in the
>>>default configuration, but in non-default configurations, can be files
>>>with fcntl locking.  So the rule shouldn't be needed by default, I'm
>>>confused why people are seeing this.
>>>
>>>joe
>>>
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list at redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list

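An added example, not code from this thread or from the list: a small Python parser for the two AVC denials quoted above that renders each one as a TE rule and applies the reasoning in the thread, a dontaudit for a harmless denial, but "reconfigure" (fix SSLMutex rather than loosen policy) when httpd would gain destructive access to the log type. The sample lines are constructed from the quoted messages, and completing the truncated "tclass=fi" to "tclass=file" is an assumption.

```python
import re

# Constructed sample input: the two AVC denials quoted in this thread, each joined onto one
# line. The first message's truncated "tclass=fi" is assumed here to be "tclass=file".
AVC_LINES = [
    "audit(1103229440.677.0): avc: denied { unlink } for pid=2671 exe=/usr/sbin/httpd "
    "name=ssl_mutex.2670 dev=dm-6 ino=192037 scontext=root:system_r:httpd_t "
    "tcontext=root:object_r:httpd_log_t tclass=file",
    "audit(1103287307.997:0): avc: denied { search } for pid 7286 exe=/bin/bash name=httpd "
    "dev=dm-0 ino=65076 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:httpd_config_t tclass=dir",
]

# Permissions that let the source domain alter or destroy the target. Granting them on a
# log type is the risk raised in the thread: a compromised httpd could unlink every log.
DESTRUCTIVE = {"unlink", "write", "append", "rename", "remove_name", "setattr", "create"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial.
    source/target are the type fields (user:role:type) of scontext/tcontext."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": tuple(m.group("perms").split()),
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def te_rule(d, kind):
    """Render the denial as a TE rule; kind is 'allow' or 'dontaudit'."""
    return f"{kind} {d['source']} {d['target']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"

def triage(d):
    """Heuristic from the thread: destructive access to a log type means fix the application's
    configuration (here SSLMutex) rather than loosen policy; otherwise dontaudit is a candidate."""
    if d["target"].endswith("_log_t") and DESTRUCTIVE & set(d["perms"]):
        return "reconfigure"
    return "dontaudit"

if __name__ == "__main__":
    for line in AVC_LINES:
        d = parse_avc(line)
        print(f"{triage(d):12} {te_rule(d, 'dontaudit')}")
```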


