SELinux... a never ending story!

Giuseppe Greco giuseppe.greco at agamura.com
Fri Dec 17 12:59:14 UTC 2004


Joe,

I've modified line 66 in ssl.conf like this:

  SSLMutex default (instead of SSLMutex file:logs/ssl_mutex)

Now I'm able to send emails via squirrelmail, but SELinux is
still complaining:

  audit(1103287307.997:0): avc: denied { search } for pid 7286
    exe=/bin/bash name=httpd dev=dm-0 ino=65076
    scontext=root:system_r:httpd_sys_script_t
    tcontext=system_u:object_r:httpd_config_t tclass=dir

I've installed squirrelmail via yum... and then added the
change-password plugin from its official web site. Of course,
to get the change-password plugin working, I had also to
compile and install poppassd (but I don't think this is the
problem).

j3d.

On Fri, 2004-12-17 at 13:42 +0100, Giuseppe Greco wrote:
> Joe,
> 
> here's my ssl.conf... I hope this helps.
> j3d.
> 
> On Fri, 2004-12-17 at 09:55 +0000, Joe Orton wrote:
> > On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
> > > Giuseppe Greco wrote:
> > > >done... and now I get
> > > >
> > > >audit(1103229440.677.0): avc: denied { unlink } for pid=2671
> > > > exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
> > > > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
> > > > tclass=file
> > 
> > Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf?  This shouldn't
> > happen in the default mod_ssl configuration.
> > 
> > > ugh,
> > > 
> > > Where is this mutex file being created?  In the log dir?  The problem
> > > with this is it allows a hacker to unlink all the log files, if I
> > > allow this rule.
> > 
> > mod_ssl (and various other bits of httpd) can be configured to use
> > various types of semaphore: these will all be SysV semaphores in the
> > default configuration, but in non-default configurations, can be files
> > with fcntl locking.  So the rule shouldn't be needed by default, I'm
> > confused why people are seeing this.
> > 
> > joe
> > 
> > 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
----------------------------------------
Giuseppe Greco

::agamura::

phone:  +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email:  giuseppe.greco at agamura.com
web:    www.agamura.com
----------------------------------------