How to modify the policy?
Daniel J Walsh
dwalsh at redhat.com
Thu Apr 14 18:29:29 UTC 2005
Hongwei Li wrote:
>Hi,
>
>I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced,
>targeted policy 1.17.30-2.96. I try to use squirrelmail's plugin
>change_passwd, but got denied. The system log shows:
>
>Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied {
>search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
>scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t
>tclass=dir
>Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied {
>setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7
>scontext=root:system_r:httpd_sys_script_t
>tcontext=root:system_r:httpd_sys_script_t tclass=capability
>
>I can use that plugin's command in ssh console, but just not from the web.
>Should I change the targeted policy to make it work? If yes, how to
>modify the policy?
>
>Thanks a lot!
>
>Hongwei Li
>
The only way to do this currently is to install
selinux-policy-targeted-sources. Then you can edit apache rules to
allow this priv. The problem with this priv is that it will allow any
cgi script to execute setuid applications. The best solution would be
to write policy for change_passwd and then have a domain transfer to
this application.
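
As an added example (not part of the original thread, and not code from the SELinux project), this Python script parses the two AVC denials quoted above into candidate allow rules and flags the capability rule that would apply to every program in httpd_sys_script_t, which is the risk the reply describes. The function names and the `broad` flag are assumptions made for illustration; the sample log is the post's two denials joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the post, each unwrapped onto one line.
SAMPLE_LOG = """\
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    src, tgt = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    # A context is user:role:type; policy rules are written against the type.
    return {"perms": m.group("perms").split(), "exe": fields.get("exe", "?"),
            "source": src[2], "target": tgt[2], "tclass": fields["tclass"]}

def review(log_text):
    """Group denials into candidate allow rules and flag self-capability grants."""
    perms, exes = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["source"], d["target"], d["tclass"])
            perms[key].update(d["perms"])
            exes[key].add(d["exe"])
    report = []
    for key in sorted(perms):
        src, tgt, cls = key
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms[key]))} }};"
        # A capability granted to the domain itself applies to every program
        # running in that domain, not only the binary that hit the denial.
        broad = cls == "capability" and src == tgt
        report.append({"rule": rule, "broad": broad, "exes": sorted(exes[key])})
    return report

if __name__ == "__main__":
    for item in review(SAMPLE_LOG):
        tag = "DOMAIN-WIDE" if item["broad"] else "ok"
        print(f"[{tag}] {item['rule']}  # triggered by {', '.join(item['exes'])}")
```

A rule flagged as domain-wide is a candidate for a dedicated domain for the triggering binary instead of a grant on the shared CGI script domain.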