[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to modify the policy?



Hongwei Li wrote:

Hi,

I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced,
targeted policy 1.17.30-2.96.  I try to use squirrelmail's plugin
change_passwd, but got denied.  The system log shows:

Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  {
search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t
tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  {
setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability

I can use that plugin's command in ssh console, but just not from the web.
Should I change the targeted policy to make it working?  If yes, how to
modify the policy?

Thanks a lot!

Hongwei Li

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list


The only way to do this currently is to install selinux-policy-targeted-sources.

Then you can edit apache rules to allow this priv. The problem with this is priv is that
it will allow Any cgi script to execute setuid applications. The best solution would be
to write policy for change_passwd and then have a domain transfer to this application.


--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]