[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to modify the policy?



Hongwei Li wrote:

Hongwei Li wrote:



Hi,

I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced,
targeted policy 1.17.30-2.96.  I try to use squirrelmail's plugin
change_passwd, but got denied.  The system log shows:

Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  {
search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:src_t
tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  {
setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability

I can use that plugin's command in ssh console, but just not from the
web.
Should I change the targeted policy to make it working?  If yes, how to
modify the policy?

Thanks a lot!

Hongwei Li

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list




The only way to do this currently is to install
selinux-policy-targeted-sources.

Then you can edit apache rules to allow this priv.  The problem with
this is priv is that
it will allow Any cgi script to execute setuid applications.   The best
solution would be
to write policy for change_passwd and then have a domain transfer to
this application.

--




I am new to selinux, especially for policy editing/writing. Could you please tell me how to do it in each way (I have installed the sources):

1. how to edit apache rules to allow this priv?


Simple fix is to edit /etc/selinux/targeted/src/policy/domains/program/apache.te
Add
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t src_t:dir search;


2. how to write a policy for change_passwd and then have a domain transfer
to it?


A better solution would be to create a new policy file
/etc/selinux/targeted/src/policy/domains/program/chpasswd.te
and  a new policy file context file
/etc/selinux/targeted/src/policy/file_context/program/chpasswd.fc

You might want to look at the passwd.te file from strict policy as an example.

Another option might be to just relabel this policy as httpd_unconfined_script_t since allowing
sys_script to run chpasswd is pretty dangerous. And can circumvent most SELinux controls.



I appreciate your help!

Hongwei

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list




--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]