[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: targeted policy and apache(?)



On Thu, 2005-04-21 at 10:02 -0700, Ben wrote:
> I'm seeing avc errors, and it's pretty unclear to me what's causing them. 
> What's being complained about, here? 
> 
> 1 Time(s): audit(1113980474.264:0): avc:  denied  { search } for  pid=7148 
> exe=/bin/bash name=log dev=md0 ino=3260417
> scontext=root:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:var_log_t tclass=dir
> 
> 
> I would guess that some script is trying to list a log directory on
> /dev/md0, but that's about all I can guess from this and it doesn't help
> me track it down to a useful level anyway.

Not list, just perform a lookup, e.g a CGI script is attempting to
access something under /var/log (requiring search access to the log
directory), and this is denied in the policy.  Note that you can
sometimes get more information by enabling system call auditing, e.g.
use auditctl -e 1 or boot your kernel with audit=1; the audit framework
will then output a separate syscall audit record upon syscall exit after
any such avc messages with the relevant syscall and arguments.

Likely your script wants to append to log files under /var/log/httpd.
Looks like the current policy allows httpd itself to do this, but not
CGI scripts.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]