Selinux Apache avc denied

Alain Reguera Delgado al4in at jagua.cfg.sld.cu
Sat Aug 6 21:28:24 UTC 2005


On Mon, 2005-08-01 at 12:39 -0400, Daniel J Walsh wrote:
> Colin Walters wrote:
> 
> >On Fri, 2005-07-29 at 23:56 -0400, Valdis.Kletnieks at vt.edu wrote:
> >
> >>On Fri, 29 Jul 2005 23:32:01 EDT, Alain Reguera Delgado said:
> >>
> >>>I've stopped the web development. I feel selinux is a brilliant
> >>>technology I'd like to implement in my webserver.
> >>>
> >>Actually, you have that almost totally backwards - SELinux is a brilliant
> >>technology that gets implemented in the kernel
> >>
> >
> >One of the good things about SELinux actually is that it covers more
> >than the kernel; e.g. dbus acts as a "userspace object manager" in
> >concert with the kernel to secure the whole system.  Similarly, there
> >are patches for Xorg.  I think it does make sense in some situations to
> >patch the webserver.
> >
> >>Unfortunately, this is *much* too big a can of worms to solve directly - it
> >>would be technically possible to just add a rule that says 'httpd_t can
> >>exec shell_exec_t' - but that would be a *really* *bad* idea because then
> >>any exploit could get a shell (and exec_no_trans only partially minimizes
> >>the problem).
> >>
> >
> >I don't see a problem with execute_no_trans; it stays within the httpd_t
> >security domain.
> >
> >>Policy Gurus:  How big a hole would adding a 'can_exec(sendmail_exec_t)' or
> >>'domain_auto_trans(sendmail_t)' cause?  And how many of these common "web interface
> >>wants to send mail" problems would it solve?
> >>
> >
> >I think policy already has this as httpd_t has the privmail attribute,
> >and policy grants:
> >
> >./macros/program/mta_macros.te:63:domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
> >
> >My guess is all we need for this problem is:
> >can_exec(httpd_t, shell_exec_t)
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list at redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> What are the settings of the httpd_ssi_exec boolean?
> 
> getsebool httpd_ssi_exec
> 
> Looks like you need this on to make your sendmail work.
> 
> setsebool -P httpd_ssi_exec=1

Daniel, I did what you said, and now all is ok. The application is able
to send mails without problems.

Thanks to all of you for the help solving the problem.

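The thread's outcome is that the narrow httpd_ssi_exec boolean, not a blanket can_exec(httpd_t, shell_exec_t) rule, is the right way to let a web application run its mail helper. The script below is an added example, not code from the thread or from Fedora's policy tools: it parses audit-style "avc: denied" lines for httpd, reduces each to source type, target type, class and permission, and recommends the boolean from Daniel's reply for the httpd_t executing shell_exec_t case while flagging everything else for review. The two AVC lines are constructed samples modelled on the audit format, and the getsebool output formats it accepts ("--> on/off" and the older "--> active/inactive") are an assumption about the tool's wording.

```shell
#!/bin/sh
# Added example (not from the thread): triage httpd AVC denials and recommend
# the narrowest fix the discussion supports. Sample lines are constructed.

# Constructed sample denials, modelled on the audit AVC format (not real logs).
AVC_SHELL='type=AVC msg=audit(1123000000.123:45): avc:  denied  { execute } for  pid=2345 comm="httpd" name="sh" dev=dm-0 ino=12345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file'
AVC_SHADOW='type=AVC msg=audit(1123000000.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=67890 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file'

# Print the value of one key=value field (scontext, tcontext, tclass, ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the permission list inside the braces, with surrounding blanks trimmed.
avc_perms() {
    printf '%s\n' "$1" | awk -F'[{}]' 'NF >= 2 { p = $2; gsub(/^[ \t]+|[ \t]+$/, "", p); print p }'
}

# Reduce a context user:role:type[:mls] to its type component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary: "source_type target_type class perms".
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# Recommend the boolean from the thread for the shell case; otherwise flag
# the denial for review instead of writing a broad allow rule.
avc_advice() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perms "$1")
    case "$src:$tgt:$cls:$perm" in
        # httpd running a shell (SSI/CGI mail helper): the boolean keeps the
        # shell inside httpd_t, which is what the thread settled on.
        httpd_t:shell_exec_t:file:execute) echo "setsebool -P httpd_ssi_exec=1" ;;
        *) echo "review $src -> $tgt ($cls $perm)" ;;
    esac
}

# True if a "getsebool name" output line reports the boolean enabled.
# Assumes the "name --> on|off" wording of current tools and the older
# "active|inactive" wording (assumption, not taken from the thread).
bool_is_on() {
    case "$1" in
        *'--> on'|*'--> active') return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: summarise the constructed denials and print the advice.
for line in "$AVC_SHELL" "$AVC_SHADOW"; do
    avc_summary "$line"
    avc_advice "$line"
done
```

Run it against a real box by replacing the constructed lines with `grep 'avc:  denied' /var/log/audit/audit.log` output; only the httpd_t/shell_exec_t/execute case maps to the boolean, and a denial such as httpd_t reading shadow_t is deliberately left for a human to judge.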