Horde Application Suite and SELinux...

[Tom Lisjac]

On Tue, 22 Feb 2005 17:12:20 -0500, Colin Walters <walters at redhat.com> wrote:
> On Tue, 2005-02-22 at 14:14 -0700, Tom Lisjac wrote:

Thanks for the reply.

> >...so aspell runs but doesn't return any results. If I
> >disable SELinux, it works fine... but since this server will be
> >running in a hostile environment, I'd rather not.  I could also add:
> >
> >allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
> 
> Hmmm.  httpd_tmp_t is the type of temporary files generated by the main
> webserver, not by CGI scripts.  Perhaps what's happening is you have
> some PHP code which is using aspell and creating a temporary file in the
> main httpd process, and then a CGI script wants to read that later?

I was under the impression that mod_php and the webserver ran in the
same context... so I'm not sure I understand the distinction SELinux
would make between the server and the script.

Here's the avc that is generated. Apparently the write did occur and
this was an attempt by the script to read the spellchecked file back.

avc:  denied  { getattr } for  pid=32122 exe=/usr/bin/aspell
path=/tmp/spellkQimNQ dev=hda2 ino=326408
scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_tmp_t tclass=file

I'm curious why the targeted policy allows the write but blocks reads from /tmp?

In any case, it appears that I should make the exception and allow the
read. I made a huge mess when I started hacking the policy sources in
FC2... is there a document or howto somewhere that describes the
correct way to add a exception that will survive an rpm policy update?

Thanks,

-Tom