A few permission problems

Nicklas Norling exinor at exinor.net
Sat Jul 16 13:28:53 UTC 2005


Hi.

I've got a system updated from old Red Hat releases to FC2-3 and now 4. I've just downloaded selinux-policy-targeted and have been able to fix most of my problems with setsebool etc. while in permissive mode. However, a few more difficult issues still intrigue me and I'd love it if someone would offer some help.

First:
[root@spock ~]# audit2allow -i /var/log/messages -l
allow dovecot_auth_t selinux_config_t:file { getattr read };
allow httpd_sys_script_t var_t:dir getattr;
allow named_t unconfined_t:fifo_file read;
allow smbd_t selinux_config_t:dir search;
allow smbd_t selinux_config_t:file { getattr read };
allow webalizer_t home_root_t:dir search;
allow webalizer_t user_home_dir_t:dir search;


The dovecot-auth problem seems to occur with every new connection to dovecot:

Jul 16 14:00:16 spock kernel: audit(1121515216.305:122): avc:  denied  { read } for  pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 16 14:00:16 spock kernel: audit(1121515216.305:123): avc:  denied  { getattr } for  pid=21686 comm="dovecot-auth" name="config" dev=hda3 ino=394549 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:selinux_config_t tclass=file


The httpd problem appears to be python related. Not sure which of my web applications is triggering it (if any). Maybe MoinMoin Wiki, but I can't seem to trigger it myself; maybe a search spider is triggering it.

Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc:  denied  { getattr } for  pid=20378 comm="python" name="var" dev=hda3 ino=163841 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir


named is denied some fun?

Jul 14 15:39:10 spock named[1771]: exiting
Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc:  denied  { read } for  pid=16108 comm="named-checkconf" name="[196624]" dev=pipefs ino=196624 scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named


Samba appears to want to read the selinux config file? Every access to a home directory triggers this despite the correct sebool being set.

Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc:  denied  { search } for  pid=17122 comm="smbd" name="selinux" dev=hda3 ino=394114 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 15 02:43:18 spock kernel: audit(1121388198.077:105): avc:  denied  { read } for  pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 15 02:43:18 spock kernel: audit(1121388198.078:106): avc:  denied  { getattr } for  pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file


webalizer is being asked to put its resulting web pages into a local user's web directory in support of per-user usage stats. The user's web folder has the correct objects set for httpd security.

Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc:  denied  { search } for  pid=3409 comm="webalizer" name="home" dev=hda3 ino=819203 scontext=system_u:system_r:webalizer_t tcontext=system_u:object_r:home_root_t tclass=dir
Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc:  denied  { search } for  pid=3409 comm="webalizer" name="joakim" dev=hda3 ino=458781 scontext=system_u:system_r:webalizer_t tcontext=user_u:object_r:user_home_dir_t tclass=dir


In addition to this I have a shared folder with 'public' material, files that I offer for download/upload. This folder is shared to my users with ftp as well as samba. Is this even possible to do with selinux?

Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:  denied  { search } for  pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:  denied  { getattr } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:  denied  { read } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir

audit2allow suggests:
allow smbd_t ftpd_anon_t:dir { getattr read search };

Grateful for any tips, hoping to enforce soon!
/Nicke
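As an added example (not part of Nicke's post and not a Fedora or audit2allow tool), a small Python script that undoes the mail-client wrapping of the AVC lines quoted above and folds the denials into the same "allow" rules audit2allow prints, so a pasted log excerpt can be checked against what a proposed rule would grant before anything goes into policy. The syslog and AVC field layout is the one shown in the post; the RECORD_START and AVC names and the embedded sample are mine.

```python
import re
from collections import defaultdict
# A syslog record starts "Mon DD HH:MM:SS host"; a mail-wrapped continuation does not.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# Fields of a kernel AVC denial; contexts here are user:role:type (no MLS level).
AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bscontext=(?P<scon>\S+)"
                 r".*?\btcontext=(?P<tcon>\S+).*?\btclass=(?P<tclass>\w+)")

def unwrap(text):
    # Glue continuation fragments back verbatim: the wrap kept any trailing
    # space, and splits such as 'selinu' + 'x' must rejoin without one.
    records = []
    for fragment in text.splitlines():
        if RECORD_START.match(fragment) or not records:
            records.append(fragment)
        else:
            records[-1] += fragment
    return records

def denials(text):
    # Yield (source_type, target_type, tclass, permission), one per denied permission.
    for record in unwrap(text):
        m = AVC.search(record)
        if m:
            src = m.group("scon").split(":")[2]
            tgt = m.group("tcon").split(":")[2]
            for perm in m.group("perms").split():
                yield src, tgt, m.group("tclass"), perm

def allow_rules(text):
    # Fold the denials into audit2allow-style "allow src tgt:class perms;" lines.
    perms = defaultdict(set)
    for src, tgt, cls, perm in denials(text):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

# Constructed sample: the smbd/ftpd_anon_t denials from the post, the first one
# wrapped by the mail client as it arrived, the other two as syslog wrote them.
SAMPLE = "\n".join([
    "Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc:  denied  { ",
    'search } for  pid=21818 comm="smbd" name="/" dev=hdc1 ino=2 ',
    "scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t ",
    "tclass=dir",
    'Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc:  denied  { getattr } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir',
    'Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc:  denied  { read } for  pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t tclass=dir',
])
```

Running `allow_rules(open("/var/log/messages").read())` on a real log gives one line per (source, target, class) triple, which makes it easy to see when a single rule would grant far more than the one access that was actually needed.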