Please review allow rules

Daniel J Walsh dwalsh at redhat.com
Wed Aug 23 18:29:31 UTC 2006


Charles A. Crayne wrote:
> The following rules were created by audit2allow to enable my server to
> operate denial messages. If some kind soul would glance over them to see
> if they raise any red flags, I would appreciate it.
>
> allow fetchmail_t user_home_t:file { getattr ioctl read };
> allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
> allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
>
This looks like you have a labeling problem on a directory, and perhaps you do not have the correct boolean set for httpd?

getsebool httpd_enable_homedirs

Should be set to 1 if you want apache to be able to read homedirs.

setsebool -P httpd_enable_homedirs=1

> allow httpd_t snmpd_var_lib_t:file { getattr read }; 
> allow httpd_t system_dbusd_var_run_t:dir { getattr read }; 
> allow innd_t file_t:file { getattr ioctl read write }; 
>   
This looks like a labeling problem.  file_t should never be present on a system.  I would recommend relabeling:

touch /.autorelabel; reboot

> allow innd_t home_root_t:dir search;
> allow innd_t tmp_t:dir search;
> allow innd_t user_home_t:file { getattr read };
> allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
> allow procmail_t innd_etc_t:dir search;
> allow procmail_t innd_etc_t:file read;
> allow procmail_t innd_exec_t:file { execute execute_no_trans read };
> allow procmail_t innd_port_t:tcp_socket name_connect;
> allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
> allow procmail_t procmail_exec_t:file execute_no_trans;
> allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
> allow procmail_t razor_port_t:tcp_socket name_connect;
> allow procmail_t smtp_port_t:tcp_socket name_connect;
> allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
> allow procmail_t tmp_t:file { create getattr ioctl read unlink write };
> allow procmail_t user_home_t:file { execute execute_no_trans };
> allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
> allow spamd_t user_home_dir_t:dir read;
> allow spamd_t user_home_dir_t:file { append getattr ioctl read };
>   
Do you have the spamd_enable_home_dirs boolean set?

setsebool -P spamd_enable_home_dirs=1

> allow xfs_t default_t:dir search;
> allow xfs_t default_t:file { getattr read };
>
> -- Chuck
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
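The triage Dan does by hand above (file_t means fix the labels rather than write an allow rule; httpd or spamd domains touching home-directory types usually mean a boolean is off) can be applied to a whole batch of audit2allow output. The script below is an added example and is not from this thread or from the SELinux project; the sample rules are constructed, the source-domain patterns (httpd_*, spamd_t) and the boolean names are taken from Dan's reply, and treating default_t like file_t is my extension (default_t likewise means no file context rule matched the path). It expects one rule per line, as audit2allow prints them, so mail-wrapped rules need rejoining first.

```shell
#!/bin/sh
# Triage audit2allow output: decide which rules point at a labeling
# problem or an unset boolean before anyone considers loading them.
# Nothing here changes the running system; it only prints verdicts.

# Constructed sample rules, one per line, in audit2allow's format.
SAMPLE_RULES='allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read search };
allow innd_t file_t:file { getattr ioctl read write };
allow spamd_t user_home_dir_t:dir read;
allow xfs_t default_t:dir search;
allow procmail_t smtp_port_t:tcp_socket name_connect;'

# triage_rules: reads allow rules on stdin and prints one line per rule:
#   VERDICT source_type target_type suggested_action
# RELABEL  - target is file_t/default_t: labels are wrong, relabel instead
# BOOLEAN  - a daemon domain touching home dirs: toggle the boolean instead
# REVIEW   - no heuristic matched; a human has to decide
triage_rules() {
  awk '
    $1 == "allow" {
      src = $2
      split($3, tc, ":")      # "user_home_t:file" -> type, class
      tgt = tc[1]
      if (tgt == "file_t" || tgt == "default_t")
        print "RELABEL", src, tgt, "touch /.autorelabel; reboot"
      else if (src ~ /^httpd_/ && tgt ~ /^user_home/)
        print "BOOLEAN", src, tgt, "setsebool -P httpd_enable_homedirs=1"
      else if (src == "spamd_t" && tgt ~ /^user_home/)
        print "BOOLEAN", src, tgt, "setsebool -P spamd_enable_home_dirs=1"
      else
        print "REVIEW", src, tgt, "-"
    }'
}

# count_verdict VERDICT: how many sample rules got the given verdict
count_verdict() {
  printf '%s\n' "$SAMPLE_RULES" | triage_rules | awk -v v="$1" '$1 == v' | wc -l | tr -d ' '
}

# Run the triage over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | triage_rules
```

To use it on a real system, replace the sample with `audit2allow -a` output piped into `triage_rules`; anything marked RELABEL or BOOLEAN should be fixed that way first, and only the REVIEW lines are candidates for a local policy module.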



