FC 6 - selinux issue with adding a new custom module

Jeff Holt jeff.holt at hotsos.com
Thu Aug 2 21:04:54 UTC 2007


I just copied mod_slam.so to /etc/httpd/modules, executed chcon -r
mod_alias.so mod_slam.so, and edited /etc/httpd/httpd.conf to load the
new module. As a result, I get the following avc error in my
/var/log/messages.

Aug  2 13:28:00 build02 kernel: audit(1186079280.127:7): avc:  denied  {
execmod } for  pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0
ino=8847362 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file

When I pass this text to audit2allow I get very little help.

$ tail -1 /var/log/messages | audit2allow

#============= httpd_t ==============
allow httpd_t httpd_modules_t:file execmod;
#

When I pass it to audit2why, I still get no more help.

Aug  2 14:17:07 build02 kernel: audit(1186082227.562:10): avc:  denied
{ execmod } for  pid=19707 comm="httpd" name="mod_slam.so" dev=dm-0
ino=8847362 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean
settings; check boolean settings.
                You can see the necessary allow rules by running
audit2allow with this audit message as input.

What I find frustrating is that loading the installed modules (i.e.,
installed with the httpd package) does not cause avc errors. In fact, if I
rename, say, mod_alias.so to something else it still loads after I
temporarily edit httpd.conf. And so, I find it hard to believe that the
security policy knows about specific file names. When I copy
mod_alias.so to something else (i.e., to give it a new inode) it still
loads, and so I think that proves the security policy also knows nothing
about inodes. These two tests of renaming/copying mod_alias.so
demonstrate to me that rebooting the server or some other
"configuration" action is not necessary.

My actual first question, since I know so little about selinux, is this:
if my module has the same security context as other modules, then why
does an attempt to load it cause that avc error?

Can anyone render assistance?
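Added example (not from the original post and not audit2allow's own code): a POSIX shell function that performs the same mapping audit2allow applies to the AVC line quoted above, pulling the source type, target type, object class and denied permission set out of the message and emitting the TE allow rule, plus a check that flags execmod on a file, since that permission is requested when a mapped library must be written (relocated) and then executed, which points at text relocations in the .so rather than at its file context. The sample input is the poster's own message rejoined onto one line, as audit2allow reads it; the readelf hint assumes binutils is installed.

```shell
#!/bin/sh
# Constructed sample: the AVC denial from the post, rejoined onto one line.
AVC_SAMPLE='Aug  2 13:28:00 build02 kernel: audit(1186079280.127:7): avc:  denied  { execmod } for  pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file'

# avc_to_rule LINE
# Prints "allow <src_type> <tgt_type>:<class> <perms>;" from the type field
# (third colon-separated component) of scontext and tcontext, the tclass
# field, and the permission set between the braces. Exits 1 if a field is
# missing, so a truncated log line never yields a half-built rule.
avc_to_rule() {
    printf '%s\n' "$1" | awk '
    {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) exit 1
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") exit 1
        if (perms ~ / /) perms = "{ " perms " }"   # several perms -> brace set
        printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
    }'
}

# needs_textrel_fix LINE
# Returns 0 when the denial is execmod on a file: the process tried to map
# a file it had just written (relocated) with execute permission. That is
# what a shared object with text relocations does at load time, so the
# remedy is usually to rebuild the module as position-independent code,
# not to grant execmod to httpd_t.
needs_textrel_fix() {
    printf '%s\n' "$1" | grep -q 'denied *{[^}]*execmod[^}]*} .*tclass=file$'
}

avc_to_rule "$AVC_SAMPLE"
if needs_textrel_fix "$AVC_SAMPLE"; then
    echo "note: execmod on a file usually means text relocations;"
    echo "      check with: readelf -d mod_slam.so | grep TEXTREL"
fi
```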
