FC 6 - selinux issue with adding a new custom module
Jeff Holt
jeff.holt at hotsos.com
Thu Aug 2 21:04:54 UTC 2007
I just copied mod_slam.so to /etc/httpd/modules, executed chcon -r
mod_alias.so mod_slam.so, and edited /etc/httpd/httpd.conf to load the
new module. As a result, I get the following avc error in my
/var/log/messages.
Aug 2 13:28:00 build02 kernel: audit(1186079280.127:7): avc: denied {
execmod } for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0
ino=8847362 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
When I pass this text to audit2allow I get very little help.
$ tail -1 /var/log/messages | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_modules_t:file execmod;
#
When I pass it to audit2why I get no more help still.
Aug 2 14:17:07 build02 kernel: audit(1186082227.562:10): avc: denied
{ execmod } for pid=19707 comm="httpd" name="mod_slam.so" dev=dm-0
ino=8847362 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
What I find frustrating is that loading the installed modules (i.e.,
installed with the httpd package) does not cause avc errors. In fact, if I
rename, say, mod_alias.so to something else it still loads after I
temporarily edit httpd.conf. And so, I find it hard to believe that the
security policy knows about specific file names. When I copy
mod_alias.so to something else (i.e., to give it a new inode) it still
loads and so I think that proves the security policy also knows nothing
about inodes. These two tests of renaming/copying mod_alias.so
demonstrate to me that rebooting the server or some other
"configuration" action is not necessary.
My actual first question, since I know so little about selinux, is this:
if my module has the same security context as other modules, then why
does an attempt to load it cause that avc error?
Can anyone render assistance?
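As an added illustration (not part of the post or any reply to it), the following Python parses the two denial records quoted above and collapses them into the same allow rule audit2allow printed. It also flags execmod on a plain file, which is what the kernel asks for when a shared object needs text relocations (typically one not built with -fPIC); the installed Apache modules are built position-independent, so they never request it. That distinction, not the file name, inode or context, is why mod_slam.so is denied while a renamed mod_alias.so loads, and it is worth confirming with readelf -d mod_slam.so (look for TEXTREL) before granting the rule.

```python
import re
from collections import defaultdict

# The two AVC records from the post, rejoined onto single lines (sample input).
AVC_LINES = [
    'Aug 2 13:28:00 build02 kernel: audit(1186079280.127:7): avc: denied { execmod } '
    'for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file',
    'Aug 2 14:17:07 build02 kernel: audit(1186082227.562:10): avc: denied { execmod } '
    'for pid=19707 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': sorted(m.group('perms').split())}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """user_u:system_r:httpd_t:s0 -> httpd_t (the type is the third field)."""
    return context.split(':')[2]


def allow_rules(lines):
    """Collapse denials into allow rules in the form audit2allow prints them."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        perms[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        p = next(iter(ps)) if len(ps) == 1 else '{ ' + ' '.join(sorted(ps)) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {p};')
    return rules


def execmod_on_file(rec):
    """True when a file mapping was made executable after being written to,
    i.e. the object carries text relocations; the fix is usually a -fPIC rebuild."""
    return rec is not None and rec.get('tclass') == 'file' and 'execmod' in rec['perms']


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
```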