rhel selinux question

Thu Aug 23 18:19:15 UTC 2007

If someone would be so kind to answer a noob question.  When installing an
apache authentication extension called WebAuth (3.5.4), it works great with
selinux disabled (setenforce 0), but turn on enforcement (setenforce 1),
bam, cant read/write the necessary files.  To selinux, perhaps it looks like
rogue code trying to modify configuration files.

Files:

/etc/httpd/conf/webauth/keytab

/etc/httpd/conf/webauth/keyring

/etc/httpd/conf/webauth/service_token_cache

Messages:

audit(1187726388.800:5): avc:  denied  { write } for  pid=2030 comm="httpd"
name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_config_t:s0 tclass=dir

audit(1187727527.410:38): avc:  denied  { read } for  pid=2229 comm="httpd"
name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file

audit(1187727527.415:39): avc:  denied  { read } for  pid=2229 comm="httpd"
name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file

audit(1187727527.420:40): avc:  denied  { write } for  pid=2229 comm="httpd"
name="service_token_cache" dev=dm-0 ino=66426
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0
tclass=file

audit2allow says

"allow httpd_t httpd_config_t:dir write;

allow httpd_t httpd_config_t:file write;

allow httpd_t user_home_t:file read;"

but this seems arbitrarily permissive.

What would give only access read/write access these three files?  Sorry if
this is off-topic.

Running RHEL 5 ("ES", 32-bit) patched.  RTFM'ed already:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
not much help.

Kind Regards,

Barry Allard

Systems Administrator

Stanford Medical Informatics

+1.650.723.7270

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20070823/c2b940c5/attachment.htm>