rhel selinux question
Barry Allard
ballard at stanford.edu
Thu Aug 23 18:19:15 UTC 2007
If someone would be so kind to answer a noob question. When installing an
apache authentication extension called WebAuth (3.5.4), it works great with
selinux disabled (setenforce 0), but turn on enforcement (setenforce 1),
bam, can't read/write the necessary files. To selinux, perhaps it looks like
rogue code trying to modify configuration files.
Files:
/etc/httpd/conf/webauth/keytab
/etc/httpd/conf/webauth/keyring
/etc/httpd/conf/webauth/service_token_cache
Messages:
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd"
name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd"
name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd"
name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd"
name="service_token_cache" dev=dm-0 ino=66426
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0
tclass=file
audit2allow says
"allow httpd_t httpd_config_t:dir write;
allow httpd_t httpd_config_t:file write;
allow httpd_t user_home_t:file read;"
but this seems arbitrarily permissive.
What would give only read/write access to these three files? Sorry if
this is off-topic.
Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
not much help.
Kind Regards,
Barry Allard
Systems Administrator
Stanford Medical Informatics
+1.650.723.7270
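An added example in Python, not part of Barry's post or of the WebAuth project: it parses the AVC records quoted above, reproduces the blanket rules audit2allow would derive from them, and sorts each denial into "file is mislabelled, relabel it" (the keytab carries user_home_t under /etc/httpd, so restorecon rather than an allow rule is the fix), "file is written at runtime, so it needs a writable type instead of write access to httpd_config_t", or a genuine policy gap. The path map comes from the post's file list; the expected-label table is an assumption to confirm on the host with matchpathcon.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the post, each re-joined onto a single line.
AVC_LINES = [
    'audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir',
    'audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file',
]
# Paths from the post, keyed by the name= field of the AVC record.
PATHS = {"webauth": "/etc/httpd/conf/webauth",
         "keytab": "/etc/httpd/conf/webauth/keytab",
         "service_token_cache": "/etc/httpd/conf/webauth/service_token_cache"}
# Label the policy expects under this prefix (assumption; confirm with `matchpathcon` on the host).
EXPECTED = {"/etc/httpd/conf": "httpd_config_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?name="(?P<name>[^"]*)"'
                    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]   # e.g. httpd_config_t
    return d

def audit2allow_rules(denials):
    """The blanket rules audit2allow derives: one allow per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items())

def triage(d):
    """Classify one denial: a mislabelled file is fixed by relabelling, not by widening policy."""
    path = PATHS.get(d["name"], d["name"])
    expected = next((t for p, t in EXPECTED.items() if path.startswith(p)), None)
    if expected and d["ttype"] != expected:
        return ("mislabel", f"{path} is {d['ttype']} but should be {expected}: restorecon -v {path}")
    if "write" in d["perms"] and d["ttype"] == expected:
        return ("relabel-writable", f"{path} is written at runtime; give it a type httpd_t may write "
                f"(semanage fcontext -a -t <writable type> '{path}' && restorecon -v {path}) instead of allowing write to {expected}")
    return ("policy-gap", f"{d['stype']} needs {d['perms']} on {d['ttype']}:{d['tclass']}; build a module for exactly that")

def triage_all(lines):
    """Parse all lines; return (audit2allow-style rules, {name: triage category})."""
    denials = [d for d in map(parse_avc, lines) if d]
    return audit2allow_rules(denials), {d["name"]: triage(d)[0] for d in denials}
```

Running triage_all(AVC_LINES) shows that none of the three files needs the audit2allow rules: the keytab needs restorecon, and the two runtime-written objects need a writable label.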