rhel selinux question

Ken YANG spng.yang at gmail.com
Fri Aug 24 09:04:44 UTC 2007


Barry Allard wrote:
> If someone would be so kind to answer a noob question.  When installing an
> apache authentication extension called WebAuth (3.5.4), it works great with
> selinux disabled (setenforce 0), but turn on enforcement (setenforce 1),
> bam, can't read/write the necessary files.  To selinux, perhaps it looks like
> rogue code trying to modify configuration files.
> 
> Files:
> 
> /etc/httpd/conf/webauth/keytab
> /etc/httpd/conf/webauth/keyring
> /etc/httpd/conf/webauth/service_token_cache
> 
> Messages:
> 
> audit(1187726388.800:5): avc:  denied  { write } for  pid=2030 comm="httpd"
> name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0
> tcontext=root:object_r:httpd_config_t:s0 tclass=dir
> 
> audit(1187727527.410:38): avc:  denied  { read } for  pid=2229 comm="httpd"
> name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
> tcontext=root:object_r:user_home_t:s0 tclass=file
> 
> audit(1187727527.415:39): avc:  denied  { read } for  pid=2229 comm="httpd"
> name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
> tcontext=root:object_r:user_home_t:s0 tclass=file
> 
> audit(1187727527.420:40): avc:  denied  { write } for  pid=2229 comm="httpd"
> name="service_token_cache" dev=dm-0 ino=66426
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0
> tclass=file
> 
> audit2allow says
> 
> "allow httpd_t httpd_config_t:dir write;
> allow httpd_t httpd_config_t:file write;
> allow httpd_t user_home_t:file read;"
> 
> but this seems arbitrarily permissive.
> 
> What would give only read/write access to these three files?  Sorry if
> this is off-topic.

If you only want to permit access to these three files, you can define a
specific type for these files, e.g. webauth_config_t, and associate that
type with the corresponding files in the ".fc" file.

After installing your own module, restorecon the labels of your files;
then this policy module will give access only to these files.


> 
> Running RHEL 5 ("ES", 32-bit) patched.  RTFM'ed already:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
> not much help.
> 
> Kind Regards,
> 
> Barry Allard
> Systems Administrator
> Stanford Medical Informatics
> +1.650.723.7270
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

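The module Ken describes, written out as an added example (this is not code from the thread, from WebAuth, or from the Fedora policy): a .te file that defines private types for the WebAuth files, a .fc file that maps the paths from Barry's post onto those types, and the build/load/relabel steps for a RHEL 5 box. It goes one step further than a single webauth_config_t by giving the keytab its own read-only type (webauth_keytab_t), so a compromised httpd can still not overwrite the Kerberos key. The type names, the split into two types, the refpolicy permission sets (rw_dir_perms, manage_file_perms, read_file_perms), the files_type() interface, and the location of the refpolicy Makefile under /usr/share/selinux/devel (shipped in selinux-policy-devel) are all assumptions of the example; the paths are the ones in the post.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: a minimal SELinux
# policy module that gives httpd_t access only to WebAuth's own files,
# instead of audit2allow's blanket httpd_config_t / user_home_t rules.
# Assumes RHEL 5 with selinux-policy-devel installed (refpolicy Makefile
# under /usr/share/selinux/devel) and the paths from the original post.

WEBAUTH_DIR=/etc/httpd/conf/webauth

# write_webauth_policy DIR: emit webauth.te and webauth.fc into DIR.
write_webauth_policy() {
    cat > "$1/webauth.te" <<'EOF'
policy_module(webauth, 1.0.0)

require {
    type httpd_t;
}

# The keytab is a secret httpd only ever reads: it gets its own type
# (assumed name) so no rule below lets httpd write it.
type webauth_keytab_t;
files_type(webauth_keytab_t)

# keyring and service_token_cache are rewritten by httpd at runtime.
type webauth_config_t;
files_type(webauth_config_t)

# The first denial in the post was a write on the webauth directory
# itself, so httpd needs read/write on the dir as well as the files.
allow httpd_t webauth_config_t:dir rw_dir_perms;
allow httpd_t webauth_config_t:file manage_file_perms;
allow httpd_t webauth_keytab_t:file read_file_perms;
EOF

    # The more specific keytab entry comes last so it wins over the
    # directory-wide entry when the tree is relabeled.
    cat > "$1/webauth.fc" <<'EOF'
/etc/httpd/conf/webauth(/.*)?        gen_context(system_u:object_r:webauth_config_t,s0)
/etc/httpd/conf/webauth/keytab  --   gen_context(system_u:object_r:webauth_keytab_t,s0)
EOF
}

# policy_grants TE_FILE TYPE CLASS: succeeds if the .te contains an allow
# rule from httpd_t to TYPE on CLASS. A quick check that the module grants
# only what was intended (e.g. nothing on httpd_config_t) before loading it.
policy_grants() {
    grep -q "^allow httpd_t $2:$3 " "$1"
}

# build_and_install DIR: compile the module, load it, relabel the files
# (the keytab in the post still carried user_home_t from wherever it was
# copied from; restorecon fixes that as well), then show the new labels.
build_and_install() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile webauth.pp ) || return 1
    semodule -i "$1/webauth.pp" || return 1
    restorecon -Rv "$WEBAUTH_DIR" || return 1
    ls -Z "$WEBAUTH_DIR"
}

# Usage (as root on the web host): sh webauth-policy.sh /root/webauth-policy
if [ -n "$1" ]; then
    mkdir -p "$1"
    write_webauth_policy "$1"
    build_and_install "$1"
fi
```

After loading, restart httpd and check /var/log/audit/audit.log: any remaining avc denial should now name webauth_config_t or webauth_keytab_t, which tells you exactly which extra permission WebAuth wants, rather than a generic write on httpd_config_t. If the build rejects rw_dir_perms or manage_file_perms, the installed refpolicy is older than assumed here and the rules can be spelled out with the individual permissions from the denials instead.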