Selinux error help - continued

Dan Track dan.track at
Wed Feb 7 17:08:16 UTC 2007

On Wed, 2007-02-07 at 16:34 +0000, Dan Track wrote:
> Hi Stephen
> Firstly apologies for sending to the wrong list.

Ok, then take follow-ups to fedora-selinux-list please.

> Thanks for the advice it was really an eye opener. I trawlled through
> the assert.te file in my selinux src directory, however I can tell
> which rule to remove, could you please guide to which rule it is.
> Currently my file looks like this:
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:process ~sigchld;

The rule above.  Rather than removing it entirely, you could adjust it
to make a specific exception for this case.  What do you truly need your
process to be able to do?

> # Confined domains must never see unconfined domain's /proc/pid entries.
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:dir { getattr search };

This one will also get in your process' way if it truly needs to operate
on unconfined processes.

Naturally, if you go too far in this direction, you are effectively
removing any real restriction on httpd and might as well just disable
its protection altogether (via the corresponding boolean).

Hi Stephen.

I've moved the conversation over to the selinux list. My program is
actually Beltane which is a web front end for managing samhain ( a
filesystem integrity checker). The point at which the problem arises
is when a setuid binary (belatne_cp) wants to write to a file it
creates in the /tmp directory and then it wants to move that file to
the /var/lib/yule/profiles directory. Its at this point I get the
selinux error:

Feb  7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc:
denied  { getsession } for  pid=555 comm="httpd"
scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
Feb  7 14:26:27 jupiter kernel: audit(1170858387.985:2548): avc:
denied  { getattr } for  pid=14295 comm="beltane_cp"
name="TMPFILIyEqoa" dev=sda3 ino=147699
tcontext=root:object_r:httpd_var_lib_t tclass=file

This beltane_cp file is called by apache.

Hope this helps in making clear what I'm trying to do.

Thanks again

More information about the fedora-selinux-list mailing list