Selinux error help - continued

Dan Track dan.track at gmail.com
Thu Feb 8 10:35:57 UTC 2007


On 2/7/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Wed, 2007-02-07 at 17:08 +0000, Dan Track wrote:
> > Hi Stephen.
> >
> > I've moved the conversation over to the selinux list. My program is
> > actually Beltane which is a web front end for managing samhain (a
> > filesystem integrity checker). The point at which the problem arises
> > is when a setuid binary (beltane_cp) wants to write to a file it
> > creates in the /tmp directory and then it wants to move that file to
> > the /var/lib/yule/profiles directory.
>
> Sounds like you should have a separate domain for that binary, and a
> separate type on that directory, so that you can give it the right
> permissions without affecting anything else.
>
> >  It's at this point I get the
> > selinux error:
> >
> > Feb  7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc:
> > denied  { getsession } for  pid=555 comm="httpd"
> > scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> > tclass=process
>
> Question is what process is the target of this getsid(2) call?
> You can find out more information by enabling system call auditing and
> retrying.  auditctl -e 1 or boot with audit=1 or run auditd.
>
> --
> Stephen Smalley
> National Security Agency
>
>


Hi Stephen

Hope things are good.

I enabled auditctl and got the following in /var/log/messages

Feb  8 10:26:51 jupiter kernel: audit(1170930411.956:2939): avc:
denied  { getattr } for  pid=6992 comm="beltane_cp"
name="TMPFILuB4KTI" dev=sda3 ino=147701
scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_var_lib_t tclass=file
Feb  8 10:26:51 jupiter kernel: audit(1170930411.956:2939):
arch=40000003 syscall=196 success=no exit=-13 a0=bff6ab9d a1=bfed575c
a2=8a9ff4 a3=bfed575c items=1 pid=6992 auid=4294967295 uid=48 gid=48
euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="beltane_cp"
exe="/usr/local/bin/beltane_cp"
Feb  8 10:26:51 jupiter kernel: audit(1170930411.956:2939):
path="/var/lib/yule/profiles/TMPFILuB4KTI"
Feb  8 10:26:51 jupiter kernel: audit(1170930411.956:2939):
cwd="/opt/www/beltane/php"
Feb  8 10:26:51 jupiter kernel: audit(1170930411.956:2939):
name="/var/lib/yule/profiles/TMPFILuB4KTI" flags=0
Feb  8 10:26:51 jupiter kernel:  inode=147701 dev=08:03 mode=0100600
ouid=48 ogid=48 rdev=00:00

Hope this helps to figure out what is going on.

Many Thanks
Dan
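An added worked example, not part of the thread and not code from the Beltane or samhain projects: the audit record above shows beltane_cp still running in httpd_sys_script_t (euid=0 makes no difference to SELinux, which only looks at the context) and being denied getattr on a file in httpd_var_lib_t. Stephen's suggestion is a separate domain for the helper and a separate type for /var/lib/yule/profiles, so that the extra permissions are granted to that one domain and not to every web script. The script below writes such a module in refpolicy style (the form Fedora's /usr/share/selinux/devel Makefile expects) and builds and loads it. Every name in it (beltane_cp_t, beltane_cp_exec_t, beltane_cp_tmp_t, yule_profiles_t), the capability set and the /usr/local/bin path are assumptions for this example; refine them against the AVC denials on your own system.

```shell
#!/bin/sh
# Added example (not from the original post or the Beltane project):
# write and load a small SELinux policy module that gives beltane_cp its
# own domain and /var/lib/yule/profiles its own type. All type names,
# the capability set and the binary path are assumptions for this example.

write_policy_files() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/beltane_cp.te" <<'EOF'
policy_module(beltane_cp, 1.0)

########################################
# Declarations (all names are assumptions for this example)

type beltane_cp_t;
type beltane_cp_exec_t;
domain_type(beltane_cp_t)
domain_entry_file(beltane_cp_t, beltane_cp_exec_t)
role system_r types beltane_cp_t;

# scratch files the helper creates before moving them into place
type beltane_cp_tmp_t;
files_tmp_file(beltane_cp_tmp_t)

# own type for the profiles directory, so httpd_sys_script_t never needs
# write access to httpd_var_lib_t as a whole
type yule_profiles_t;
files_type(yule_profiles_t)

########################################
# Local policy

gen_require(`
	type httpd_sys_script_t;
')

# PHP under httpd_sys_script_t executes beltane_cp and lands in beltane_cp_t;
# the pattern also lets the child use the script's fds/pipes and send sigchld.
domtrans_pattern(httpd_sys_script_t, beltane_cp_exec_t, beltane_cp_t)

# setuid-root helper: assumed capability set, trim it to what ausearch shows
allow beltane_cp_t self:capability { setuid setgid chown fowner fsetid };

# create/write/rename/unlink its temp files, in /tmp and in the profiles dir
manage_files_pattern(beltane_cp_t, beltane_cp_tmp_t, beltane_cp_tmp_t)
files_tmp_filetrans(beltane_cp_t, beltane_cp_tmp_t, file)
manage_dirs_pattern(beltane_cp_t, yule_profiles_t, yule_profiles_t)
manage_files_pattern(beltane_cp_t, yule_profiles_t, yule_profiles_t)
files_search_var_lib(beltane_cp_t)

# needed by any new domain on the refpolicy of this era (later releases
# pull these in through domain_type and may warn that they are deprecated)
libs_use_ld_so(beltane_cp_t)
libs_use_shared_libs(beltane_cp_t)
miscfiles_read_localization(beltane_cp_t)
EOF

    cat > "$dir/beltane_cp.fc" <<'EOF'
/usr/local/bin/beltane_cp	--	gen_context(system_u:object_r:beltane_cp_exec_t,s0)
/var/lib/yule/profiles(/.*)?		gen_context(system_u:object_r:yule_profiles_t,s0)
EOF
}

# Build, load and relabel; run this by hand as root on the target host
# (needs selinux-policy-devel for /usr/share/selinux/devel/Makefile).
build_and_install() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile beltane_cp.pp ) || return 1
    semodule -i "$dir/beltane_cp.pp" || return 1
    restorecon -Rv /usr/local/bin/beltane_cp /var/lib/yule/profiles
    # confirm the labels took, then retest through Beltane and look only at
    # denials raised by the helper itself
    ls -Z /usr/local/bin/beltane_cp /var/lib/yule/profiles
    ausearch -m avc -c beltane_cp -ts recent
}

write_policy_files "${POLICY_DIR:-./beltane_cp-policy}"
echo "policy files written; as root run: build_and_install ${POLICY_DIR:-./beltane_cp-policy}"
```

Two checks worth doing after loading it: the scontext in any fresh denial should now read beltane_cp_t rather than httpd_sys_script_t, which confirms the domain transition actually happened (if it still says httpd_sys_script_t, the binary was not relabeled to beltane_cp_exec_t), and whatever domain the yule server runs in will need read access to yule_profiles_t, which this module does not grant; its denials will show up in the same ausearch output.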

More information about the fedora-selinux-list mailing list