Squirrelmail disk quota plugin

Daniel J Walsh dwalsh at redhat.com
Mon Sep 17 21:04:06 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ludman Tamás wrote:
> Hi all,
> sorry for my bad English, I hope you understand my problem.
> I would like to use Squirrelmail's plugin: quota_check, but SELinux
> doesn't allow this...
> "...disk quota plugin: Uses the *nix quota binary as wwwquota to get
> information about and show the disk quota usage of the user logged in.
> It incorporates Flash movies to display more attractive and interactive
> information. ..."
> 
> 
> I tried these:
> [root at modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
> [root at modules]# checkmodule -M -m -o local.mod local.te
> checkmodule:  loading policy configuration from local.te
> checkmodule:  policy configuration loaded
> checkmodule:  writing binary representation (version 6) to local.mod
> [root at modules]# semodule_package -o local.pp -m local.mod
> [root at modules]# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> httpd_t s
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> 
> and I tried another way, but the result is the same as above:
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i local.pp
> 
> ______________________________________________
> in my audit.log:
> ....
> 
> type=AVC msg=audit(1189681628.573:13563): avc:  denied  { read } for 
> pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681628.573:13564): avc:  denied  { write } for 
> pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> type=AVC msg=audit(1189681697.332:13578): avc:  denied  { read } for 
> pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681697.332:13579): avc:  denied  { getattr } for 
> pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681697.334:13580): avc:  denied  { write } for 
> pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=sock_file
> type=AVC msg=audit(1189681697.334:13580): avc:  denied  { sendto } for 
> pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
> type=AVC msg=audit(1189681704.450:13587): avc:  denied  { read } for 
> pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681704.450:13588): avc:  denied  { getattr } for 
> pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1189681776.487:13607): avc:  denied  { search } for 
> pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
> type=AVC msg=audit(1189681776.489:13608): avc:  denied  { getattr } for 
> pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> type=AVC msg=audit(1189681776.490:13609): avc:  denied  { quotaget }
> for  pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1189681826.629:13630): avc:  denied  { search } for 
> pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
> type=AVC msg=audit(1189681826.631:13631): avc:  denied  { getattr } for 
> pid=31975 comm="wwwquota" name="md6" dev=tmpfs ino=7380
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> type=AVC msg=audit(1189681826.632:13632): avc:  denied  { quotaget }
> for  pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> .....
> ______________________________________________
> 
> in my /etc/sudoers:
> ...
> apache  ALL=NOPASSWD:   /usr/bin/wwwquota -v [A-z]*
> ...
> ______________________________________________
> in my /etc/selinux/config:
> 
> SELINUX=enforcing
> SELINUXTYPE=targeted
> SETLOCALDEFS=0
> ______________________________________________
> 
> My system is:
> Fedora Core 6, kernel 2.6.22.2-42.fc6
> libselinux.i386                          1.33.4-2.fc6  
> libselinux-devel.i386                    1.33.4-2.fc6
> selinux-policy.noarch                    2.4.6-80.fc6         
> selinux-policy-devel.noarch              2.4.6-80.fc6    
> selinux-policy-mls.noarch                2.4.6-80.fc6         
> selinux-policy-strict.noarch             2.4.6-80.fc6        
> selinux-policy-targeted.noarch           2.4.6-80.fc6
> 
> What can I do?
> 
> Thanks a lot, everybody.
> 
> LT
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The policy compiler is blocking you from reading shadow_t.


Read this week's blog

http://danwalsh.livejournal.com/12333.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG7uvGrlYvE4MpobMRAs6LAJ9P1fvq6pYQYuBt364WvXWfHFMMswCg0DsN
RekIfR2lfunBjjDSAfyLoOo=
=TlPz
-----END PGP SIGNATURE-----
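The denials quoted in the thread, triaged the way a practitioner would before building a module. This is an added Python example, not code from the thread and not part of Fedora's SELinux tooling. It re-parses a constructed subset of the AVC records from the message, groups them into allow rules the way audit2allow -m does, and sets aside any rule a neverallow would reject. The NEVERALLOW table is an assumption taken from the reference policy's authlogin module (read, write, create and relabelto on shadow_t:file are reserved for domains carrying the can_*_shadow_passwords attributes, which httpd_t does not have); the page itself only says the compiler blocks reading shadow_t. The exclude_comms parameter and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the AVC records quoted in the message above,
# re-joined onto one line per record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1189681697.332:13578): avc:  denied  { read } for  pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.332:13579): avc:  denied  { getattr } for  pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.334:13580): avc:  denied  { write } for  pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.334:13580): avc:  denied  { sendto } for  pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1189681776.487:13607): avc:  denied  { search } for  pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681776.489:13608): avc:  denied  { getattr } for  pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681776.490:13609): avc:  denied  { quotaget } for  pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# ASSUMPTION (reference policy authlogin module, not stated on the page):
# (target type, class) -> permissions a neverallow reserves for domains with
# the can_*_shadow_passwords attributes. httpd_t has none of them, so any
# allow rule granting these to httpd_t fails at semodule expand time.
NEVERALLOW = {("shadow_t", "file"): {"read", "write", "create", "relabelto"}}


def parse_avc(line):
    """Return {'comm', 'stype', 'ttype', 'tclass', 'perms'} for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    ctx_type = lambda ctx: ctx.split(":")[2]  # user:role:type[:level]
    return {
        "comm": fields.get("comm", "?"),
        "stype": ctx_type(fields["scontext"]),
        "ttype": ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": set(m.group(1).split()),
    }


def triage(audit_text, exclude_comms=()):
    """Merge denials into (stype, ttype, tclass) -> perms, skipping records from
    programs in exclude_comms. Returns (allowable, blocked, comms): blocked holds
    rules that would violate NEVERALLOW, comms maps each rule to the programs
    whose denials produced it, so you can see where a rule came from."""
    rules, comms = OrderedDict(), {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["comm"] in exclude_comms:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
        comms.setdefault(key, set()).add(rec["comm"])
    allowable, blocked = OrderedDict(), OrderedDict()
    for key, perms in rules.items():
        # A rule with even one forbidden permission is useless as a whole:
        # the operation that caused it cannot be allowed from this domain.
        if perms & NEVERALLOW.get(key[1:], set()):
            blocked[key] = perms
        else:
            allowable[key] = perms
    return allowable, blocked, comms


def render_te(module, allowable):
    """Emit a .te file in the shape audit2allow -m produces, from surviving rules only."""
    types, classes = set(), {}
    for (s, t, c), perms in allowable.items():
        types.update((s, t))
        classes.setdefault(c, set()).update(perms)
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in allowable.items():
        out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    _, blocked, comms = triage(SAMPLE_AUDIT)
    for (s, t, c), perms in blocked.items():
        print("neverallow would reject: allow %s %s:%s %s  (from %s)"
              % (s, t, c, sorted(perms), ", ".join(sorted(comms[(s, t, c)]))))
    allowable, _, _ = triage(SAMPLE_AUDIT, exclude_comms=("sudo",))
    print(render_te("local", allowable))
```

Every shadow_t record in the quoted log carries comm="sudo", so running the triage without sudo's records leaves only the three wwwquota rules (sysctl_fs_t search, fixed_disk_device_t getattr, fs_t quotaget) and the generated local.te no longer contains the allow rule on shadow_t that the assertion checker refuses. Whether granting httpd_t those three permissions is acceptable is a separate decision; the point is that piping the whole audit.log into audit2allow also pulls in sudo's password-file access, and no amount of re-running checkmodule will get that past the compiler.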