Newbie Q

Aaron Gray aaronngray.lists at googlemail.com
Fri Mar 20 23:12:19 UTC 2009


> On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
>> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on
>> Apache. Runs fine in permissive mode, not in enforcing.
>>
>> I bought the O'Reilly SE Linux book and learned the basics but it does not
>> really seem to help me on Fedora.
>>
>> There was no /var/log/kernel so I tried /var/log/secure with the following
>> command sequence
>>
>>     setenforce 0
>>
>>     # access the cgi from the web
>>
>>     setenforce 1
>>
>>     audit2allow -l -i /var/log/secure
>>
>> What is strange also is the system is not flagging things up as a
>> notification icon anymore in enforcing mode.
>>
>> If someone could guide me or push me in the right direction I would be most
>> thankful.
> auditd logs to /var/log/audit/audit.log
>
> To use cgi you must set the boolean httpd_enable_cgi.

Great, GIT on Apache running now! :) Thanks

But not accessing the repositories, looks like a script is needed.

> Then either label the cgi type httpd_sys_script_exec_t or create a
> custom domain for your script:
>
> mkdir myscript; cd myscript;
> echo "policy_module(myscript, 0.0.1)" > myscript.te
> echo "apache_content_template(myscript)" >> myscript.te
> echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i myscript.pp
> restorecon -R -v /var/www/cgi-bin/myscript.pl

This is interesting. Command line, thanks, interesting. I will have to learn
this stuff on the command line to understand it properly.

> This is just a base module, you will likely need to extend it. You can do
> so by making the httpd_myscript_script_t permissive and then extend
> your source policy with any rules required from audit.log/audit2why
>
> semanage permissive -a httpd_myscript_script_t

Nice :)

> ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp

This might just do the job!

> semanage permissive -d httpd_myscript_script_t
>
> (to remove the permissive domain)

Is there any reason not to be using setenforce 0/1, on a machine behind a
firewall?

I will try this. Looks like there's a need of a good howto that shows how
simple these things can be.

Many thanks Dominick

Aaron
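The "ausearch -m avc | grep httpd_myscript_script_t | audit2allow" step in the quoted reply is what this added example reproduces in miniature: it is not code from the thread or from the audit2allow tool, but a small parser that reads AVC denial records, keeps only those whose source domain is the custom script domain, and merges them into allow rules per target type and object class. The audit lines below are constructed sample data; httpd_myscript_script_t comes from the thread, while httpd_sys_content_t and smtp_port_t are standard Fedora policy types used as targets.

```python
import re
from collections import defaultdict

# One AVC denial record as written to /var/log/audit/audit.log (what ausearch -m avc prints).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (third colon-separated field) of a SELinux context."""
    return ctx.split(":")[2]


def collect_denials(log_text, domain):
    """Map (target type, object class) -> set of denied permissions for `domain`.
    Records from other source domains are dropped, like the grep in the thread."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m.group("scontext")) != domain:
            continue
        key = (context_type(m.group("tcontext")), m.group("tclass"))
        denied[key].update(m.group("perms").split())
    return denied


def avc_to_allow_rules(log_text, domain):
    """Render merged denials as raw allow rules, one per target type and class.
    (audit2allow additionally emits a require {} block for these types and classes;
    review every rule before appending it to myscript.te rather than pasting blindly.)"""
    return [
        "allow %s %s:%s { %s };" % (domain, ttype, tclass, " ".join(sorted(perms)))
        for (ttype, tclass), perms in sorted(collect_denials(log_text, domain).items())
    ]


# Constructed sample: three denials from the script domain, one unrelated httpd_t denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1237590000.123:45): avc:  denied  { read } for  pid=2345 comm="myscript.pl" name="repo.git" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1237590000.123:45): avc:  denied  { search } for  pid=2345 comm="myscript.pl" name="repo.git" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1237590000.124:46): avc:  denied  { read open } for  pid=2345 comm="myscript.pl" path="/var/www/git/repo.git/HEAD" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1237590000.200:47): avc:  denied  { name_connect } for  pid=2400 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
"""

if __name__ == "__main__":
    for rule in avc_to_allow_rules(SAMPLE_LOG, "httpd_myscript_script_t"):
        print(rule)
```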




More information about the fedora-selinux-list mailing list