A few policy changes I had to make

Rodrigo Damazio rodrigo.damazio at poli.usp.br
Sat Nov 13 03:35:38 UTC 2004


       Hello. I started playing with SELinux on FC2, and recently moved 
to FC3, and I must say it's much better now, with the targeted policy. 
Congrats on this.
       I still had to change a few things in my policies, though. 
Following is a collection of the AVC errors justifying my changes. I'm 
not experienced with SELinux yet, so I may be doing something 
wrong... please let me know if these changes are correct or not. Also, 
the unlink allow for httpd_t is because, for some reason, when I try to 
remove a file from within PHP, it uses httpd_t instead of 
httpd_sys_script_t. I would also like a rule (which I'm not sure how to 
write) to allow PHP programs to execute external programs, since I have 
a script which receives an uploaded file, does a lot of processing with 
it through external programs, and stores it in the database - when I run 
that, it gives me AVC execute errors trying to run bash and the other 
utilities.

Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:  denied  
{ connectto } for  pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t 
tclass=unix_stream_socket

NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc:  denied  
{ create } for  pid=2293 exe=/usr/sbin/ntpd 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  denied  
{ bind } for  pid=2293 exe=/usr/sbin/ntpd 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  denied  
{ getattr } for  pid=2293 exe=/usr/sbin/ntpd 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc:  denied  
{ write } for  pid=2293 exe=/usr/sbin/ntpd 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc:  denied  
{ net_admin } for  pid=2293 exe=/usr/sbin/ntpd capability=12 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc:  denied  
{ nlmsg_read } for  pid=2293 exe=/usr/sbin/ntpd 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc:  denied  
{ read } for  pid=2293 exe=/usr/sbin/ntpd 
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t 
tclass=netlink_route_socket

DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc:  denied  
{ create } for  pid=10002 exe=/usr/sbin/dhcpd 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc:  denied  
{ bind } for  pid=10002 exe=/usr/sbin/dhcpd 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc:  denied  
{ getattr } for  pid=10002 exe=/usr/sbin/dhcpd 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc:  denied  
{ write } for  pid=10002 exe=/usr/sbin/dhcpd 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc:  denied  
{ net_admin } for  pid=10002 exe=/usr/sbin/dhcpd capability=12 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc:  denied  
{ nlmsg_read } for  pid=10002 exe=/usr/sbin/dhcpd 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc:  denied  
{ read } for  pid=10002 exe=/usr/sbin/dhcpd 
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t 
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:  denied  
{ unlink } for  pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ 
dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t 
tcontext=system_u:object_r:file_t tclass=file

named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc:  denied  
{ create } for  pid=10183 exe=/usr/sbin/named 
scontext=root:system_r:named_t tcontext=root:system_r:named_t 
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc:  denied  
{ bind } for  pid=10183 exe=/usr/sbin/named 
scontext=root:system_r:named_t tcontext=root:system_r:named_t 
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc:  denied  
{ getattr } for  pid=10183 exe=/usr/sbin/named 
scontext=root:system_r:named_t tcontext=root:system_r:named_t 
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc:  denied  
{ write } for  pid=10183 exe=/usr/sbin/named 
scontext=root:system_r:named_t tcontext=root:system_r:named_t 
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc:  denied  
{ nlmsg_read } for  pid=10183 exe=/usr/sbin/named 
scontext=root:system_r:named_t tcontext=root:system_r:named_t 
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc:  denied  
{ read } for  pid=10183 exe=/usr/sbin/named 
scontext=root:system_r:named_t tcontext=root:system_r:named_t 
tclass=netlink_route_socket

Thanks,
Rodrigo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-targeted-policy-rdamazio.patch
Type: text/x-patch
Size: 3465 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041113/cfa654b5/attachment.bin>
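As an added example (not part of Rodrigo's message or of his attached patch): a small Python script that does the audit2allow-style aggregation the denials above call for. It reads kernel avc lines in the format quoted in the message, groups them into one candidate allow rule per (source type, target type, object class), and then flags the rules a reviewer would question before putting them in a policy patch: a target of file_t means the object carries no label and should be relabeled (restorecon) instead of granted; a capability such as net_admin is a broad grant; a target of unconfined_t means the peer (here the PostgreSQL socket) is not confined at all, so the allow only papers over a missing domain. The sample log is reconstructed from the post's excerpts with one record per line, as syslog writes it; the function names and review heuristics are this example's own, not the policy toolchain's.

```python
"""Turn raw AVC denials into candidate allow rules, in the style of audit2allow.

Added example, not from the original post: parses kernel audit(...) avc lines,
groups them into SELinux allow statements, and flags the ones that deserve a
second look before they go into a policy patch.
"""
import re
from collections import defaultdict

# Constructed sample, reconstructed from the post's log excerpts with each
# record on a single line as syslog writes it.
SAMPLE_AVC = """\
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc:  denied  { connectto } for  pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc:  denied  { create } for  pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc:  denied  { bind } for  pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc:  denied  { net_admin } for  pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc:  denied  { unlink } for  pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per denial: permissions, source/target types, class, raw fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        fields = dict(KV_RE.findall(m.group("rest")))
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "fields": fields,
        })
    return records


def build_allow_rules(records):
    """Group denials by (source type, target type, class) and union their permissions."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def render_rules(rules):
    """Render rules as policy-language allow statements, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # policy keyword for same-type access
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


# Capabilities whose grant widens a domain well beyond the one denial (example's own list).
BROAD_CAPABILITIES = {"net_admin", "sys_admin", "dac_override", "sys_ptrace", "setuid", "setgid"}


def review_rules(rules):
    """Flag rules that usually indicate a labeling problem or an over-broad grant."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype == "file_t":
            warnings.append(f"{stype} -> file_t:{tclass}: target is unlabeled; relabel (restorecon) rather than allow")
        if tclass == "capability" and perms & BROAD_CAPABILITIES:
            warnings.append(f"{stype}: capability {sorted(perms & BROAD_CAPABILITIES)} is broad; confirm the daemon needs it")
        if ttype == "unconfined_t":
            warnings.append(f"{stype} -> unconfined_t:{tclass}: peer is unconfined; check whether it should have its own domain")
    return warnings


if __name__ == "__main__":
    rules = build_allow_rules(parse_avc(SAMPLE_AVC))
    for line in render_rules(rules):
        print(line)
    for w in review_rules(rules):
        print("WARNING:", w)
```

Run against the full log from the message, the script collapses the seven netlink_route_socket denials per daemon into a single allow line each; that the same pattern shows up identically for ntpd, dhcpd and named is itself a hint that the gap is in the shipped policy rather than in one site's setup, which is the kind of thing worth raising on the list before carrying a local patch.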

