How to modify the policy?

Hongwei Li hongwei at wustl.edu
Thu Apr 14 19:05:33 UTC 2005


> Hongwei Li wrote:
>
>>Hi,
>>
>>I have an FC3 Linux (kernel 2.6.10-1.770_FC3) with SELinux enforcing,
>>targeted policy 1.17.30-2.96.  I tried to use squirrelmail's plugin
>>change_passwd, but got denied.  The system log shows:
>>
>>Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  { search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
>>Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  { setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
>>
>>I can use that plugin's command in an ssh console, but just not from the
>>web.  Should I change the targeted policy to make it work?  If yes, how do
>>I modify the policy?
>>
>>Thanks a lot!
>>
>>Hongwei Li
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list at redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
> The only way to do this currently is to install
> selinux-policy-targeted-sources.
>
> Then you can edit the apache rules to allow this priv.  The problem with
> this priv is that it will allow any cgi script to execute setuid
> applications.  The best solution would be to write policy for
> change_passwd and then have a domain transfer to this application.
>
> --
>

I am new to SELinux, especially to policy editing/writing.  Could you
please tell me how to do it each way (I have installed the sources):

1. How do I edit the apache rules to allow this priv?

2. How do I write a policy for change_passwd and then have a domain transfer
to it?

I appreciate your help!

Hongwei
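The two approaches in the reply above can be contrasted mechanically from the denials already quoted in this thread. The script below is an added illustration, not code from this list, from Fedora, or from squirrelmail: it parses the two AVC lines (used here as constructed sample input, copied from the message), turns each into the blanket `allow` rule that an audit2allow-style tool would propose, flags the capability grant to the shared `httpd_sys_script_t` domain as over-broad (every CGI script would inherit it), and then emits the scoped alternative: a dedicated domain entered by a domain transition, so only the program labelled with the new exec type gets the setuid capability. The names `chpasswd_t` and `chpasswd_exec_t` are hypothetical, and the fragment uses the old example-policy macro style (`domain_auto_trans`) of the selinux-policy-targeted-sources tree of that era; it has not been compiled against that tree, so treat the generated text as a starting point to review, not a finished policy.

```python
"""Turn AVC denials into candidate SELinux rules and show the scoped alternative.

Added illustration for the thread above (not list, Fedora or squirrelmail code).
"""
import re

# Constructed sample input: the two denials quoted in the original message.
AVC_LINES = [
    "Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc:  denied  "
    "{ search } for  pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t "
    "tclass=dir",
    "Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc:  denied  "
    "{ setuid } for  pid=13211 exe=/usr/bin/chpasswd capability=7 "
    "scontext=root:system_r:httpd_sys_script_t "
    "tcontext=root:system_r:httpd_sys_script_t tclass=capability",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

# Object classes whose grant widens every process in the source domain at once.
BROAD_CLASSES = {"capability"}


def parse_avc(line):
    """Extract permissions, source/target types, class and exe from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],   # type field of user:role:type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
    }


def allow_rule(d, stype=None):
    """The allow rule that closes this denial; 'self' when source and target types match."""
    src = stype or d["stype"]
    target = "self" if d["ttype"] == d["stype"] else d["ttype"]
    return "allow %s %s:%s { %s };" % (src, target, d["tclass"], " ".join(d["perms"]))


def is_overbroad(d):
    """True when the blanket fix hands a capability to a shared domain (all CGI scripts)."""
    return d["tclass"] in BROAD_CLASSES


def scoped_policy(denials, program_exe, new_domain, exec_type):
    """Old example-policy style fragment (hypothetical names): a dedicated domain
    reached by domain transition, holding only what program_exe itself was denied.
    Denials raised by other executables (here /bin/bash) are left for separate review."""
    own = [d for d in denials if d["exe"] == program_exe]
    if not own:
        return ""
    src = own[0]["stype"]
    lines = [
        "type %s, domain;" % new_domain,
        "type %s, file_type, sysadmfile, exec_type;" % exec_type,
        "role system_r types %s;" % new_domain,
        "domain_auto_trans(%s, %s, %s)" % (src, exec_type, new_domain),
    ]
    lines += [allow_rule(d, stype=new_domain) for d in own]
    return "\n".join(lines)


def report(lines):
    """Blanket rules with an over-broad marker, the way a reviewer would read them."""
    out = []
    for d in filter(None, map(parse_avc, lines)):
        flag = "  # over-broad: every process in %s gets this" % d["stype"] if is_overbroad(d) else ""
        out.append(allow_rule(d) + flag)
    return out


if __name__ == "__main__":
    print("# approach 1: widen httpd_sys_script_t (what the denials literally ask for)")
    print("\n".join(report(AVC_LINES)))
    print("\n# approach 2: dedicated domain for the setuid helper (hypothetical names)")
    print(scoped_policy([parse_avc(l) for l in AVC_LINES],
                        "/usr/bin/chpasswd", "chpasswd_t", "chpasswd_exec_t"))
```

Note that the `search` denial on `src_t` comes from `/bin/bash`, not from chpasswd, so the script deliberately keeps it out of the new domain; moving it there would not remove that denial, and it needs its own look at why a CGI wrapper is searching a `src_t` directory.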



