targeted policy and apache(?)
Stephen Smalley
sds at tycho.nsa.gov
Thu Apr 21 17:00:58 UTC 2005
On Thu, 2005-04-21 at 10:02 -0700, Ben wrote:
> I'm seeing avc errors, and it's pretty unclear to me what's causing them.
> What's being complained about, here?
>
> 1 Time(s): audit(1113980474.264:0): avc: denied { search } for pid=7148
> exe=/bin/bash name=log dev=md0 ino=3260417
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_log_t tclass=dir
>
>
> I would guess that some script is trying to list a log directory on
> /dev/md0, but that's about all I can guess from this and it doesn't help
> me track it down to a useful level anyway.
Not list, just perform a lookup, e.g a CGI script is attempting to
access something under /var/log (requiring search access to the log
directory), and this is denied in the policy. Note that you can
sometimes get more information by enabling system call auditing, e.g.
use auditctl -e 1 or boot your kernel with audit=1; the audit framework
will then output a separate syscall audit record upon syscall exit after
any such avc messages with the relevant syscall and arguments.
Likely your script wants to append to log files under /var/log/httpd.
Looks like the current policy allows httpd itself to do this, but not
CGI scripts.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the fedora-selinux-list
mailing list