Selinux error help - continued

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 7 17:12:05 UTC 2007


On Wed, 2007-02-07 at 17:08 +0000, Dan Track wrote:
> Hi Stephen.
> 
> I've moved the conversation over to the selinux list. My program is
> actually Beltane which is a web front end for managing samhain (a
> filesystem integrity checker). The point at which the problem arises
> is when a setuid binary (beltane_cp) wants to write to a file it
> creates in the /tmp directory and then it wants to move that file to
> the /var/lib/yule/profiles directory.

Sounds like you should have a separate domain for that binary, and a
separate type on that directory, so that you can give it the right
permissions without affecting anything else.

> It's at this point I get the
> selinux error:
> 
> Feb  7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc:
> denied  { getsession } for  pid=555 comm="httpd"
> scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> tclass=process

Question is what process is the target of this getsid(2) call?
You can find out more information by enabling system call auditing and
retrying.  auditctl -e 1 or boot with audit=1 or run auditd.

-- 
Stephen Smalley
National Security Agency
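
Added example (not part of the original message): once syscall auditing is enabled, the kernel logs a syscall record under the same audit event ID as the AVC denial, and for getsid(2) its first argument (a0, hex) is the target PID. The sketch below pairs the two records; the first sample line is the denial quoted above, the second is a constructed syscall record with made-up values, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Line 1: the denial from the post, re-joined onto one line.
# Line 2: CONSTRUCTED syscall record for the same event ID (values made up;
# 147 is getsid on i386, a0 is its pid argument in hex).
SAMPLE_LOG = """\
Feb  7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc: denied  { getsession } for  pid=555 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb  7 14:26:10 jupiter kernel: audit(1170858370.177:2547): arch=40000003 syscall=147 a0=1f4 pid=555 comm="httpd" exe="/usr/sbin/httpd"
"""

EVENT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\):\s*(.*)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def kv(text):
    """Turn 'key=value key="value"' text into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def correlate(log_text):
    """Group records by audit event ID and attach syscall details to each denial."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        event_id, body = f"{m.group(1)}:{m.group(2)}", m.group(3)
        avc = AVC_RE.match(body)
        if avc:
            rec = kv(avc.group(2))
            rec["perms"] = avc.group(1).split()
            events[event_id]["avc"].append(rec)
        elif "syscall=" in body:
            events[event_id]["syscall"] = kv(body)
    results = []
    for event_id, ev in events.items():
        for avc in ev["avc"]:
            row = {"event": event_id, **avc, "syscall": None, "target_pid": None}
            sc = ev["syscall"]
            if sc:
                row["syscall"] = int(sc["syscall"])
                # getsid(2) takes the target PID as its first argument.
                if "getsession" in avc["perms"] and "a0" in sc:
                    row["target_pid"] = int(sc["a0"], 16)
            results.append(row)
    return results

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
```

Without the syscall record (auditing off), the denial is still parsed but target_pid stays None, which is the situation described in the post.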




More information about the fedora-selinux-list mailing list