Squirrelmail_disk_quota_plugin

Ludman Tamás ltamas at gytk.sote.hu
Thu Sep 13 11:27:08 UTC 2007


Hi all,
Sorry for my bad English, I hope you understand my problem.
I would like to use Squirrelmail's plugin: quota_check, but SELinux 
doesn't allow this...
"...disk quota plugin: Uses the *nix quota binary as wwwquota to get 
information about and show the disk quota usage of the user logged in. 
It incorporates Flash movies to display more attractive and interactive 
information. ..."


I tried these:
[root at modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
[root at modules]# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to local.mod
[root at modules]# semodule_package -o local.pp -m local.mod
[root at modules]# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow 
httpd_t s
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed

I also tried another way, but the result is the same as above:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

______________________________________________
in my audit.log:
....

type=AVC msg=audit(1189681628.573:13563): avc:  denied  { read } for  
pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681628.573:13564): avc:  denied  { write } for  
pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.332:13578): avc:  denied  { read } for  
pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.332:13579): avc:  denied  { getattr } for  
pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.334:13580): avc:  denied  { write } for  
pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165 
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.334:13580): avc:  denied  { sendto } for  
pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1189681704.450:13587): avc:  denied  { read } for  
pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681704.450:13588): avc:  denied  { getattr } for  
pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681776.487:13607): avc:  denied  { search } for  
pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681776.489:13608): avc:  denied  { getattr } for  
pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681776.490:13609): avc:  denied  { quotaget } 
for  pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1189681826.629:13630): avc:  denied  { search } for  
pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681826.631:13631): avc:  denied  { getattr } for  
pid=31975 comm="wwwquota" name="md6" dev=tmpfs ino=7380
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681826.632:13632): avc:  denied  { quotaget } 
for  pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

.....
______________________________________________

in my /etc/sudoers:
...
apache  ALL=NOPASSWD:   /usr/bin/wwwquota -v [A-z]*
...
______________________________________________
in my /etc/selinux/config:

SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
______________________________________________

My system is:
Fedora Core 6, kernel 2.6.22.2-42.fc6
libselinux.i386                          1.33.4-2.fc6   
libselinux-devel.i386                    1.33.4-2.fc6
selinux-policy.noarch                    2.4.6-80.fc6          
selinux-policy-devel.noarch              2.4.6-80.fc6     
selinux-policy-mls.noarch                2.4.6-80.fc6          
selinux-policy-strict.noarch             2.4.6-80.fc6         
selinux-policy-targeted.noarch           2.4.6-80.fc6

What can I do?

Thanks a lot, everybody.

LT
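
Added example (not part of the original message, and not code from SquirrelMail or the SELinux tools): before loading a module generated by audit2allow, the denials in the post can be grouped to see which rules it would propose for httpd_t and which program triggered each. The function names and the REVIEW_TYPES set are this example's own choices; the sample records are copied from the log above.

```python
import re
from collections import defaultdict
# Three denials copied from the post, still wrapped the way the mail wrapped them.
SAMPLE = """\
type=AVC msg=audit(1189681697.332:13578): avc:  denied  { read } for
pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.332:13579): avc:  denied  { getattr } for
pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681776.490:13609): avc:  denied  { quotaget }
for  pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""
AVC_RE = re.compile(
    r'denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')
REVIEW_TYPES = {"shadow_t", "fixed_disk_device_t"}  # assumption: types to review first

def unwrap(text):
    """Rejoin records that a mail client wrapped; audit.log itself has one per line."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map (comm, source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if m:
            key = (m["comm"], m["src"].split(":")[2], m["tgt"].split(":")[2], m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def report(rules):
    """One line per rule audit2allow would propose, marking the types to review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};  # comm={comm}"
            + ("  REVIEW" if t in REVIEW_TYPES else "")
            for (comm, s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

Grouping by comm separates the denials caused by sudo from those caused by wwwquota itself, which is the distinction to settle before granting anything to the web server domain.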



