Barry Allard wrote:
If someone would be so kind as to answer a noob question. When installing an Apache authentication extension called WebAuth (3.5.4), it works great with SELinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To SELinux, perhaps it looks like rogue code trying to modify configuration files.
Files:
/etc/httpd/conf/webauth/keytab
/etc/httpd/conf/webauth/keyring
/etc/httpd/conf/webauth/service_token_cache
Messages:
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
audit2allow says
"allow httpd_t httpd_config_t:dir write;
allow httpd_t httpd_config_t:file write;
allow httpd_t user_home_t:file read;"
but this seems arbitrarily permissive.
What would give only read/write access to these three files? Sorry if this is off-topic.
If you only want to permit access to these three files, you can define a specific type for these files, e.g. webauth_config_t, and associate this type with the corresponding files in the ".fc" file.
After installing your own module, you restorecon the labels of your files; then this policy module will give access only to these files.
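One way to build the module the reply describes, as an added example rather than code from the thread: a shell script that writes a .te/.fc pair for a private webauth_config_t type covering the three files (the module and type names are assumptions) and installs it with the selinux-policy-devel Makefile, so httpd_t gets access to that type only instead of the broad httpd_config_t/user_home_t rules audit2allow proposed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Module name, type name
# and the devel Makefile path are assumptions; the directory is from the mail.
set -e

MOD=webauth
WEBAUTH_DIR=/etc/httpd/conf/webauth

# Type enforcement: a private type that only httpd_t may read/write.
webauth_te() {
    cat <<'EOF'
policy_module(webauth, 1.0)

require {
    type httpd_t;
}

# Private type for WebAuth's keytab, keyring and service_token_cache
type webauth_config_t;
files_type(webauth_config_t)

# httpd rewrites service_token_cache, so it needs to add/remove names
# in the directory (the denied { write } on dir "webauth" in the audit log)
allow httpd_t webauth_config_t:dir { getattr search read write add_name remove_name };
# ... and read the keytab, read/write the keyring and the token cache.
# Policies newer than RHEL 5 also require the 'open' permission here.
allow httpd_t webauth_config_t:file { getattr read write append create unlink lock setattr };
EOF
}

# File contexts: label the directory and everything below it, so restorecon
# also fixes the stray user_home_t label on the copied keytab.
webauth_fc() {
    printf '%s(/.*)?\tgen_context(system_u:object_r:webauth_config_t,s0)\n' "$WEBAUTH_DIR"
}

# Build, install and relabel; needs selinux-policy-devel, policycoreutils, root.
install_module() {
    webauth_te > "$MOD.te"
    webauth_fc > "$MOD.fc"
    make -f /usr/share/selinux/devel/Makefile "$MOD.pp"   # expands the macros, builds .pp
    semodule -i "$MOD.pp"
    restorecon -Rv "$WEBAUTH_DIR"
    ls -Z "$WEBAUTH_DIR"   # every entry should now show webauth_config_t
}

if [ "${1-}" = install ]; then install_module; fi
```

Run it as `sh webauth-module.sh install` on the web server; afterwards `setenforce 1` and re-check the audit log for any remaining avc denials.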
Running RHEL 5 ("ES", 32-bit), patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/, not much help.
Kind Regards,
Barry Allard
Systems Administrator
Stanford Medical Informatics
+1.650.723.7270
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list