If someone would be so kind to answer a noob question.  When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files.  To selinux, perhaps it looks like rogue code trying to modify configuration files.


Files:

/etc/httpd/conf/webauth/keytab

/etc/httpd/conf/webauth/keyring

/etc/httpd/conf/webauth/service_token_cache


Messages:

audit(1187726388.800:5): avc:  denied  { write } for  pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir

audit(1187727527.410:38): avc:  denied  { read } for  pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

audit(1187727527.415:39): avc:  denied  { read } for  pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

audit(1187727527.420:40): avc:  denied  { write } for  pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file


audit2allow says

“allow httpd_t httpd_config_t:dir write;

allow httpd_t httpd_config_t:file write;

allow httpd_t user_home_t:file read;”

but this seems arbitrarily permissive.


What would give only read/write access to these three files?  Sorry if this is off-topic.


Running RHEL 5 (“ES”, 32-bit) patched.  RTFM’ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ not much help.


Kind Regards,

Barry Allard

Systems Administrator

Stanford Medical Informatics

+1.650.723.7270
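As an added example (not part of the post above): a small Python parser run over the three distinct AVC denials quoted in it. It groups denials by source type, target type and object class, so the scope of any rule audit2allow would generate is visible at a glance, and it flags objects whose target type is not an httpd_* type. Here that singles out keytab, which carries user_home_t although it lives under /etc/httpd, which points to a mislabeled file rather than a missing allow rule. The expected-prefix check is an assumption of this script, not a policy rule.

```python
import re
from collections import defaultdict

# Constructed sample: the three distinct AVC denials from the post
# (the duplicate keytab line is omitted).
AVC_LINES = """\
audit(1187726388.800:5): avc:  denied  { write } for  pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc:  denied  { read } for  pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc:  denied  { write } for  pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?name="(?P<name>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per AVC denial line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # the third colon-separated field of a context is the SELinux type
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Group denials by (source type, target type, class) -> permissions and object names."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"])
        groups[key]["perms"].update(r["perms"])
        groups[key]["names"].add(r["name"])
    return dict(groups)

def suspicious_labels(records, expected_prefix="httpd_"):
    """Objects whose target type lacks the prefix a web-server file should carry (assumed check)."""
    return sorted({r["name"] for r in records if not r["ttype"].startswith(expected_prefix)})

if __name__ == "__main__":
    recs = parse_avc(AVC_LINES)
    for (s, t, c), v in summarize(recs).items():
        print(f"{s} -> {t}:{c} {sorted(v['perms'])} on {sorted(v['names'])}")
    print("possibly mislabeled:", suspicious_labels(recs))
```

A file under /etc/httpd labelled user_home_t is typically one that was moved (not copied) out of a home directory, so it kept its old label; restorecon resets it to the default label for its path, which is narrower than the blanket `allow httpd_t user_home_t:file read` rule.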