On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to use audit2allow on F10 to allow a cgi-bin perl script to run on Apache. It runs fine in permissive mode, not in enforcing.
I had to use 'setenforce 0', remove the grep, and then whittle down the code a bit.
mkdir gitweb-policy
cd gitweb-policy
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" > gitweb.fc
make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi
setenforce 0;
Do the http access !
setenforce 1;
ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp
Whittle the code down a bit to :-

gitweb.te:

policy_module(gitweb, 0.0.1)
apache_content_template(gitweb)

require {
	type httpd_sys_script_t;
}

#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)

gitweb.fc:

/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
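As an added example (not from Aaron's post, the gitweb project, or the audit2allow source), the shell script below does the core parsing step that `ausearch -m avc | audit2allow` performs on the denials collected above, and then flags any generated rule that grants more than read-style access so it gets reviewed and whittled down against the reference policy interfaces before being loaded. The AVC lines it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example: turn raw AVC denial records (what ausearch -m avc prints)
# into allow rules, then flag the ones that deserve a second look before they
# go into gitweb.te. The log lines below are constructed, not from a real box.
SAMPLE_AVC='type=AVC msg=audit(1237580000.100:401): avc:  denied  { read } for  pid=2201 comm="gitweb.cgi" name="git" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1237580000.100:401): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1237580000.200:402): avc:  denied  { getattr } for  pid=2201 comm="gitweb.cgi" path="/var/git" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1237580000.300:403): avc:  denied  { read } for  pid=2201 comm="gitweb.cgi" name="HEAD" dev=sda1 ino=1002 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1237580000.400:404): avc:  denied  { write } for  pid=2201 comm="gitweb.cgi" name="HEAD" dev=sda1 ino=1002 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# Read AVC records on stdin and emit one "allow src tgt:class { perms };" per
# (source type, target type, class), merging permissions in first-seen order.
avc_to_allow() {
  awk '
  /avc: *denied/ {
    match($0, /\{[^}]*\}/)
    perms = substr($0, RSTART + 1, RLENGTH - 2)
    s = ""; t = ""; c = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
      if ($i ~ /^tclass=/) c = substr($i, 8)
    }
    key = s " " t ":" c
    if (!(key in rules)) { keys[++n] = key; rules[key] = "" }
    m = split(perms, p, " ")
    for (j = 1; j <= m; j++) if (!seen[key, p[j]]++) rules[key] = rules[key] " " p[j]
  }
  END { for (i = 1; i <= n; i++) printf "allow %s {%s };\n", keys[i], rules[keys[i]] }'
}

# Rules granting more than read-style access: check these against the
# reference policy interfaces (as the whittling above does) instead of
# loading the raw audit2allow output as-is.
flag_for_review() {
  grep -E '[[:space:]](write|append|create|unlink|rename|setattr|execute|execute_no_trans|entrypoint)[[:space:]]'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
echo "--- review before loading:"
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | flag_for_review
```

Running it prints two merged allow rules for httpd_sys_script_t on default_t (dir and file), and lists the file rule under the review header because it carries write.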