If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.
Files:
/etc/httpd/conf/webauth/keytab
/etc/httpd/conf/webauth/keyring
/etc/httpd/conf/webauth/service_token_cache
Messages:
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
audit2allow says
"allow httpd_t httpd_config_t:dir write;
allow httpd_t httpd_config_t:file write;
allow httpd_t user_home_t:file read;"
but this seems arbitrarily permissive.
What would give read/write access to only these three files? Sorry if this is off-topic.
Running RHEL 5 ("ES", 32-bit), patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ (not much help).
Kind Regards,
Barry Allard
Systems Administrator
Stanford Medical Informatics
+1.650.723.7270
Barry Allard wrote:
> If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.
> Files:
> /etc/httpd/conf/webauth/keytab
> /etc/httpd/conf/webauth/keyring
> /etc/httpd/conf/webauth/service_token_cache
> Messages:
> audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
> audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
> audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
> audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
> audit2allow says
> "allow httpd_t httpd_config_t:dir write;
> allow httpd_t httpd_config_t:file write;
> allow httpd_t user_home_t:file read;"
> but this seems arbitrarily permissive.
> What would give read/write access to only these three files? Sorry if this is off-topic.
If you only want to permit access to these three files, you can define a specific type for these files, e.g. webauth_config_t, and associate this type with the corresponding files in the ".fc" file.
After installing your own module, run restorecon on your files; then this policy module will give access only to these files.
> Running RHEL 5 ("ES", 32-bit), patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ (not much help).
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
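As an added example (not Ken's code and not part of WebAuth), here is the module Ken outlines, written in the raw loadable-module syntax so it builds with checkmodule and semodule_package and needs no reference-policy headers. Everything beyond the thread is an assumption: the module name "webauth", the type name webauth_config_t, the permission sets in the allow rules, an RHEL 5-era checkpolicy/policycoreutils toolchain, and the three sample AVC lines, which are copied from the original message as constructed input. The module_covers function checks the module against the denials before it is loaded, so the rules are widened only if a real denial is still uncovered.

```shell
#!/bin/sh
# Added example, not code from the thread or from WebAuth: the module Ken
# describes, in raw loadable-module syntax (checkmodule/semodule_package).
# Assumed: module name "webauth", type name webauth_config_t, the permission
# sets below, and an RHEL 5-era policycoreutils/checkpolicy toolchain.

WEBAUTH_DIR=/etc/httpd/conf/webauth

# Type-enforcement source. Only objects carrying webauth_config_t are reachable
# through these rules, so httpd_t gains nothing on the rest of httpd_config_t.
webauth_te() {
    cat <<'EOF'
module webauth 1.0;

require {
    type httpd_t;
    attribute file_type;
    class dir { getattr search read write add_name remove_name };
    class file { getattr read write append create unlink lock };
}

# Private type for keytab, keyring, service_token_cache and their directory.
type webauth_config_t;
typeattribute webauth_config_t file_type;

# Read the keytab/keyring, rewrite the token cache, create/replace cache
# files inside the directory: the four denials from the thread and no more.
allow httpd_t webauth_config_t:dir { getattr search read write add_name remove_name };
allow httpd_t webauth_config_t:file { getattr read write append create unlink lock };
EOF
}

# File-context source: one regex labels the directory and everything in it.
webauth_fc() {
    printf '%s(/.*)?\tsystem_u:object_r:webauth_config_t:s0\n' "$WEBAUTH_DIR"
}

# Constructed sample input: three of the AVC lines from the original message.
sample_avc() {
    cat <<'EOF'
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
EOF
}

# AVC lines on stdin -> one "class permission" pair per line, deduplicated.
avc_perms() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*tclass=\([a-z_]*\).*/\2 \1/p' |
    while read -r cls perms; do
        for p in $perms; do echo "$cls $p"; done
    done | sort -u
}

# AVC lines on stdin -> exit 0 if every denied class/permission appears in an
# allow rule of the module above, 1 (with the gap printed) otherwise.
module_covers() {
    avc_perms | while read -r cls p; do
        webauth_te | grep -q "^allow httpd_t webauth_config_t:$cls .*[{ ]$p[ }]" ||
            { echo "not covered: $cls $p"; exit 1; }
    done
}

# Build, load, relabel, then show the resulting labels. Needs root; every
# step must succeed for the next one to run.
build_and_install() {
    tmp=$(mktemp -d) &&
    webauth_te > "$tmp/webauth.te" &&
    webauth_fc > "$tmp/webauth.fc" &&
    checkmodule -M -m -o "$tmp/webauth.mod" "$tmp/webauth.te" &&
    semodule_package -o "$tmp/webauth.pp" -m "$tmp/webauth.mod" -f "$tmp/webauth.fc" &&
    semodule -i "$tmp/webauth.pp" &&
    restorecon -R -v "$WEBAUTH_DIR" &&
    ls -Z "$WEBAUTH_DIR"
}

case "${1:-}" in
    check)   sample_avc | module_covers && echo "module covers every sample denial" ;;
    install) build_and_install ;;
esac
```

Run it with `check` to compare the module against the sample denials (or pipe your own /var/log/audit/audit.log lines into module_covers), and with `install` as root to build, load and relabel. The `open` permission is deliberately absent from the file class because it did not exist in RHEL 5 policy; on a newer release it would have to be added to both the require block and the allow rule.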
Ken YANG wrote:
> Barry Allard wrote:
> > If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.
> > Files:
> > /etc/httpd/conf/webauth/keytab
> > /etc/httpd/conf/webauth/keyring
> > /etc/httpd/conf/webauth/service_token_cache
First off, if these files need to be written to by a daemon, I would suggest to the author that they be moved to /var, which is where variable data should be. I think if you label the directory httpd_sys_script_rw_t these AVCs will disappear:
chcon -R -t httpd_sys_script_rw_t /etc/httpd/conf/webauth
Of course this will allow all system scripts to rw these files; DAC permissions are still in effect.
Is this package in Fedora?
> > Messages:
> > audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
> > audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
> > audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
> > audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
> > audit2allow says
> > "allow httpd_t httpd_config_t:dir write;
> > allow httpd_t httpd_config_t:file write;
> > allow httpd_t user_home_t:file read;"
> > but this seems arbitrarily permissive.
> > What would give read/write access to only these three files? Sorry if this is off-topic.
> If you only want to permit access to these three files, you can define a specific type for these files, e.g. webauth_config_t, and associate this type with the corresponding files in the ".fc" file.
> After installing your own module, run restorecon on your files; then this policy module will give access only to these files.
> > Running RHEL 5 ("ES", 32-bit), patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ (not much help).
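As an added example (not Dan's code and not part of WebAuth), this script does Dan's relabel in a form that survives a later restorecon or full relabel, and adds a triage step that separates mislabeled files from genuinely missing rules: the keytab denial shows user_home_t on a file under /etc/httpd, which restorecon fixes without any new allow rule. Assumed: the paths and type names from the thread, the semanage/restorecon/matchpathcon/sesearch tools from policycoreutils and setools, and three sample AVC lines copied from the original message as constructed input.

```shell
#!/bin/sh
# Added example, not code from the thread or from WebAuth: Dan's relabel made
# persistent, plus a triage step for telling mislabeled files from missing
# rules. Assumed: the paths and type names from the thread, and semanage,
# restorecon, matchpathcon and sesearch from policycoreutils/setools.

WEBAUTH_DIR=/etc/httpd/conf/webauth
RW_TYPE=httpd_sys_script_rw_t

# chcon changes only the inodes; the next restorecon or full relabel puts the
# policy default (httpd_config_t) back. Recording the context with semanage
# makes restorecon apply it instead, so the label survives.
persist_label() {
    semanage fcontext -a -t "$RW_TYPE" "$WEBAUTH_DIR(/.*)?" &&
    restorecon -R -v "$WEBAUTH_DIR"
}

# What policy now expects on each file, what httpd_t may do with that type,
# and the mode bits, since DAC is checked before SELinux and still applies.
show_state() {
    for f in keytab keyring service_token_cache; do
        printf '%s -> %s\n' "$WEBAUTH_DIR/$f" "$(matchpathcon -n "$WEBAUTH_DIR/$f")"
    done
    sesearch --allow -s httpd_t -t "$RW_TYPE" -c file
    ls -lZ "$WEBAUTH_DIR"
}

# Triage: AVC lines on stdin, expected type in $1. Prints "name type" for each
# denied object whose label is not the expected one. Such a line means the
# object is mislabeled and restorecon, not a new allow rule, is the fix.
mislabeled() {
    want=$1
    sed -n 's/.*avc: *denied .*name="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p' |
    sort -u | while read -r name type; do
        [ "$type" = "$want" ] || echo "$name $type"
    done
}

# Constructed sample input: three of the AVC lines from the original message.
sample_avc() {
    cat <<'EOF'
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
EOF
}

case "${1:-}" in
    triage)  sample_avc | mislabeled "$RW_TYPE" ;;
    persist) persist_label && show_state ;;
esac
```

With `triage`, all three sample objects are reported against httpd_sys_script_rw_t, which is what the relabel is for; run `mislabeled httpd_config_t` against the same input and only the keytab remains, showing it never had the directory's default label in the first place. `persist` needs root and an SELinux host.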