A few policy changes I had to make: msg#00044

Subject: A few policy changes I had to make
Hello. I started playing with SELinux on FC2, and recently moved to FC3, and I must say it's much better now, with the targeted policy. Congrats on this. I still had to change a few things in my policies, though. Following is a collection of the avc errors justifying my changes. I'm not experienced with SELinux yet, so I may be doing something wrong... please let me know if these changes are correct or not.

Also, the unlink allow for httpd_t is because, for some reason, when I try to remove a file from within PHP, it uses httpd_t instead of httpd_sys_script_t. I would also like a rule (which I'm not sure how to write) to allow PHP programs to execute external programs, since I have a script which receives an uploaded file, does a lot of processing with it through external programs, and stores it in the database. When I run that, it gives me avc execute errors trying to run bash and the other utilities.

Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket

NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { getattr } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied { write } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied { read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket

DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied { create } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied { bind } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied { getattr } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied { write } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied { nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied { read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file

named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied { create } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied { bind } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied { getattr } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied { write } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied { nlmsg_read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied { read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket

Thanks,
Rodrigo

diff -ru src.orig/policy/domains/program/apache.te 
src/policy/domains/program/apache.te
--- src.orig/policy/domains/program/apache.te   2004-11-01 19:36:22.000000000 
-0200
+++ src/policy/domains/program/apache.te        2004-11-12 23:54:36.127952796 
-0200
@@ -285,6 +285,8 @@
 # Allow httpd to work with postgresql
 #
 allow httpd_t tmp_t:sock_file rw_file_perms;
+allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
+allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
 ') dnl targeted policy
 
 #
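Review bot: neither added line grants the permission the AVC actually denied. The denial is `{ connectto }` on class `unix_stream_socket` with tcontext `unconfined_t`; `rw_file_perms` is the file-permission macro (ioctl, read, getattr, lock, write, append) and contains no `connectto`, so the denial will keep coming, and no process socket is ever labeled with the `tmp_t` file type, so `allow httpd_t tmp_t:unix_stream_socket rw_file_perms;` can never match anything. The existing `sock_file` rule already covers opening `/tmp/.s.PGSQL.5432`; the connect itself is checked against the listening process's socket, so the rule needed is `allow httpd_t unconfined_t:unix_stream_socket connectto;` and the `tmp_t` socket line should be dropped. Be aware that this lets httpd connect to any Unix stream socket owned by an unconfined process, not only PostgreSQL; that is the price of PostgreSQL running as `unconfined_t` here, as the tcontext in the denial shows.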
diff -ru src.orig/policy/domains/program/dhcpd.te 
src/policy/domains/program/dhcpd.te
--- src.orig/policy/domains/program/dhcpd.te    2004-11-01 19:36:22.000000000 
-0200
+++ src/policy/domains/program/dhcpd.te 2004-11-12 23:38:18.000000000 -0200
@@ -33,13 +33,14 @@
 can_ypbind(dhcpd_t)
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow dhcpd_t var_lib_t:dir search;
 
 allow dhcpd_t devtty_t:chr_file { read write };
 
 # Use capabilities
-allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };
 
 # Allow access to the dhcpd file types
 type dhcp_state_t, file_type, sysadmfile;
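Review bot: two points. First, the `net_admin` added to the capability line is a broad grant (interface configuration, routing tables, firewall rules) for a daemon whose denials show only a route netlink socket being opened and read; before allowing it, try `dontaudit dhcpd_t self:capability net_admin;` and confirm dhcpd still hands out leases, because daemons often probe a capability while opening such a socket without needing it, and a compromised dhcpd with CAP_NET_ADMIN can rewrite the host's network configuration. Second, the last denial in the dhcpd list (`unlink` on `dhcpd.leases~` with tcontext `system_u:object_r:file_t`) is not something this hunk or any allow rule should address: `file_t` is the type of an unlabeled file, so the leases directory was populated before it was labeled. Run `restorecon` on that directory so the file gets its proper type (presumably the `dhcp_state_t` declared just below this hunk) instead of allowing `dhcpd_t` access to `file_t`. The `r_netlink_socket_perms` line itself matches the denied create/bind/getattr/write/nlmsg_read/read set.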
diff -ru src.orig/policy/domains/program/named.te 
src/policy/domains/program/named.te
--- src.orig/policy/domains/program/named.te    2004-11-01 19:36:22.000000000 
-0200
+++ src/policy/domains/program/named.te 2004-11-12 23:42:38.000000000 -0200
@@ -60,6 +60,7 @@
 # Bind to the named port.
 allow named_t dns_port_t:udp_socket name_bind;
 allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
 
 bool named_write_master_zones false;
 
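Review bot: the rule covers all six denied permissions (create, bind, getattr, write, nlmsg_read, read), and it is right that no `net_admin` capability is added here, since named, unlike ntpd and dhcpd, never asked for it. Style point: the line sits under the `# Bind to the named port.` comment between the `name_bind` rules, where it reads as a port binding. Move it next to named's other `self:` socket rules, or give it a one-line comment of its own (route netlink socket, presumably for interface enumeration), so the next reader does not have to work out why a netlink rule lives in the port-binding block.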
diff -ru src.orig/policy/domains/program/ntpd.te 
src/policy/domains/program/ntpd.te
--- src.orig/policy/domains/program/ntpd.te     2004-11-01 19:36:22.000000000 
-0200
+++ src/policy/domains/program/ntpd.te  2004-11-12 23:33:18.000000000 -0200
@@ -22,7 +22,7 @@
 # for SSP
 allow ntpd_t urandom_device_t:chr_file read;
 
-allow ntpd_t self:capability { setgid setuid sys_time net_bind_service 
ipc_lock sys_chroot };
+allow ntpd_t self:capability { setgid setuid sys_time net_bind_service 
ipc_lock sys_chroot net_admin };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
 dontaudit ntpd_t self:capability { fsetid sys_nice };
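Review bot: `net_admin` is by far the broadest entry on this capability line, and the denial arrived in the same burst as the route-netlink-socket denials, which suggests ntpd probed it while opening that socket rather than needing it to set the clock (`sys_time` already covers that). This file already handles exactly that pattern two lines down, `dontaudit ntpd_t self:capability { fsetid sys_nice };`: add `net_admin` to that dontaudit set first and only move it to the allow line if ntpd demonstrably stops syncing. A compromised ntpd with CAP_NET_ADMIN can reconfigure interfaces, routes and firewall rules; the denial list alone does not justify handing that out.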
@@ -39,6 +39,7 @@
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # so the start script can change firewall entries
 allow initrc_t net_conf_t:file { getattr read ioctl };
diff -ru src.orig/policy/macros/program/apache_macros.te 
src/policy/macros/program/apache_macros.te
--- src.orig/policy/macros/program/apache_macros.te     2004-11-01 
19:36:22.000000000 -0200
+++ src/policy/macros/program/apache_macros.te  2004-11-12 23:01:49.000000000 
-0200
@@ -106,6 +106,7 @@
 ############################################################################
 r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 
 if (httpd_enable_cgi) && (httpd_unified) {
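Review bot: three points on the added line. (1) `unlink` only means something for `file` and `lnk_file`; when a directory is removed the kernel checks `rmdir` on the `dir` class, so the `dir` entry here grants nothing useful. Also, unlinking a file requires `remove_name` on the parent directory as well as `unlink` on the file, so expect a follow-up denial on class `dir` if `httpd_t` does not already hold that. (2) The rule is unconditional, while the block immediately below is gated on `(httpd_enable_cgi) && (httpd_unified)`. The reason the deletes run as `httpd_t` is almost certainly that PHP runs in-process (mod_php), so the transition to `httpd_$1_script_t` never happens; either gate this rule on the same booleans, or check whether turning on `httpd_unified` already gives `httpd_t` the access to `httpd_$1_script_rw_t` you want before adding an unconditional rule that applies to every site type. (3) Style: the braces around a single type `{ httpd_$1_script_rw_t }` and a single permission `{ unlink }` are noise; `allow httpd_t httpd_$1_script_rw_t:{ file lnk_file } unlink;` says the same thing.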

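The mail does the audit2allow step by hand: read each AVC line, take the source type, target type, object class and permission, and turn them into an allow rule. The script below is an added example, not part of the mail or of the Fedora policy, that automates that grouping over a subset of the denials quoted above, collapses same-type targets to `self`, and flags the two situations in this thread where an allow rule is the wrong answer: a `file_t` target (an unlabeled object that should be relabeled) and a broad capability such as `net_admin` (try a `dontaudit` first). The sample lines are copied from this message; the function names, the `UNLABELED_TYPES` and `BROAD_CAPS` sets and the wording of the warnings are the example's own choices.

```python
"""Turn raw AVC denial lines into candidate SELinux allow rules.

Added example (not code from the original mail or from the Fedora policy):
a minimal re-implementation of the grouping that audit2allow performs, so the
rules the kernel actually asked for can be compared against a hand-written
patch.  All names below are the example's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the denials quoted in the mail, in the
# FC3-era syslog format (before audit records moved to audit.log).
SAMPLE_AVCS = """\
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
"""

# Permission set in braces, then the three fields every AVC record carries.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that mean "the object is mislabeled": fix with restorecon or
# chcon, never by allowing the domain access to the catch-all type.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

# Capabilities broad enough that a dontaudit trial is worth doing first.
BROAD_CAPS = {"net_admin", "sys_admin", "dac_override", "sys_ptrace"}


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, set of perms), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    return (context_type(m.group("scon")), context_type(m.group("tcon")),
            m.group("tclass"), perms)


def collect_rules(lines):
    """Group denials by (source, target, class); same-type targets become self."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        target = "self" if stype == ttype else ttype
        rules[(stype, target, tclass)] |= perms
    return rules


def format_rule(stype, target, tclass, perms):
    """Render one allow rule in policy syntax, braces only when needed."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {body};"


def review(rules):
    """Yield (rule text, warning or None) in a stable, sorted order."""
    for (stype, target, tclass), perms in sorted(rules.items()):
        warning = None
        if target in UNLABELED_TYPES:
            warning = f"{target} target: relabel the object instead of allowing this"
        elif tclass == "capability" and perms & BROAD_CAPS:
            broad = " ".join(sorted(perms & BROAD_CAPS))
            warning = (f"broad capability; try 'dontaudit {stype} self:capability "
                       f"{broad};' first and check the daemon still works")
        yield format_rule(stype, target, tclass, perms), warning


if __name__ == "__main__":
    for rule, warning in review(collect_rules(SAMPLE_AVCS.splitlines())):
        print(rule + (f"    # {warning}" if warning else ""))
```

The output is the minimal rule set the kernel asked for, not the policy's macro forms (`r_netlink_socket_perms`, `create_socket_perms`); when a macro covers the set, prefer it, as the dhcpd/named/ntpd hunks do. Comparing its output with the patch is the point: for httpd it yields `allow httpd_t unconfined_t:unix_stream_socket connectto;`, which is the rule the apache.te hunk needed, and for the dhcpd leases file it refuses to suggest a rule at all.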