
Re: Adding two new booleans to httpd to tighten it's security.: msg#00038

Subject: Re: Adding two new booleans to httpd to tighten it's security.
On Sat 10 December 2005 18:54, Daniel J Walsh wrote:
> Nicolas Mailhot wrote:

>> I'd really appreciate if more effort was expended in fixing existing
>> AVCs rather than adding new blocking rules.
>>
> Which AVCs are you talking about?  We have been working hard to fix all
> AVCs when we can.

How about having selinux play nice with spamassassin at last?

It's still not able to create resolver sockets
"Error creating a DNS resolver socket"

or write to its own files:

cannot create tmp lockfile ~/.spamassassin/bayes.lock.xxx
cannot write to ~/.spamassassin/user_pref

(this has been reported many many times)

Or else fix fstab-sync

avc:  denied  { getattr } for  pid=2572 comm="fstab-sync" name="/"
dev=tmpfs ino=5287 scontext=system_u:system_r:updfstab_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

(again, reported many times)

Or else not break basic stuff like thunderbird

avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin"
scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process

or gpm

avc:  denied  { write } for  pid=2420 comm="gpm" name="mice" dev=tmpfs
ino=4118 scontext=system_u:system_r:gpm_t:s0
tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file

These two are new, but since I spare you the stuff which has been fixed
lately, I figured it was only fair to add new breakage.

# audit2allow </var/log/audit/audit.log
allow dovecot_auth_t dovecot_var_run_t:dir search;
allow dovecot_auth_t tmp_t:dir getattr;
allow dovecot_auth_t usr_t:lnk_file read;
allow gpm_t mouse_device_t:chr_file write;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow unconfined_t self:process execmem;
allow updfstab_t tmpfs_t:dir getattr;

This is with selinux-policy-targeted-2.1.2-1.

I'd like to write that there is some progress, but the length of my AVC list
seems to be stable over time: new stuff breaks as often as old stuff gets
fixed, and the overall length is not shrinking.

Regards,

-- 
Nicolas Mailhot
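The audit2allow rules in the message above are derived mechanically from AVC records like the ones quoted there. As an added example (not code from the original message, from audit2allow, or from the SELinux project), the following Python script parses such records and prints the equivalent allow rules in audit2allow's output style. The sample records are constructed: the three denials quoted in the message re-joined onto one line each, plus one extra made-up gpm `read` denial to show how several permissions for the same source type, target type and class collapse into one rule. The `self` shorthand follows what the message's own output shows (`allow unconfined_t self:process execmem;`, where source and target contexts carry the same type).

```python
"""Parse SELinux AVC denials and derive audit2allow-style allow rules.

Added example; not code from the original message or from audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the message, one record per
# line, plus a made-up gpm "read" denial (last line) to exercise grouping.
# A real /var/log/audit/audit.log line also carries a "type=AVC msg=audit(...)"
# prefix; the regex below ignores anything before "avc:", so that is harmless.
SAMPLE_LOG = """\
avc:  denied  { getattr } for  pid=2572 comm="fstab-sync" name="/" dev=tmpfs ino=5287 scontext=system_u:system_r:updfstab_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
avc:  denied  { write } for  pid=2420 comm="gpm" name="mice" dev=tmpfs ino=4118 scontext=system_u:system_r:gpm_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
avc:  denied  { read } for  pid=2420 comm="gpm" name="mice" dev=tmpfs ino=4118 scontext=system_u:system_r:gpm_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
"""

# One AVC record: the permission set in braces, free-form "key=value" fields,
# then the source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial line. Returns a dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }
    # Descriptive fields (pid, comm, name, dev, ino) are what tell you whether
    # the denial is a policy gap or the program doing something it should not.
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def allow_rules(log_text):
    """Collapse denials into sorted allow rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms_by_key[key].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        # audit2allow writes "self" when source and target types are equal.
        target = "self" if stype == ttype else ttype
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ %s }" % " ".join(perm_list)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Rules produced this way describe what was denied, not what should be allowed: each one still needs a decision on whether the access is legitimate (and belongs in a local policy module or an upstream fix) or the program itself should change, which is exactly the triage the thread is arguing about.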


