fedora-selinux August 2007 archive

rhel selinux question

From: Barry Allard <ballard_at_nospam>
Date: Thu Aug 23 2007 - 18:19:15 GMT
To: <fedora-selinux-list@redhat.com>


If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.

Files:

/etc/httpd/conf/webauth/keytab

/etc/httpd/conf/webauth/keyring

/etc/httpd/conf/webauth/service_token_cache
 

Messages:

audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir

audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file  

audit2allow says

"allow httpd_t httpd_config_t:dir write;

allow httpd_t httpd_config_t:file write;

allow httpd_t user_home_t:file read;"

but this seems arbitrarily permissive.

What would give only read/write access to these three files? Sorry if this is off-topic.

Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ not much help.

Kind Regards,

Barry Allard

Systems Administrator

Stanford Medical Informatics

+1.650.723.7270  
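Added triage example (not from the post or the WebAuth project): it parses the AVC denials quoted above and separates labelling problems, where the narrow fix is relabelling a file (the keytab under /etc still carries user_home_t), from the write denials on httpd_config_t, where the least-privilege answer is to give the mutable files a type httpd may write rather than letting httpd_t write its own config type. The writable type httpd_var_run_t is an assumption to verify against the local policy with sesearch; the name-to-path mapping comes from the "Files:" list in the post.

```python
import re

# AVC lines as quoted in the post (constructed sample input for this example).
AVC_LINES = """\
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
"""

# name= value -> full path, taken from the "Files:" list in the post.
PATHS = {
    "webauth": "/etc/httpd/conf/webauth",
    "keytab": "/etc/httpd/conf/webauth/keytab",
    "keyring": "/etc/httpd/conf/webauth/keyring",
    "service_token_cache": "/etc/httpd/conf/webauth/service_token_cache",
}
WRITABLE_TYPE = "httpd_var_run_t"  # assumption: a type httpd_t may write; check with sesearch

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perm>\w+) \} .*?name="(?P<name>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)')

def parse_avc(text):
    """Return one dict per distinct denial (repeated denials on the same object collapse)."""
    seen, out = set(), []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (m["perm"], m["name"], m["stype"], m["ttype"], m["tclass"])
        if key not in seen:
            seen.add(key)
            out.append(m.groupdict())
    return out

def triage(denial):
    """Classify a denial and return (category, narrowest suggested fix)."""
    path = PATHS.get(denial["name"], denial["name"])
    if not denial["ttype"].startswith("httpd_"):
        # A file under /etc labelled user_home_t kept the label it got in a home directory:
        # restorecon applies the default context, no policy change needed.
        return ("relabel", f"restorecon -v {path}")
    if denial["perm"] == "write" and denial["ttype"] == "httpd_config_t":
        # Mutable state (token cache, keyring) should not share the config type; relabel
        # just those objects instead of allowing httpd_t to write httpd_config_t.
        return ("relabel", f"semanage fcontext -a -t {WRITABLE_TYPE} '{path}' && restorecon -v {path}")
    # Anything else is a genuine policy gap: this is the rule audit2allow would emit.
    return ("policy", f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {denial['perm']};")

def report(text):
    return [(d["name"],) + triage(d) for d in parse_avc(text)]
```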
