Hongwei Li wrote:
Hi,
I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced, targeted policy 1.17.30-2.96. I try to use squirrelmail's plugin change_passwd, but got denied. The system log shows:
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
I can use that plugin's command in ssh console, but just not from the web. Should I change the targeted policy to make it working? If yes, how to modify the policy?
Thanks a lot!
Hongwei Li
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
The only way to do this currently is to install selinux-policy-targeted-sources.
Then you can edit apache rules to allow this priv. The problem with this is priv is that it will allow Any cgi script to execute setuid applications. The best solution would be to write policy for change_passwd and then have a domain transfer to this application.
--
I am new to selinux, especially for policy editing/writing. Could you please tell me how to do it in each way (I have installed the sources):
1. how to edit apache rules to allow this priv?
2. how to write a policy for change_passwd and then have a domain transfer to it?
I appreciate your help!
Hongwei