On 03/14/2013 11:23 AM, Jean-David Beyer wrote:
On 03/14/2013 10:50 AM, m.roth(a)5-cent.us wrote:
> CentOS 6.4 (probably not the current kernel) selinux-policy,
> selinux-policy-targetd 3.7.19-155.el6_3.14
>
> And we're running SiteMinder from CA (and have *zero* control over that,
> don't get me started)
>
> unconfined_u:system_r:httpd_t:s0 apache <...> LLAWP /etc/httpd/conf/WebAgent.conf -APACHE22 apache root
> unconfined_u:object_r:httpd_log_t:s0 /var/log/httpd/agent.log
>
> So, why would I get AVCs, and running them through audit2allow gives me:
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:file write;
>
> Why on earth can't something running as httpd_t write to a logfile of
> httpd_log_t in /var/log/httpd/?
>
We are blocking write and allowing append. Which works for most situations.
In this case you probably should add the rule. Write means a hacker could
truncate the logs while append means he could only append to the end.
> And then there's this...
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t httpd_sys_script_t:dir read;
> allow setroubleshootd_t httpd_sys_script_t:file getattr;
>
> Shouldn't setroubleshootd have rights?
>
> mark
This is strange, I would be surprised with this one, could you send the
AVCs. This is just setroubleshootd_t looking at the process state.
My comment may be unhelpful because I do not even run apache, but I do run
Red Hat Enterprise Linux Server release 6.4 (Santiago) that is surely up to
date as of yesterday. My kernel is kernel-2.6.32-358.0.1.el6.x86_64
Although I just received a new one: kernel-2.6.32-358.2.1.el6.x86_64
I run with SELinux enabled in enforcing mode
But what I notice is this:
$ rpm -qa | grep selinux
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
libselinux-2.0.94-5.3.el6.i686
libselinux-utils-2.0.94-5.3.el6.x86_64
libselinux-python-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-195.el6_4.3.noarch
libselinux-2.0.94-5.3.el6.x86_64
I have no selinux-policy-targetd package installed.
And no such file on my machine:
$ locate selinux-policy-targetd
$
That is a typo.
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
Is this a package you had to load to get apache to work? Or are CentOS 6.4
and Red Hat Enterprise Linux 6.4 that different?
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
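An added triage helper for the denials discussed in this thread; it is not code from the thread, from audit2allow or from the SELinux project. It turns AVC lines into audit2allow-style allow rules and separately flags `write` denials on `*_log_t` files, the append-only case described above. The audit lines are constructed to match the denials quoted in the thread, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines modelled on the denials in the thread
# (httpd_t writing agent.log; setroubleshootd_t inspecting a script's /proc entry).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1363272000.123:4521): avc:  denied  { write } for  pid=2345 comm="LLAWP" name="agent.log" dev=dm-0 ino=131077 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1363272001.456:4522): avc:  denied  { read } for  pid=2401 comm="setroubleshootd" name="2345" dev=proc ino=9876 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=dir
type=AVC msg=audit(1363272001.789:4523): avc:  denied  { getattr } for  pid=2401 comm="setroubleshootd" path="/proc/2345/status" dev=proc ino=9877 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=file
"""

# One AVC record: the denied permission set plus source/target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """Return the type field of a user:role:type:level context, e.g. httpd_t."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source type, target type, class, permission) for each denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            yield (domain_type(m.group("scontext")), domain_type(m.group("tcontext")),
                   m.group("tclass"), perm)

def allow_rules(text):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in parse_avcs(text):
        grouped[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def log_write_denials(text):
    """'write' denied on a *_log_t file: policy allows append only, so a process that
    opens the log with O_APPEND (or whose rule is added locally) is the choice to make."""
    return [(src, tgt) for src, tgt, cls, perm in parse_avcs(text)
            if cls == "file" and perm == "write" and tgt.endswith("_log_t")]
```

Run `allow_rules(open("/var/log/audit/audit.log").read())` against a real log to compare its output with audit2allow before deciding whether a write rule is warranted.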