On 10/27/2010 10:59 AM, Hiisi wrote:
Dear all!
I would like one of the computers on a LAN to send some files to another
computer on the same LAN using scp. Both computers can ping each other
without any problems and I set up ssh using key authentication to work
without passwords. The task I'm talking about should be done in an
automatic way so I wrote the following script (part of it has been
erased for the purpose of simplicity):
...
OUTFILE=$(mktemp /tmp/out.XXXXXX)
chmod 666 $OUTFILE
...
scp $OUTFILE user@192.168.3.30:/home/user/
...
It doesn't work as expected. It creates the desired file in /tmp dir on
local machine but it doesn't copy it to remote machine. Instead I see a
lot of avc denial messages in dmesg output:
type=1400 audit(1288189100.508:9): avc: denied { name_connect } for
pid=9059 comm="ssh" dest=22 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
The script on the sender machine is invoked by procmail. I tested this
scp command manually and it can be done without any restriction. However
it doesn't work when it's in a script. How can I tell SELinux (is it the
one to blame?) to allow scp from a script?
TIA
P.S. Additional info:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
P.S.2 I don't want to disable SELinux completely because this system
is connected to the Internet and has a static IP address. I see a lot of
interesting things in root mail every day :-)

Use audit2allow to add the rule:
# grep procmail /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp
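An added example, not part of the original messages: a small Python parser that turns AVC denials like the one quoted above into the allow rules they imply, so the effect of feeding every procmail denial to audit2allow can be reviewed before a module is loaded with semodule. The function names, the second log line and the noise line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the message, joined
# onto one line; line 2 is a made-up second denial; line 3 is unrelated noise.
SAMPLE_LOG = """\
type=1400 audit(1288189100.508:9): avc: denied { name_connect } for pid=9059 comm="ssh" dest=22 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=1400 audit(1288189100.600:10): avc: denied { read open } for pid=9060 comm="ssh" name="known_hosts" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file
kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_to_rules(log_text, domain=None):
    """Map AVC denials to allow rules, optionally for one source domain only."""
    grants = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        src = selinux_type(m["scon"])
        if domain and src != domain:
            continue  # denial belongs to another domain
        key = (src, selinux_type(m["tcon"]), m["tclass"])
        grants[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grants.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG, domain="procmail_t"):
        print(rule)
```

Every denial that matches the filter becomes a rule, so a broad match on "procmail" grants more than the single name_connect permission the scp call needed.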