On Wed, 2007-02-07 at 12:40 +0000, Dan Track wrote:
> Hi
>
> I'm hoping someone can help me with this. I'm running a process that's
> getting the following violations:
>
> Feb 7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc:
> denied { getattr } for pid=11754 comm="beltane_cp" name="yule"
> dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
> Feb 7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc:
> denied { getsession } for pid=27224 comm="httpd"
> scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> tclass=process
>
> What I did next was to run the following:
>
> audit2allow -i /var/log/messages
>
> and I get the following output:
>
> allow httpd_sys_script_t var_lib_t:dir getattr;
> allow httpd_t unconfined_t:process getsession;
>
> which I enter into
>
> /etc/selinux/targeted/src/policy/domains/misc/local.te

Suggestion: take such questions to fedora-selinux-list in the future.

So this is an FC4 system? In FC5 and later, you would instead be creating
a loadable policy module.

> Then from the policy directory I run
>
> make load
>
> upon which I get the following error:
>
> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> security: 3 users, 4 roles, 355 types, 26 bools
> security: 55 classes, 22619 rules
> assertion on line 25169 violated by allow httpd_t unconfined_t:process
> { getsession };
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>
> I don't know what this means. I've tried to look it up, i.e. a Google
> search, but to no avail. Any ideas?

The policy includes a set of assertions (neverallow rules) to catch
common errors and potentially unsafe rules. In an FC4 or earlier policy,
they would live in the file policy/assert.te.

In this case, the neverallow rule is guarding against accidentally
allowing a confined process like httpd to operate on an unconfined
process, as that could open you up to an attack, although this
particular access (getsession, i.e. getsid(2)) is relatively benign unto
itself - the more interesting question is what your process will then
try to do with the session ID it gets for the unconfined process. If you
truly need to allow it, you can adjust or remove the neverallow rule
from policy/assert.te.

-- 
Stephen Smalley
National Security Agency
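The workflow the thread walks through (turn AVC denials into allow rules, then have the policy build reject a rule that trips a neverallow assertion), as an added example that is not part of the thread or of the SELinux tools. It is a miniature audit2allow in Python, the language audit2allow itself is written in: it parses the two denial lines quoted above (reconstructed here as sample input), aggregates them into allow rules, checks each candidate against a neverallow table before anything is built, and renders the survivors as the loadable-module source an FC5-or-later system would feed to semodule. The function names (parse_avc, aggregate, check_assertions, module_source) and the NEVERALLOW table are mine; the table is a hypothetical stand-in for the assertion the reply describes, not the contents of policy/assert.te.

```python
"""Added example (not from the thread): a miniature audit2allow that parses
AVC denials, aggregates them into allow rules, checks the candidates
against neverallow assertions, and emits loadable-module source.
The NEVERALLOW table is a hypothetical stand-in for policy/assert.te."""
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the two denials quoted in the thread.
SAMPLE_LOG = """\
Feb  7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc:  denied  { getattr } for  pid=11754 comm="beltane_cp" name="yule" dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=dir
Feb  7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc:  denied  { getsession } for  pid=27224 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Hypothetical assertions: (source types, target types, class, forbidden perms).
# The real assert.te names the source with attributes (e.g. every confined
# domain); an explicit set of confined domains is enough to illustrate it.
NEVERALLOW = [
    ({"httpd_t", "httpd_sys_script_t"}, {"unconfined_t"}, "process",
     {"getsession", "getsched", "ptrace", "signal", "sigkill"}),
]


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return [(source_type, target_type, tclass, frozenset(perms))], one per denial."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return out


def aggregate(denials):
    """Merge permissions per (src, tgt, class), as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    return {k: frozenset(v) for k, v in rules.items()}


def format_allow(rules):
    """Render rules in the `allow src tgt:class perms;` form audit2allow prints."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return lines


def check_assertions(rules, neverallow=NEVERALLOW):
    """Return [((src, tgt, cls), offending perms)] for every rule an assertion rejects."""
    violations = []
    for (src, tgt, cls), perms in rules.items():
        for nsrc, ntgt, ncls, nperms in neverallow:
            if cls == ncls and src in nsrc and tgt in ntgt and perms & nperms:
                violations.append(((src, tgt, cls), frozenset(perms & nperms)))
    return violations


def module_source(rules, name="local", version="1.0"):
    """Render rules as loadable-module source, the shape `audit2allow -M` emits."""
    types = sorted({t for (s, g, _) in rules for t in (s, g)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} {version};", "", "require {", *req, "}", "",
                      *format_allow(rules), ""])


if __name__ == "__main__":
    rules = aggregate(parse_avc(SAMPLE_LOG))
    bad = check_assertions(rules)
    for key, perms in bad:  # mirror checkpolicy's "assertion ... violated by" message
        print(f"assertion violated by allow {key[0]} {key[1]}:{key[2]} "
              f"{{ {' '.join(sorted(perms))} }};")
    safe = {k: v for k, v in rules.items() if k not in {b[0] for b in bad}}
    print(module_source(safe))
```

Run stand-alone it reports the httpd_t -> unconfined_t:process getsession rule as rejected and prints a module containing only the var_lib_t getattr rule, which is the split the thread's checkpolicy run made by failing the whole build. On FC5 and later the real commands for the same job are `audit2allow -M local -i /var/log/messages` followed by `semodule -i local.pp`; the base policy's neverallow rules are evaluated when the module is linked and expanded, so whether semodule stops you the way checkpolicy did depends on the expand-check setting in /etc/selinux/semanage.conf.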