On 2/7/07, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Wed, 2007-02-07 at 12:40 +0000, Dan Track wrote:
> Hi
>
> I'm hoping someone can help me with this. I'm running a process that's
> getting the following violations:
>
> Feb 7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc:
> denied { getattr } for pid=11754 comm="beltane_cp" name="yule"
> dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
> Feb 7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc:
> denied { getsession } for pid=27224 comm="httpd"
> scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
> tclass=process
>
> What I did next was to run the following:
>
> audit2allow -i /var/log/messages
>
> and I get the following output
>
> allow httpd_sys_script_t var_lib_t:dir getattr;
> allow httpd_t unconfined_t:process getsession;
>
> Which I enter into
>
> /etc/selinux/targeted/src/policy/domains/misc/local.te

Suggestion: Take such questions to fedora-selinux-list in the future.

So this is a FC4 system? In FC5 and later, you would instead be creating a loadable policy module.

> Then from the policy directory I run
>
> make load
>
> Upon which I get the following error
>
> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> security: 3 users, 4 roles, 355 types, 26 bools
> security: 55 classes, 22619 rules
> assertion on line 25169 violated by allow httpd_t unconfined_t:process
> { getsession };
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>
> I don't know what this means, I've tried to look it up i.e. google
> search, but to no avail. Any ideas?

The policy includes a set of assertions (neverallow rules) to catch common errors and potentially unsafe rules. In a FC4 or earlier policy, they would live in the file policy/assert.te.
In this case, the neverallow rule is guarding against accidentally allowing a confined process like httpd from operating on an unconfined process, as that could open you up to an attack, although this particular access (getsession, i.e. getsid(2)) is relatively benign unto itself - the more interesting question is what will your process then try to do with the session ID it gets for the unconfined process. If you truly need to allow it, you can adjust or remove the neverallow rule from policy/assert.te.

--
Stephen Smalley
National Security Agency

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Hi Stephen

Firstly, apologies for sending to the wrong list. Thanks for the advice, it was really an eye opener. I trawled through the assert.te file in my selinux src directory, however I can tell which rule to remove, could you please guide to which rule it is. Currently my file looks like this:

neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:process ~sigchld;
# Confined domains must never see unconfined domain's /proc/pid entries.
neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:dir { getattr search };
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process transition;
# for gross mistakes in policy
neverallow domain domain:dir ~r_dir_perms;
neverallow domain domain:file_class_set ~{ setattr rw_file_perms };
neverallow domain file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;

Many thanks
Dan
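Added example, not code from this thread or from the SELinux tools: a small Python re-implementation of what audit2allow and checkpolicy's assertion check did above. It turns the two AVC denials Dan posted into allow rules and tests each against the first three neverallow rules from his assert.te, so it reports which assertion the httpd_t/getsession rule trips (and that the var_lib_t rule trips none). The type/attribute model (ATTRS, ALL_TYPES) and per-class permission lists (CLASS_PERMS) are assumed toy subsets standing in for the real FC4 policy.

```python
import re

# Constructed sample: the two AVC denials quoted in the thread, one per line.
SAMPLE_LOG = """\
Feb 7 11:54:34 jupiter kernel: audit(1170849274.441:2160): avc: denied { getattr } for pid=11754 comm="beltane_cp" name="yule" dev=sda3 ino=145930 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=dir
Feb 7 11:54:35 jupiter kernel: audit(1170849275.859:2161): avc: denied { getsession } for pid=27224 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=process
"""
# The first three assertions Dan quoted from policy/assert.te.
ASSERT_TE = """\
neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:process ~sigchld;
neverallow { domain -unrestricted -snmpd_t -pegasus_t } unconfined_t:dir { getattr search };
neverallow domain ~domain:process transition;
"""
# Assumed toy model: a tiny subset of the FC4 targeted policy's attributes and class perms.
ATTRS = {"domain": {"httpd_t", "httpd_sys_script_t", "unconfined_t", "snmpd_t", "pegasus_t"},
         "unrestricted": {"unconfined_t"}}
ALL_TYPES = set().union(*ATTRS.values()) | {"var_lib_t"}
CLASS_PERMS = {"process": {"fork", "transition", "sigchld", "signal", "getsession", "ptrace"},
               "dir": {"getattr", "search", "read", "write", "add_name"}}
AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} .*?scontext=(?P<s>\S+) "
                    r"tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")
NA_RE = re.compile(r"neverallow (\{[^}]*\}|\S+) (\{[^}]*\}|\S+):(\S+) (~?\{[^}]*\}|~?\S+?);")

def avc_to_allow(log):
    """Like audit2allow: one (source_type, target_type, class, perms) tuple per denial."""
    rules = []
    for m in AVC_RE.finditer(log):
        src, tgt = (m.group(k).split(":")[2] for k in ("s", "t"))  # user:role:type -> type
        rules.append((src, tgt, m.group("c"), frozenset(m.group("perms").split())))
    return rules

def expand(spec, universe):
    """Resolve a set spec such as '{ domain -snmpd_t }', '~domain' or 'sigchld' to members."""
    if spec.startswith("~"):  # complement over the given universe (types or class perms)
        return universe - expand(spec[1:], universe)
    out = set()
    for tok in spec.strip("{} ").split():
        members = ATTRS.get(tok.lstrip("-"), {tok.lstrip("-")})  # attribute or bare name
        out = out - members if tok.startswith("-") else out | members
    return out

def violated_assertions(allow, assert_te=ASSERT_TE):
    """Return the neverallow rules that the proposed allow rule would trip."""
    src, tgt, cls, perms = allow
    hits = []
    for m in NA_RE.finditer(assert_te):
        nsrc, ntgt, ncls, nperms = m.groups()
        if (ncls == cls and src in expand(nsrc, ALL_TYPES) and tgt in expand(ntgt, ALL_TYPES)
                and perms & expand(nperms, CLASS_PERMS[cls])):
            hits.append(m.group(0))
    return hits
```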