* apache rule to make it write in directory
@ 2004-06-24 12:37 Pascal Hahn
2004-06-24 14:32 ` Russell Coker
0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hahn @ 2004-06-24 12:37 UTC (permalink / raw)
To: SELinux
Hi there,
I got the problem that my apache2 under selinux running on gentoo linux is
not able to write to a certain directory under htdocs which i need to be
writable.
I need a rule to make it write in that directory but didnt find a
possibility to do so by now.
Perhaps someone can help me out here.
Thanks
Pascal Hahn
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: apache rule to make it write in directory
2004-06-24 12:37 apache rule to make it write in directory Pascal Hahn
@ 2004-06-24 14:32 ` Russell Coker
2004-06-25 6:35 ` Pascal Hahn
0 siblings, 1 reply; 8+ messages in thread
From: Russell Coker @ 2004-06-24 14:32 UTC (permalink / raw)
To: Pascal Hahn; +Cc: SELinux
On Thu, 24 Jun 2004 22:37, Pascal Hahn <p.hahn@laufwerka.de> wrote:
> I got the problem that my apache2 under selinux running on gentoo linux is
> not able to write to a certain directory under htdocs which i need to be
> writable.
>
> I need a rule to make it write in that directory but didnt find a
> possibility to do so by now.
>
> Perhaps someone can help me out here.
Please show us the AVC messages from the access that is denied and then it
should be easy to demonstrate how to customise the policy to do what you
require.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: apache rule to make it write in directory
2004-06-24 14:32 ` Russell Coker
@ 2004-06-25 6:35 ` Pascal Hahn
2004-06-25 7:51 ` Russell Coker
0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hahn @ 2004-06-25 6:35 UTC (permalink / raw)
Cc: SELinux
Russell Coker schrieb:
>On Thu, 24 Jun 2004 22:37, Pascal Hahn <p.hahn@laufwerka.de> wrote:
>
>
>>I got the problem that my apache2 under selinux running on gentoo linux is
>>not able to write to a certain directory under htdocs which i need to be
>>writable.
>>
>>I need a rule to make it write in that directory but didnt find a
>>possibility to do so by now.
>>
>>Perhaps someone can help me out here.
>>
>>
>
>Please show us the AVC messages from the access that is denied and then it
>should be easy to demonstrate how to customise the policy to do what you
>require.
>
>
>
heres my output i get from avc messages:
/Jun 16 13:39:36 lboxx avc: denied { write } for pid=3161
exe=/usr/sbin/apache2 path=/var/www/localhost/lwa/infos/auth.tmp
dev=hdc6 ino=96389 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 16 16:22:16 lboxx avc: denied { write } for pid=3215
exe=/usr/sbin/apache2 name=infos dev=hdc6 ino=96403
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: apache rule to make it write in directory
@ 2004-06-30 10:24 Pascal Hahn
0 siblings, 0 replies; 8+ messages in thread
From: Pascal Hahn @ 2004-06-30 10:24 UTC (permalink / raw)
To: SELinux
Russell Coker wrote:
> On Fri, 25 Jun 2004 16:35, Pascal Hahn <p.hahn@laufwerka.de> wrote:
>
>
>> heres my output i get from avc messages:
>>
>> /Jun 16 13:39:36 lboxx avc: denied { write } for pid=3161
>> exe=/usr/sbin/apache2 path=/var/www/localhost/lwa/infos/auth.tmp
>> dev=hdc6 ino=96389 scontext=system_u:system_r:httpd_t
>> tcontext=system_u:object_r:httpd_sys_content_t tclass=file
>>
>
>
> Try the following:
> file_type_auto_trans(httpd_t, httpd_sys_content_t,
> httpd_sys_script_rw_t, file)
>
>
>
Hi there,
I inserted the rule but get the following error although:
Jun 30 12:45:30 lboxx avc: denied { write } for pid=3190
exe=/usr/sbin/apache2 name=ip.tmp dev=hdc6 ino=96390
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 30 12:45:30 lboxx avc: denied { setattr } for pid=3190
exe=/usr/sbin/apache2 name=ip.tmp dev=hdc6 ino=96390
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
I just need file creation, chmodding, reading and writing on this folder
and all its subolders.
Thanks,
Pascal Hahn
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: apache rule to make it write in directory
@ 2004-06-30 10:41 Pascal Hahn
2004-06-30 14:27 ` Russell Coker
0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hahn @ 2004-06-30 10:41 UTC (permalink / raw)
To: SELinux
Russell Coker wrote:
> On Fri, 25 Jun 2004 16:35, Pascal Hahn <p.hahn@laufwerka.de> wrote:
>
>
>> heres my output i get from avc messages:
>>
>> /Jun 16 13:39:36 lboxx avc: denied { write } for pid=3161
>> exe=/usr/sbin/apache2 path=/var/www/localhost/lwa/infos/auth.tmp
>> dev=hdc6 ino=96389 scontext=system_u:system_r:httpd_t
>> tcontext=system_u:object_r:httpd_sys_content_t tclass=file
>>
>
>
> Try the following:
> file_type_auto_trans(httpd_t, httpd_sys_content_t,
> httpd_sys_script_rw_t, file)
>
>
>
Hi there,
I inserted the rule but get the following error although:
Jun 30 12:45:30 lboxx avc: denied { write } for pid=3190
exe=/usr/sbin/apache2 name=ip.tmp dev=hdc6 ino=96390
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 30 12:45:30 lboxx avc: denied { setattr } for pid=3190
exe=/usr/sbin/apache2 name=ip.tmp dev=hdc6 ino=96390
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
I just need file creation, chmodding, reading and writing on this folder
and all its subolders.
Thanks,
Pascal Hahn
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: apache rule to make it write in directory
2004-06-30 10:41 Pascal Hahn
@ 2004-06-30 14:27 ` Russell Coker
2004-07-01 11:32 ` Pascal Hahn
0 siblings, 1 reply; 8+ messages in thread
From: Russell Coker @ 2004-06-30 14:27 UTC (permalink / raw)
To: Pascal Hahn; +Cc: SELinux
On Wed, 30 Jun 2004 20:41, Pascal Hahn <p.hahn@laufwerka.de> wrote:
> Russell Coker wrote:
> > On Fri, 25 Jun 2004 16:35, Pascal Hahn <p.hahn@laufwerka.de> wrote:
> >> heres my output i get from avc messages:
> >>
> >> /Jun 16 13:39:36 lboxx avc: denied { write } for pid=3161
> >> exe=/usr/sbin/apache2 path=/var/www/localhost/lwa/infos/auth.tmp
> >> dev=hdc6 ino=96389 scontext=system_u:system_r:httpd_t
> >> tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> >
> > Try the following:
> > file_type_auto_trans(httpd_t, httpd_sys_content_t,
> > httpd_sys_script_rw_t, file)
>
> I inserted the rule but get the following error although:
>
>
> Jun 30 12:45:30 lboxx avc: denied { write } for pid=3190
> exe=/usr/sbin/apache2 name=ip.tmp dev=hdc6 ino=96390
> scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:httpd_sys_content_t tclass=file
The following should solve it:
chcon -t httpd_sys_script_rw_t ip.tmp
Same goes for all other files like it, and you want an entry in
file_contexts/misc/custom.fc to avoid accidentally relabelling it back.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: apache rule to make it write in directory
2004-06-30 14:27 ` Russell Coker
@ 2004-07-01 11:32 ` Pascal Hahn
0 siblings, 0 replies; 8+ messages in thread
From: Pascal Hahn @ 2004-07-01 11:32 UTC (permalink / raw)
To: russell; +Cc: SELinux
Russell Coker schrieb:
>On Wed, 30 Jun 2004 20:41, Pascal Hahn <p.hahn@laufwerka.de> wrote:
>
>
>>Russell Coker wrote:
>>
>>
>>>On Fri, 25 Jun 2004 16:35, Pascal Hahn <p.hahn@laufwerka.de> wrote:
>>>
>>>
>>>>heres my output i get from avc messages:
>>>>
>>>>/Jun 16 13:39:36 lboxx avc: denied { write } for pid=3161
>>>>exe=/usr/sbin/apache2 path=/var/www/localhost/lwa/infos/auth.tmp
>>>>dev=hdc6 ino=96389 scontext=system_u:system_r:httpd_t
>>>>tcontext=system_u:object_r:httpd_sys_content_t tclass=file
>>>>
>>>>
>>>Try the following:
>>>file_type_auto_trans(httpd_t, httpd_sys_content_t,
>>>httpd_sys_script_rw_t, file)
>>>
>>>
>>I inserted the rule but get the following error although:
>>
>>
>>Jun 30 12:45:30 lboxx avc: denied { write } for pid=3190
>>exe=/usr/sbin/apache2 name=ip.tmp dev=hdc6 ino=96390
>>scontext=system_u:system_r:httpd_t
>>tcontext=system_u:object_r:httpd_sys_content_t tclass=file
>>
>>
>
>The following should solve it:
>chcon -t httpd_sys_script_rw_t ip.tmp
>
>Same goes for all other files like it, and you want an entry in
>file_contexts/misc/custom.fc to avoid accidentally relabelling it back.
>
>
>
Hi there,
I fixed all my errors and inserted an own role called laufwerka_t. all
runs fine. also sudo is doing its job nicely until it should execute the
reboot command. I only get an error from apache called :
Could not set exec context to system_u:system_r:laufwerka_t.
The laufwerka_t also got a filetype called laufwerka_src_t
here is the most important parts of the definitions i made:
domains/program/laufwerka.te:
type laufwerka_t, admin, domain, auth_chkpwd, privuser, privrole,
privlog, privowner, mlstrustedreader, mlstrustedwriter,
mlstrustedobject, privfd;
role sysadm_r types laufwerka_t;
file_contexts/program/laufwerka.fc:
/var/www/[^/]+/lwa(/.*)? system_u:object_r:laufwerka_src_t
types/files.te:
type laufwerka_src_t, file_type, sysadmfile;
and finally the changes i made to the apache macro:
domain_auto_trans(httpd_t, laufwerka_src_t, laufwerka_t)
Can anyone now tell me how i can use sudo to execute my reboot?
Thanks a lot
Pascal Hahn
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2004-07-01 11:32 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-06-24 12:37 apache rule to make it write in directory Pascal Hahn
2004-06-24 14:32 ` Russell Coker
2004-06-25 6:35 ` Pascal Hahn
2004-06-25 7:51 ` Russell Coker
-- strict thread matches above, loose matches on Subject: below --
2004-06-30 10:24 Pascal Hahn
2004-06-30 10:41 Pascal Hahn
2004-06-30 14:27 ` Russell Coker
2004-07-01 11:32 ` Pascal Hahn
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.