* Re: I am add a custom rule, know how 2 do te file, what about fc file, please help
From: Serge E. Hallyn @ 2006-03-27 14:56 UTC (permalink / raw)
To: Rongdong Lu; +Cc: SELinux
Quoting Rongdong Lu (qdmudong@hotmail.com):
> Hi, List,
>
> Selinux has been driving me real crazy for the last several weeks, now
> finally I'm getting some clue.
>
> Here's a problem i am having now. I have a centos4 server, with selinux
> turned on, I can't use php to send out mail. I am using
> selinux-policy-targeted-1.17.30-2.126. I am trying to add a custom rule the
> first time.
>
> here is the error message in messages log:
>
> Mar 25 20:19:14 example kernel: audit(1143335954.882:36): avc: denied {
> execute } for pid=10036 comm="sh" name="sendmail" dev=sda5 ino=1228853
> scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t
> tclass=file
You need to allow domain transitions from httpd_sys_script_t to
sendmail_t. Haven't used the old targeted in quite some time, but I
think
file_type_auto_trans(httpd_sys_script_t, sendmail_exec_t, sendmail_t)
should work.
Except, looking at the old sources, that may not be right - sendmail_t
is only for the daemon?
Regardless, that's the sort of thing you need to fix - looks like no file
contexts need to be changed.
> Mar 25 20:19:14 example kernel: audit(1143335954.882:37): avc: denied {
> getattr } for pid=10036 comm="sh" name="sendmail" dev=sda5 ino=1228853
> scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t
> tclass=file
>
> I know I can use audit2allow to get the rule to add to a te file, but
> what do I add to the fc file? I couldn't find which command tries to
> access sendmail; a process with that pid didn't exist after the error
> message was generated.
>
> any advice is appreciated, thanks in advance, guys
-serge
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: I am add a custom rule, know how 2 do te file, what about fc file, please help
From: Rongdong Lu @ 2006-03-28 12:15 UTC (permalink / raw)
To: SELinux
Thanks for the help,
Serge, Daniel and Stephen, it just became too complicated for me to handle,
I finally disabled selinux. It's such a waste of time in terms of
progress (I am 2, 3 weeks behind my schedule because of selinux), but I did
learn a lot about it.
Guess I will wait until a well tuned selinux comes out.
best,
Ron
* Re: I am add a custom rule, know how 2 do te file, what about fc file, please help
From: Daniel J Walsh @ 2006-03-27 18:51 UTC (permalink / raw)
To: Rongdong Lu; +Cc: SELinux
Rongdong Lu wrote:
> Hi, List,
>
> Selinux has been driving me real crazy for the last several weeks,
> now finally I'm getting some clue.
>
> Here's a problem i am having now. I have a centos4 server, with
> selinux turned on, I can't use php to send out mail. I am using
> selinux-policy-targeted-1.17.30-2.126. I am trying to add a custom
> rule the first time.
>
> here is the error message in messages log:
>
> Mar 25 20:19:14 example kernel: audit(1143335954.882:36): avc:
> denied { execute } for pid=10036 comm="sh" name="sendmail" dev=sda5
> ino=1228853 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_t tclass=file
> Mar 25 20:19:14 example kernel: audit(1143335954.882:37): avc:
> denied { getattr } for pid=10036 comm="sh" name="sendmail" dev=sda5
> ino=1228853 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_t tclass=file
>
Looks like you need to change the context of a script out on var_t? try
chcon -t httpd_sys_script_t PATHTOSCRIPT?
> I know I can use audit2allow to get the rule to add to a te file,
> but what do I add to the fc file? I couldn't find which command
> tries to access sendmail; a process with that pid didn't exist
> after the error message was generated.
>
> any advice is appreciated, thanks in advance, guys
>
> Ron
* Re: I am add a custom rule, know how 2 do te file, what about fc file, please help
From: Stephen Smalley @ 2006-03-27 19:09 UTC (permalink / raw)
To: Rongdong Lu; +Cc: Daniel J Walsh, SELinux
On Sun, 2006-03-26 at 01:38 +0000, Rongdong Lu wrote:
> Hi, List,
>
> Selinux has been driving me real crazy for the last several weeks, now
> finally I'm getting some clue.
>
> Here's a problem i am having now. I have a centos4 server, with selinux
> turned on, I can't use php to send out mail. I am using
> selinux-policy-targeted-1.17.30-2.126. I am trying to add a custom rule the
> first time.
>
> here is the error message in messages log:
>
> Mar 25 20:19:14 example kernel: audit(1143335954.882:36): avc: denied {
> execute } for pid=10036 comm="sh" name="sendmail" dev=sda5 ino=1228853
> scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t
> tclass=file
> Mar 25 20:19:14 example kernel: audit(1143335954.882:37): avc: denied {
> getattr } for pid=10036 comm="sh" name="sendmail" dev=sda5 ino=1228853
> scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t
> tclass=file
>
> I know I can use audit2allow to get the rule to add to a te file, but
> what do I add to the fc file? I couldn't find which command tries to
> access sendmail; a process with that pid didn't exist after the error
> message was generated.
>
> any advice is appreciated, thanks in advance, guys
What does 'ls -Z /usr/bin/sendmail.sendmail' show?
You only need to create/modify a .fc file if you want to alter the file
security contexts. The policy Makefile will complain if you create
a .te file under domains/program without a matching .fc file over in
file_contexts/program, but you can create arbitrary .te files under
domains/misc without creating any matching .fc file.
BTW, simply allowing the above is likely not what you want, but I'm not
sure what options exist in centos systems for proper policy for sendmail
et al (without switching to strict policy), or if they have a boolean
for this case. I think similar questions have been asked in the past on
fedora-selinux-list about php and mail.
--
Stephen Smalley
National Security Agency
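As an added example (not part of the thread), a small Python triage script that parses the AVC denials quoted above and separates the case the replies point at, a target labelled with the generic var_t type (a labelling problem, fixed with restorecon or chcon rather than an allow rule), from a denial against a properly labelled binary, where a domain transition rule is the right fix. The third sample line with sendmail_exec_t and the GENERIC_TYPES set are this example's own constructions.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the thread, plus one constructed
# line in which the same binary carries its proper sendmail_exec_t label.
SAMPLE_LOG = """\
Mar 25 20:19:14 example kernel: audit(1143335954.882:36): avc: denied { execute } for pid=10036 comm="sh" name="sendmail" dev=sda5 ino=1228853 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=file
Mar 25 20:19:14 example kernel: audit(1143335954.882:37): avc: denied { getattr } for pid=10036 comm="sh" name="sendmail" dev=sda5 ino=1228853 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=file
Mar 25 20:19:15 example kernel: audit(1143335955.101:38): avc: denied { execute } for pid=10037 comm="sh" name="sendmail" dev=sda5 ino=1228853 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sendmail_exec_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Generic catch-all types (a heuristic chosen for this example): a denial whose
# target carries one of these usually means the object is mislabelled.
GENERIC_TYPES = {"var_t", "file_t", "unlabeled_t", "default_t"}

def parse_avc(line):
    """Split one AVC denial into perms, key=value fields and source/target types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; the type is the third component.
    return {"perms": m.group("perms").split(), "fields": fields,
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields.get("tclass", "")}

def triage(log_text):
    """Group denials by (source type, target type, class) and attach a hint."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    report = {}
    for (stype, ttype, tclass), perms in groups.items():
        if ttype in GENERIC_TYPES:
            hint = "labelling: generic target type, fix the file context (restorecon/chcon), do not allow"
        elif tclass == "file" and "execute" in perms:
            hint = "transition: a labelled binary is executed, so a domain transition rule is the fix"
        else:
            hint = "review: inspect the access before accepting an audit2allow rule"
        report[(stype, ttype, tclass)] = {"perms": sorted(perms), "hint": hint}
    return report

for key, info in triage(SAMPLE_LOG).items():
    print(key, info["perms"], "->", info["hint"])
```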