From: David Cottle <webmaster@aus-city.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Can someone please assist me with selinux issue
Date: Thu, 05 Jul 2007 09:30:29 +1000
Message-ID: <468C2D95.2010801@aus-city.com>
In-Reply-To: <1183464455.12218.243.camel@moss-spartans.epoch.ncsc.mil>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the reply Stephen.  How do I enable the 'link' permission
as you described?

Cheers!

David

Stephen Smalley wrote:
> On Tue, 2007-07-03 at 21:15 +1000, David Cottle wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> I got an FTP session from an IP camera sending images every 1 minute.
>>
>> I keep getting these AVC messages in /var/logs/messages:
>>
>> Jul  1 04:43:40 server kernel: audit(1183229020.232:8256): avc:
>> denied  { link } for  pid=2043 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:ftpd_t:s0 tclass=key
>> Jul  1 04:44:40 server kernel: audit(1183229080.245:8257): avc:
>> denied  { link } for  pid=2061 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:ftpd_t:s0 tclass=key
>> Jul  1 04:45:40 server kernel: audit(1183229140.367:8258): avc:
>> denied  { link } for  pid=2259 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
>> Jul  1 04:46:40 server kernel: audit(1183229200.238:8259): avc:
>> denied  { link } for  pid=2267 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
>>
>> Every time there is a transfer.  So at 1 minute intervals there are
>> too many.  Also I want to add more webcams so no doubt it's going to
>> get worse.
>>
>> However I read and created a policy:
>>
>> grep proftpd /var/log/messages | audit2allow -M proftpd
>> selinux -i proftpd.pp
>>
>>
>> However, with the above I STILL get the annoying AVC denied messages.
>>
>> Can someone please explain and tell me how I can update and get rid of
>> the denied messages?
>>
>> This is the proftpd.te rule it made:
>>
>> module proftpd 1.0;
>>
>> require {
>>     type ftpd_t;
>>     type crond_t;
>>     type httpd_suexec_t;
>>     class capability dac_override;
>>     class key { write search };
>> }
>>
>> #============= ftpd_t ==============
>> allow ftpd_t crond_t:key search;
>> allow ftpd_t httpd_suexec_t:key search;
>> allow ftpd_t self:capability dac_override;
>> allow ftpd_t self:key { write search };
>
> You don't seem to be allowing "link" permission above, which is what was
> being denied by the audit messages you posted.
>
>> But I see crond, httpd and ftpd all there but this rule does nothing :(
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGjC2Ui1lOcz5YUMgRAuctAJ9ud3yxGylHozKDgI3eIf3U7p1vTgCgpaem
3taj9Wm+FbUKTtzw1w5ksLs=
=/2aU
-----END PGP SIGNATURE-----



