[ale] SElinux, Fedora3, and postgresql
Chris Ricker
kaboom at gatech.edu
Sat Nov 27 08:54:47 EST 2004
On Fri, 26 Nov 2004, James P. Kinney III wrote:
> Success! Found the tool audit2allow and added the following to the
> policy.conf file:
Good deal -- that's what I was going to recommend doing with the avc:
denied's. The main thing to watch with that is that what it does will often
be too permissive....
> #line 83
> allow httpd_sys_script_t port_type:{ tcp_socket udp_socket } { send_msg
> recv_msg };
> #line 83
> allow httpd_sys_script_t sysctl_kernel_t:dir search;
> #line 83
> allow httpd_sys_script_t sysctl_t:dir search;
> #line 83
> allow httpd_sys_script_t tmp_t:sock_file write;
> #line 83
> allow httpd_sys_script_t httpd_sys_content_t:lnk_file read;
> #line 83
> allow httpd_sys_script_t sysctl_kernel_t:file read;
> #line 83
> allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;
>
>
> NOTE** This allows sql-ledger to run on FC3. I have NOT done a full
> policy analysis to determine if this opens up more than I want to have
> open.
I'd think you probably want to change the domain of sql-ledger to be
different from any other CGIs, and do your allows just for whatever domain
you use for sql-ledger. Right now, it's going to treat the entire
httpd_sys_script_t domain (which includes all CGIs) the same.... If that's
the only CGI you plan on having on there, though, I wouldn't worry about it.
later,
chris
More information about the Ale
mailing list