Re: FC3 and selinux

From: Daniel J Walsh (dwalsh_at_redhat.com)
Date: 03/09/05

    Date: Wed, 09 Mar 2005 07:51:51 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>

    Hans Müller wrote:

    >Hello, after update from FC2 to FC3 and enabled SELinux with:
    >
    >1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
    >2. To ensure that you can return from a reboot, set the mode to SELINUX=permissive. This way SELinux
    >will be running under the correct policy, but will let you login if there is a problem such as
    >incorrect file context labeling.
    >3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
    >4. Reboot the system. A clean restart under the new policy allows all system processes to be started in
    >the proper context, and reveals any problems in the policy change.
    >5. Confirm your changes took effect with the command sestatus -v. With the new system running in
    >permissive mode, check /var/log/messages for avc: denied messages. These may indicate a problem that
    >needs to be solved for the system to run without trouble under the new policy.
    >
    >and at step 5 I have entries with the avc: denied messages.
    >This is what I found:
    >Mar 9 13:19:00 homer kernel: audit(1110370740.023:0): avc: denied { unlink } for pid=5797
    >exe=/usr/sbin/httpd name=ssl_mutex.5797 dev=hda1 ino=1063633 scontext=root:system_r:httpd_t
    >tcontext=root:object_r:httpd_log_t tclass=file
    >
    >
    Is there a way to get these files created somewhere else? We might need
    to change policy, but allowing httpd the ability to unlink log files
    is not an option, since this would allow a cracker to clean up his tracks.

    >Mar 9 13:19:00 homer httpd: Starten von httpd succeeded
    >Mar 9 13:19:01 homer kernel: audit(1110370741.003:0): avc: denied { getattr } for pid=5798
    >exe=/usr/sbin/httpd path=/etc/php.ini dev=hda1 ino=246465 scontext=root:system_r:httpd_t
    >tcontext=system_u:object_r:etc_t tclass=lnk_file
    >
    >
    >
    Why is /etc/php.ini a link file?

    >What must I do to correct this?
    >
    >

    -- 
    Learn, Network and Experience Open Source.
    Red Hat Summit, New Orleans 2005
    http://www.redhat.com/promo/summit/
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
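A defender-side triage helper for the avc: denied lines quoted above, added here as an example (it is not code from the thread or from Fedora): it parses the audit line format shown, pulls out source type, target type, class and permissions, and flags the pattern Dan warns about (a service domain wanting unlink/write on a *_log_t type) as something to fix by relocating the file, never by loosening policy. The sample lines are constructed from the two denials in the thread; the TAMPER_PERMS set and the verdict labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the two denials quoted in the thread
# (re-joined onto single lines; the list archive wrapped them).
SAMPLE_LOG = """\
Mar 9 13:19:00 homer kernel: audit(1110370740.023:0): avc: denied { unlink } for pid=5797 exe=/usr/sbin/httpd name=ssl_mutex.5797 dev=hda1 ino=1063633 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Mar 9 13:19:00 homer httpd: Starten von httpd succeeded
Mar 9 13:19:01 homer kernel: audit(1110370741.003:0): avc: denied { getattr } for pid=5798 exe=/usr/sbin/httpd path=/etc/php.ini dev=hda1 ino=246465 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed set: permissions that let a domain alter or destroy the contents of a target.
TAMPER_PERMS = {"unlink", "write", "append", "rename", "setattr", "remove_name"}

@dataclass
class AvcDenial:
    perms: set
    fields: dict
    def type_of(self, ctx):          # user:role:type -> type
        return self.fields[ctx].split(":")[2]

def parse_avc(line):
    """Return an AvcDenial for an 'avc: denied' line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return AvcDenial(set(m.group("perms").split()), fields)

def triage(d):
    """Return (verdict, reason); 'never_allow' means do not fix this by adding an allow rule."""
    src, tgt, tclass = d.type_of("scontext"), d.type_of("tcontext"), d.fields.get("tclass", "")
    hit = d.perms & TAMPER_PERMS
    if tgt.endswith("_log_t") and hit:
        return ("never_allow", f"{src} wants {sorted(hit)} on log type {tgt}: move the file, do not grant this")
    if tclass == "lnk_file":
        obj = d.fields.get("path", d.fields.get("name", "?"))
        return ("investigate", f"{obj} is a symlink labelled {tgt}: check why, and whether the label is right")
    return ("review", "ordinary denial: verify the object's label before touching policy")

def triage_log(text):
    """Parse every AVC line in text and return [(exe, tclass, verdict, reason), ...]."""
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            out.append((d.fields.get("exe", "?"), d.fields.get("tclass", ""), *triage(d)))
    return out
```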
    
