Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy:
#============= httpd_t ==============
allow httpd_t unconfined_t:shm { unix_read unix_write };
which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy.
To simplify configuration management, I would prefer to make this setting using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
How do I request one? (And whom do I ask?)
Thanks, -at
On 06/02/2011 07:47 PM, Aleksey Tsalolikhin wrote:
> Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy:
>
> #============= httpd_t ==============
> allow httpd_t unconfined_t:shm { unix_read unix_write };
>
> which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy.
> To simplify configuration management, I would prefer to make this setting using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
> How do I request one? (And whom do I ask?)
> Thanks, -at
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
Not sure what OTRS is, but it looks like you are running it as a user (unconfined_t)? Does this usually run as a service started at boot time?
Allowing this would just mean apache is able to read/write logged-in users' shared memory.
On 06/03/2011 08:41 PM, Daniel J Walsh wrote:
[snip]
> Not sure what OTRS is but it looks like you are running it as a user? (unconfined_t), Does this usually run as a service started at boot time?
It is Help Desk/Ticket software similar to Bugzilla. http://otrs.org/ It is started at boot through init. The RPMs currently available at otrs.org do not have any SELinux policies and seem to install everything under /opt/otrs.
Hope this helps.
Regards, Patrick
Hi Aleksey,
On 06/03/2011 01:47 AM, Aleksey Tsalolikhin wrote:
> Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy:
>
> #============= httpd_t ==============
> allow httpd_t unconfined_t:shm { unix_read unix_write };
>
> which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy.
> To simplify configuration management, I would prefer to make this setting using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
> How do I request one? (And whom do I ask?)
Since nobody has come up with a policy for eons I guess there is little incentive to provide one. When you go through the OTRS website it basically only says "turn off selinux" (which imho is pretty silly).
There was one person that tried to create a policy: http://lists.otrs.org/pipermail/dev/2005-September/001109.html
The #selinux channel on irc.freenode.net has always been helpful and patient even with my n00b questions. If you have all the info from the audit log then I would venture in there, put the audit log on a pastebin and ask how to proceed next.
If you create a proper policy I would appreciate it if you could keep this list updated. From what I have read OTRS seems a nice solution but not when I have to turn off selinux.
Regards, Patrick
On 06/03/2011 03:05 PM, Patrick Lists wrote:
> Hi Aleksey,
>
> On 06/03/2011 01:47 AM, Aleksey Tsalolikhin wrote:
> > Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy:
> >
> > #============= httpd_t ==============
> > allow httpd_t unconfined_t:shm { unix_read unix_write };
> >
> > which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy.
> > To simplify configuration management, I would prefer to make this setting using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
> > How do I request one? (And whom do I ask?)
>
> Since nobody has come up with a policy for eons I guess there is little incentive to provide one. When you go through the OTRS website it basically only says "turn off selinux" (which imho is pretty silly).
> There was one person that tried to create a policy: http://lists.otrs.org/pipermail/dev/2005-September/001109.html
> The #selinux channel on irc.freenode.net has always been helpful and patient even with my n00b questions. If you have all the info from the audit log then I would venture in there, put the audit log on a pastebin and ask how to proceed next.
> If you create a proper policy I would appreciate it if you could keep this list updated. From what I have read OTRS seems a nice solution but not when I have to turn off selinux.
> Regards, Patrick
Well not likely since this is not something we use with RHEL or Fedora. But what I would suggest you do is put apache into permissive mode and then see what avcs it creates. Load a custom policy module to allow the access.
# semanage permissive -a httpd_t
Run OTRS at boot, and attempt to interact with it via apache.
I would figure there are a lot of rules to allow things like
# allow httpd_t initrc_t:shm { unix_read unix_write };
Once you have a bunch of avcs you can create a custom policy module
# grep initrc_t /var/log/audit/audit.log | audit2allow -M myotrs
# semodule -i myotrs.pp
Or ask someone on list to write a policy for this app.
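The permissive-domain workflow above, as an added example that is not part of the thread or of OTRS: a small awk-based stand-in for the rule-generation step of audit2allow -M, fed with constructed AVC records (not from a real audit.log), plus the semanage/semodule steps wrapped in a function. The function names avc_to_te and install_module, the sample records and the module name myotrs are this example's own choices. Reading the generated .te before loading it is the point of the exercise: each allow rule names the target type (here unconfined_t and usr_t) that httpd_t would gain access to, which is exactly the "what am I opening" question asked at the top of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): turn AVC denial records into a
# minimal SELinux policy module source (.te), the way audit2allow -M does,
# and wrap the permissive-domain workflow from the reply in a function.
# Function names (avc_to_te, install_module) and the sample AVC lines
# are constructed for this example.

# Constructed sample of audit.log records for a confined httpd_t that is
# denied access to an unconfined_t shared-memory segment and to a file.
# The third record repeats the first, to show de-duplication.
SAMPLE_AVCS='type=AVC msg=audit(1307126822.123:45): avc:  denied  { unix_read unix_write } for  pid=2345 comm="httpd" key=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
type=AVC msg=audit(1307126822.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="Config.pm" dev=sda1 ino=9999 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1307126823.789:47): avc:  denied  { unix_read unix_write } for  pid=2345 comm="httpd" key=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm'

# avc_to_te MODULE_NAME: read AVC records on stdin, print a .te module with
# a require block and one allow rule per unique (source type, target type,
# class, permissions) tuple, in first-seen order.
avc_to_te() {
  awk -v mod="$1" '
  /avc: +denied/ {
    perms = $0; sub(/.*denied +\{ /, "", perms); sub(/ \}.*/, "", perms)
    src = $0;   sub(/.*scontext=/, "", src);     sub(/ .*/, "", src)
    tgt = $0;   sub(/.*tcontext=/, "", tgt);     sub(/ .*/, "", tgt)
    cls = $0;   sub(/.*tclass=/, "", cls);       sub(/ .*/, "", cls)
    split(src, s, ":"); split(tgt, t, ":")        # user:role:type:level
    if (!(s[3] in types)) { types[s[3]] = 1; tlist[++nt] = s[3] }
    if (!(t[3] in types)) { types[t[3]] = 1; tlist[++nt] = t[3] }
    if (!(cls in classes)) { classes[cls] = 1; clist[++nc] = cls }
    n = split(perms, p, " ")
    for (i = 1; i <= n; i++)
      if (!((cls, p[i]) in cp)) { cp[cls, p[i]] = 1; cperms[cls] = cperms[cls] " " p[i] }
    rule = "allow " s[3] " " t[3] ":" cls " { " perms " };"
    if (!(rule in seen)) { seen[rule] = 1; rules[++nr] = rule }
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
    for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
    printf "}\n\n"
    for (i = 1; i <= nr; i++) print rules[i]
  }'
}

# install_module MODULE_NAME: the workflow from the reply, wrapped so it only
# runs on purpose (needs root and the policycoreutils tools on the box).
#   1. make httpd_t permissive so every denial is logged instead of enforced
#   2. exercise the application, then build and load the module
#   3. take httpd_t out of permissive mode again
install_module() {
  name=$1
  semanage permissive -a httpd_t
  echo "exercise OTRS through apache now, then press Enter"; read dummy
  grep 'avc: *denied' /var/log/audit/audit.log | avc_to_te "$name" > "$name.te"
  checkmodule -M -m -o "$name.mod" "$name.te"
  semodule_package -o "$name.pp" -m "$name.mod"
  semodule -i "$name.pp"
  semanage permissive -d httpd_t
}

# Stand-alone run: show the module the constructed sample would yield.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te myotrs
```

Run as a script and it prints a module with three types in the require block and two allow rules; the duplicated shm denial collapses into one rule. The generated rules are only as narrow as the types the kernel reported, so a target of unconfined_t (as in the thread's original rule) is the cue to look at why OTRS's segment is owned by an unconfined process rather than by a domain of its own.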