[CentOS] How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)

Fri Jun 3 19:51:43 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

On 06/03/2011 03:05 PM, Patrick Lists wrote:
> 
> Hi Aleksey,
> 
> 
> On 06/03/2011 01:47 AM, Aleksey Tsalolikhin wrote:
>> Hi.  I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
>> and audit.log / audit2allow tell me I need to add the local policy:
>>
>>
>> #============= httpd_t ==============
>> allow httpd_t unconfined_t:shm { unix_read unix_write };
>>
>> which I think will allow httpd to read from and write to shared memory?
>> Is that right?  What are the risks involved in opening this?  I notice it is
>> denied by the default policy.
>>
>> To simplify configuration management, I would prefer to make this setting
>> using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
>>
>> How do I request one?  (And whom do I ask?)
> 
> Since nobody has come up with a policy for eons I guess there is little 
> incentive to provide one. When you go through the OTRS website it 
> basically only says "turn off selinux" (which imho is pretty silly).
> 
> There was one person that tried to create a policy:
> http://lists.otrs.org/pipermail/dev/2005-September/001109.html
> 
> The #selinux channel on irc.freenode.net has always been helpful and 
> patient even with my n00b questions. If you have all the info from the 
> audit log then I would venture in there, put the audit log on a pastebin 
> and ask how to proceed next.
> 
> If you create a proper policy I would appreciate it if you could keep 
> this list updated. From what I have read OTRS seems a nice solution but 
> not when I have to turn off selinux.
> 
> Regards,
> Patrick
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Well, not likely, since this is not something we use with RHEL or Fedora.
But what I would suggest you do is put Apache into permissive mode and
then see what AVCs it creates.  Load a custom policy module to allow the
access.

# semanage permissive -a httpd_t

Run OTRS at boot, and attempt to interact with it via Apache.

I would figure there are a lot of rules to allow things like


# allow httpd_t initrc_t:shm { unix_read unix_write };


Once you have a bunch of avcs you can create a custom policy module

# grep initrc_t /var/log/audit/audit.log | audit2allow -M myotrs
# semodule -i myotrs.pp

Or ask someone on list to write a policy for this app.

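The steps above, scripted as an added example (this is not code from the thread, from OTRS, or from the distribution policy). It also answers the original question about a boolean: a loadable module can declare its own tunable with gen_tunable and gate the allow rule behind it, so the grant is toggled with setsebool instead of by loading or unloading modules. The module name myotrs, the boolean name httpd_otrs_shm, and the build path /usr/share/selinux/devel/Makefile (from selinux-policy-devel) are assumptions. The rule targets initrc_t rather than the unconfined_t seen in the original AVC because a daemon started from an init script runs as initrc_t, while one started from an interactive shell runs as unconfined_t; that is why the advice is to run OTRS at boot before collecting AVCs.

```shell
#!/bin/sh
# Added example, not code from the thread or from OTRS. It scripts the
# permissive-domain workflow and puts the resulting allow rule behind a
# module-local boolean so configuration management can use setsebool.
# Assumptions: module name "myotrs", boolean name "httpd_otrs_shm", and
# the selinux-policy-devel build Makefile under /usr/share/selinux/devel.
set -e

MODULE=myotrs
BOOLEAN=httpd_otrs_shm

# Emit a refpolicy-style .te file. The allow rule is scoped to initrc_t:shm
# (daemons started from init), not unconfined_t (anything started from a
# user shell), and is only active while the boolean is on.
gen_te() {
    sed -e "s/@MODULE@/$MODULE/g" -e "s/@BOOL@/$BOOLEAN/g" <<'EOF'
policy_module(@MODULE@, 1.0)

require {
        type httpd_t;
        type initrc_t;
        class shm { unix_read unix_write };
}

## <desc>
## <p>Allow httpd to read and write SysV shared memory created by
## initrc_t (the OTRS daemons started at boot).</p>
## </desc>
gen_tunable(@BOOL@, false)

tunable_policy(`@BOOL@', `
        allow httpd_t initrc_t:shm { unix_read unix_write };
')
EOF
}

# Step 1: log every httpd_t denial without enforcing it. This makes only the
# httpd_t domain permissive, not the whole system. Afterwards, start OTRS
# from its init script and drive it through Apache.
start_permissive() {
    semanage permissive -a httpd_t
}

# Step 2: print what audit2allow would grant, without loading anything, so
# each rule can be reviewed instead of loading the raw module blindly.
review_avcs() {
    grep initrc_t /var/log/audit/audit.log | audit2allow
}

# Step 3: build the boolean-gated module, load it, turn the boolean on
# persistently (-P survives reboots), and put httpd_t back in enforcing mode.
build_and_load() {
    dir=$(mktemp -d)
    gen_te > "$dir/$MODULE.te"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    setsebool -P "$BOOLEAN" on
    semanage permissive -d httpd_t
}

case "${1:-}" in
    te)         gen_te ;;
    permissive) start_permissive ;;
    review)     review_avcs ;;
    load)       build_and_load ;;
    *)          echo "usage: $0 te|permissive|review|load" >&2 ;;
esac
```

Run `sh myotrs.sh te` to inspect the generated policy, `permissive` before exercising OTRS, `review` to read the rules audit2allow derives from the AVCs, and `load` once you are satisfied that the shm rule is the only access needed; `getsebool httpd_otrs_shm` then shows the new boolean, and `setsebool -P httpd_otrs_shm off` revokes the access without removing the module.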