-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/03/2011 03:05 PM, Patrick Lists wrote:
>
> Hi Aleksey,
>
>
> On 06/03/2011 01:47 AM, Aleksey Tsalolikhin wrote:
>> Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
>> and audit.log / audit2allow tell me I need to add the local policy:
>>
>>
>> #============= httpd_t ==============
>> allow httpd_t unconfined_t:shm { unix_read unix_write };
>>
>> which I think will allow the httpd access to read and write from shared memory?
>> Is that right? What are the risks involved in opening this? I notice it is
>> denied by the default policy.
>>
>> To simplify configuration management, I would prefer to make this setting
>> using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
>>
>> How do I request one? (And whom do I ask?)
>
> Since nobody has come up with a policy for eons I guess there is little
> incentive to provide one. When you go through the OTRS website it
> basically only says "turn off selinux" (which imho is pretty silly).
>
> There was one person that tried to create a policy:
> http://lists.otrs.org/pipermail/dev/2005-September/001109.html
>
> The #selinux channel on irc.freenode.net has always been helpful and
> patient even with my n00b questions. If you have all the info from the
> audit log then I would venture in there, put the audit log on a pastebin
> and ask how to proceed next.
>
> If you create a proper policy I would appreciate it if you could keep
> this list updated. From what I have read OTRS seems a nice solution but
> not when I have to turn off selinux.
>
> Regards,
> Patrick
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Well not likely since this is not something we use with RHEL or Fedora.

But what I would suggest you do is put apache into permissive mode and
then see what avcs it creates. Load a custom policy module to allow the
access.

# semanage permissive -a httpd_t

Run OTRS at boot, and attempt to interact with it via apache.

I would figure there are a lot of rules to allow things like

# allow httpd_t initrc_t:shm { unix_read unix_write };

Once you have a bunch of avcs you can create a custom policy module

# grep initrc_t /var/log/audit/audit.log | audit2allow -M myotrs
# semodule -i myotrs.pp

Or ask someone on list to write a policy for this app.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3pO08ACgkQrlYvE4MpobPUGQCfWcVIkUcfBl9FvXKYJoZx8yKA
EkoAoNI2xKF02IZTYDwDLxtCqK8+0Rn0
=o/y6
-----END PGP SIGNATURE-----
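The procedure the reply sketches (make httpd_t permissive, collect the AVC denials, turn them into a custom policy module, load it) as a worked example; this is added code, not from the thread, from OTRS or from the CentOS/SELinux projects. The AVC lines are constructed sample data modelled on the shm denial quoted above (with the initrc_t target the reply guesses at, plus one file denial), the module name myotrs is the one the reply uses, and the checkmodule/semodule_package/semodule/semanage steps are assumed to exist only on the SELinux box itself, so they are skipped elsewhere. The rule extraction that audit2allow does is reimplemented in awk so it can be run and checked on any host.

```sh
#!/bin/sh
# Added example: derive a minimal SELinux policy module from AVC denials.
# Flow: permissive httpd_t -> collect AVCs -> allow rules -> .te -> semodule.
# SAMPLE_AVCS below is constructed data, not real audit output.

SAMPLE_AVCS='type=AVC msg=audit(1307000000.000:101): avc:  denied  { unix_read unix_write } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=shm
type=AVC msg=audit(1307000000.000:102): avc:  denied  { read } for  pid=2345 comm="httpd" name="Config.pm" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1307000000.000:103): avc:  denied  { unix_read unix_write } for  pid=2346 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=shm'

# avc_to_allow: audit lines on stdin -> one "allow" rule per
# (source type, target type, class); permissions merged and de-duplicated,
# which is what audit2allow does for the simple case.
avc_to_allow() {
    grep 'avc:  denied' | awk '
    {
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next
        perms = substr($0, b + 1, e - b - 1)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third field of user:role:type:level
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t ":" c
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END { for (k in plist) printf "allow %s {%s };\n", k, plist[k] }' | sort
}

# make_te: wrap allow rules (stdin) into module source for checkmodule,
# generating the require{} block from the types, classes and permissions used.
make_te() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '
    $1 == "allow" {
        split($3, tc, ":")
        types[$2] = 1; types[tc[1]] = 1
        b = index($0, "{"); e = index($0, "}")
        n = split(substr($0, b + 1, e - b - 1), p, " ")
        for (j = 1; j <= n; j++)
            if (!((tc[2], p[j]) in seen)) { seen[tc[2], p[j]] = 1; cp[tc[2]] = cp[tc[2]] " " p[j] }
    }
    END {
        for (t in types) print "\ttype " t ";" | "sort"
        close("sort")
        for (c in cp) print "\tclass " c " {" cp[c] " };" | "sort"
        close("sort")
    }'
    printf '}\n\n%s\n' "$rules"
}

# build_and_load: the on-box steps. Assumes httpd_t was made permissive earlier
# with "semanage permissive -a httpd_t" (as in the reply) and puts it back into
# enforcing once the module is loaded. Skipped where the toolchain is absent.
build_and_load() {
    name=$1
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not available; skipping load" >&2; return 1; }
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp" &&
    semanage permissive -d httpd_t
}

# Stand-alone: sh this_script.sh run
# On the real box replace SAMPLE_AVCS with: grep httpd_t /var/log/audit/audit.log
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow | make_te myotrs | tee myotrs.te
    build_and_load myotrs
fi
```

Read the generated .te before loading it: each allow line is exactly one capability being opened (here httpd_t sharing SysV shared memory with initrc_t, and reading a var_t file), so the question asked at the top of the thread, what is being permitted and whether that is acceptable, can be answered per rule rather than by switching SELinux off.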