
List:       selinux
Subject:    Re: Can someone please assist me with selinux issue
From:       David Cottle <webmaster () aus-city ! com>
Date:       2007-07-04 23:30:29
Message-ID: 468C2D95.2010801 () aus-city ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the reply Stephen.  How do I enable the 'link' permission
as you described?

Cheers!

David

Stephen Smalley wrote:
> On Tue, 2007-07-03 at 21:15 +1000, David Cottle wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> I've got an FTP session from an IP camera sending images every 1 minute.
>>
>> I keep getting these AVC messages in /var/log/messages:
>>
>> Jul  1 04:43:40 server kernel: audit(1183229020.232:8256): avc:
>> denied  { link } for  pid=2043 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:ftpd_t:s0 tclass=key
>> Jul  1 04:44:40 server kernel: audit(1183229080.245:8257): avc:
>> denied  { link } for  pid=2061 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:ftpd_t:s0 tclass=key
>> Jul  1 04:45:40 server kernel: audit(1183229140.367:8258): avc:
>> denied  { link } for  pid=2259 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
>> Jul  1 04:46:40 server kernel: audit(1183229200.238:8259): avc:
>> denied  { link } for  pid=2267 comm="in.proftpd"
>> scontext=system_u:system_r:ftpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
>>
>> Every time there is a transfer.  So at 1 minute intervals there are
>> too many.  Also I want to add more webcams so no doubt it's going to
>> get worse.
>>
>> However I read and created a policy:
>>
>> grep proftpd /var/log/messages | audit2allow -M proftpd
>> semodule -i proftpd.pp
>>
>>
>> However, with the above I STILL get the annoying AVC denied messages.
>>
>> Can someone please explain and tell me how can I update and get rid of
>> the denied messages?
>>
>> This is the proftpd.te rule it made:
>>
>> module proftpd 1.0;
>>
>> require {
>>     type ftpd_t;
>>     type crond_t;
>>     type httpd_suexec_t;
>>     class capability dac_override;
>>     class key { write search };
>> }
>>
>> #============= ftpd_t ==============
>> allow ftpd_t crond_t:key search;
>> allow ftpd_t httpd_suexec_t:key search;
>> allow ftpd_t self:capability dac_override;
>> allow ftpd_t self:key { write search };
>
> You don't seem to be allowing "link" permission above, which is what was
> being denied by the audit messages you posted.
>
>> But I see crond, httpd and ftpd all there but this rule does nothing :(
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGjC2Ui1lOcz5YUMgRAuctAJ9ud3yxGylHozKDgI3eIf3U7p1vTgCgpaem
3taj9Wm+FbUKTtzw1w5ksLs=
=/2aU
-----END PGP SIGNATURE-----


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
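The module quoted in the thread grants `write` and `search` on keys, but every AVC in the log is a `link` denial, which is Stephen's point: the module cannot silence denials it never covers. The following is an added example, not code from the thread or from the SELinux project: it parses the four AVC lines quoted above (embedded as constructed sample input, unwrapped to one line each), checks them against the posted proftpd.te to show exactly which denied permissions that module does not grant, and emits a merged module that adds the missing `link` rules to the existing ones. The parsing regexes and the module renderer are this example's own; the `checkmodule`, `semodule_package` and `semodule` commands in the usage note are the standard tools and are not run by the script.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC denials quoted in the thread,
# unwrapped onto one line each as they appear in /var/log/messages.
SAMPLE_LOG = """\
Jul  1 04:43:40 server kernel: audit(1183229020.232:8256): avc: denied  { link } for  pid=2043 comm="in.proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=key
Jul  1 04:44:40 server kernel: audit(1183229080.245:8257): avc: denied  { link } for  pid=2061 comm="in.proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=key
Jul  1 04:45:40 server kernel: audit(1183229140.367:8258): avc: denied  { link } for  pid=2259 comm="in.proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
Jul  1 04:46:40 server kernel: audit(1183229200.238:8259): avc: denied  { link } for  pid=2267 comm="in.proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
"""

# The proftpd.te that audit2allow produced, as posted in the thread.
POSTED_TE = """\
module proftpd 1.0;

require {
    type ftpd_t;
    type crond_t;
    type httpd_suexec_t;
    class capability dac_override;
    class key { write search };
}

allow ftpd_t crond_t:key search;
allow ftpd_t httpd_suexec_t:key search;
allow ftpd_t self:capability dac_override;
allow ftpd_t self:key { write search };
"""

# Regexes are this example's own; they cover the kernel "avc: denied" line
# shape seen above and plain "allow src tgt:class perms;" statements.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?));", re.M)

def type_of(context):
    """user:role:type[:range] -> type, the part allow rules are written against."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            denied[key].update(m["perms"].split())
    return denied

def parse_allows(te_text):
    """Map (source, target, class) -> permissions a .te grants; 'self' is resolved to the source."""
    allowed = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        tgt = src if tgt == "self" else tgt
        allowed[(src, tgt, cls)].update((braced or single).split())
    return allowed

def find_uncovered(denied, te_text):
    """Denied (src, tgt, class, perm) tuples the module does not grant: the AVCs that will keep coming."""
    allowed = parse_allows(te_text)
    return sorted((s, t, c, p) for (s, t, c), perms in denied.items()
                  for p in perms if p not in allowed[(s, t, c)])

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(name, version, rules):
    """Emit a .te module granting every permission in rules, with the require block it needs."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    by_class = defaultdict(set)
    for (_, _, c), perms in rules.items():
        by_class[c] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(by_class[c])};" for c in sorted(by_class)]
    out += ["}", ""]
    for s, t, c in sorted(rules):
        out.append(f"allow {s} {'self' if s == t else t}:{c} {fmt_perms(rules[(s, t, c)])};")
    return "\n".join(out) + "\n"

def merged_module(log_text, te_text, name="proftpd", version="1.1"):
    """Existing allow rules plus everything the log shows denied: the module to rebuild and reload."""
    rules = parse_allows(te_text)
    for key, perms in parse_denials(log_text).items():
        rules[key] |= perms
    return render_te(name, version, rules)

if __name__ == "__main__":
    for s, t, c, p in find_uncovered(parse_denials(SAMPLE_LOG), POSTED_TE):
        print(f"not granted by posted module: allow {s} {t}:{c} {p};")
    print(merged_module(SAMPLE_LOG, POSTED_TE))
```

Run as-is, it reports the two `link` rules the posted module lacks (`ftpd_t` on its own keys and on `crond_t` keys) and prints a proftpd.te whose key rules read `allow ftpd_t self:key { link search write };` and `allow ftpd_t crond_t:key { link search };`. Write that output to proftpd.te, then build and load it with `checkmodule -M -m -o proftpd.mod proftpd.te`, `semodule_package -o proftpd.pp -m proftpd.mod` and `semodule -i proftpd.pp`; installing under the same module name replaces the loaded proftpd module. Before loading, note that `allow ftpd_t crond_t:key link` lets the FTP daemon attach keys to keyrings owned by the cron domain; if the daemon works without that access and the aim is only to stop the log noise, a `dontaudit ftpd_t crond_t:key link;` rule in place of the `allow` silences the message without granting the cross-domain access.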

