Discussion:
Trying again: why am I getting denials in a directory that has been labeled...
m***@5-cent.us
2018-06-14 17:53:23 UTC
Or, more precisely, we have a std. directory, which is bind mounted, and
which was set with semanage fcontext -a -e /var/www /actual/path/htdocs,
and a file in <directory>/htdocs/<site>/cgi-bin/sub>/<sub?file

-rw-rw-r--. apache imagej unconfined_u:object_r:httpd_sys_script_exec_t:s0

is the file's info. From the names, I'm guessing some .cgi is writing a
count to it.

What *should* it be?

mark
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org/message/AAZPQLYYDHM2G2WCBPJHOO7I4
Jason L Tibbitts III
2018-06-14 17:57:20 UTC
Not sure if you realize, but you didn't actually include any information
about the denial you are receiving. It's kind of tough to guess at what
it might be.

- J<
m***@5-cent.us
2018-06-14 18:21:26 UTC
Post by Jason L Tibbitts III
> Not sure if you realize, but you didn't actually include any information
> about the denial you are receiving. It's kind of tough to guess at what
> it might be.

SELinux is preventing Count.cgi from write access on the file...
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                unconfined_u:object_r:httpd_sys_script_exec_t:s0
Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
Raw Audit Messages
type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for
pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file

Better?

mark
Paul Howarth
2018-06-15 10:13:41 UTC
On Thu, 14 Jun 2018 14:21:26 -0400
Post by m***@5-cent.us
> Post by Jason L Tibbitts III
> > Not sure if you realize, but you didn't actually include any
> > information about the denial you are receiving. It's kind of tough
> > to guess at what it might be.
> SELinux is preventing Count.cgi from write access on the file...
> Source Context                system_u:system_r:httpd_sys_script_t:s0
> Target Context                unconfined_u:object_r:httpd_sys_script_exec_t:s0
> Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
> Raw Audit Messages
> type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for
> pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
> Better?

The file you want to write to should probably be
httpd_sys_rw_content_t rather than httpd_sys_script_exec_t.

Paul.
Lukas Vrabec
2018-06-17 09:27:42 UTC
Post by Paul Howarth
> On Thu, 14 Jun 2018 14:21:26 -0400
> Post by m***@5-cent.us
> > Post by Jason L Tibbitts III
> > > Not sure if you realize, but you didn't actually include any
> > > information about the denial you are receiving. It's kind of tough
> > > to guess at what it might be.
> > SELinux is preventing Count.cgi from write access on the file...
> > Source Context                system_u:system_r:httpd_sys_script_t:s0
> > Target Context                unconfined_u:object_r:httpd_sys_script_exec_t:s0
> > Policy RPM                    selinux-policy-3.13.1-192.el7_5.3.noarch
> > Raw Audit Messages
> > type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for
> > pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
> > Better?
> The file you want to write to should probably be
> httpd_sys_rw_content_t rather than httpd_sys_script_exec_t.

Agree with Paul; however, should the file you want to write be executed as
a cgi-bin script?

Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
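An added example (not from any poster in the thread) that turns the two replies above into a checkable triage step: it parses an AVC record shaped like the one quoted and, when a domain is denied write on a file labelled with an `_exec_t` type, prints the relabel commands for review instead of running them. The `pid`, `comm` and `name` values, the `site1/.../count.dat` path and the function names are constructed; the rule is written against the `/var/www` side of the equivalence from the first message because libselinux applies that substitution before matching file-context rules.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the thread with the snipped fields
# filled in with made-up values (pid, comm, name).
SAMPLE_AVC='type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for pid=1234 comm="Count.cgi" name="count.dat" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value from an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: print the type, the third field of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# equiv_path REAL_ROOT EQUIV_ROOT PATH: rewrite PATH the way the labelling
# code sees it once "semanage fcontext -a -e EQUIV_ROOT REAL_ROOT" is in place.
equiv_path() {
    case "$3" in
        "$1"/*) printf '%s%s\n' "$2" "${3#"$1"}" ;;
        *)      printf '%s\n' "$3" ;;
    esac
}

# relabel_plan LINE REAL_PATH: a write or append denied on an *_exec_t file
# means a data file carries a script label. Print the commands that give it
# the writable content type named in Paul's reply; print nothing otherwise.
relabel_plan() {
    [ "$(avc_field "$1" tclass)" = file ] || return 0
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    case "$(avc_perms "$1") $ttype" in
        *write*_exec_t|*append*_exec_t)
            # The file spec is a regular expression matched on the /var/www form.
            spec=$(equiv_path /actual/path/htdocs /var/www "$2")
            echo "semanage fcontext -a -t httpd_sys_rw_content_t '$spec'"
            echo "restorecon -v '$2'" ;;
    esac
}

# Hypothetical path of the counter file under the bind-mounted tree.
relabel_plan "$SAMPLE_AVC" /actual/path/htdocs/site1/cgi-bin/data/count.dat
```

Only the data file is relabelled, so the scripts in `cgi-bin` keep `httpd_sys_script_exec_t` and stay non-writable by the CGI domain.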