On Mon, Nov 19, 2001 at 08:37:53AM -0500, Stephen Smalley wrote:
> I don't think anyone has written a general tutorial. However, you'll find
> quite a bit of useful information in the security server section of the
> first technical report, the entire second technical report, and the OLS
> 2001 paper, all of which are on the web site. Several people outside of
Thanks. I am slowly making progress. Over the last few nights I've been going through "A Security Policy Configuration for the Security-Enhanced Linux" in the documentation section and I have noticed that I get a 404 if I stop reading and pick it up again later. Looks like the URL changes periodically. Odd.
A policy question: I didn't have apache installed at the time I installed SELinux but now I want to install, make it run some useful web app, and try to secure it. SELinux seems to come with a policy for the stock apache install so I installed the rpm that normally comes with RH6.1.
Then I did:
make relabel && make load
Just to make sure the newly installed files get assigned the right type and the policy gets compiled and loaded. But when I try to start apache I get permission denied:
[root@tracy policy]# /etc/rc.d/init.d/httpd start
Starting httpd: execvp: Permission denied
[root@tracy init.d]# /usr/sbin/httpd
bash: /usr/sbin/httpd: Permission denied
[root@tracy init.d]#
[root@tracy init.d]# ls -la /usr/sbin/httpd
-rwxr-xr-x 1 root root 337500 Mar 29 2001 /usr/sbin/httpd
[root@tracy init.d]# ls -la --context /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
What am I missing here?
Also, I notice that when I log in as the user "jdoe" and do an ls -la on / the jdoe user sees this:
ls: lost+found: Permission denied
ls: ...security: Permission denied
Not much good for hiding files is it?
As a result of the ls I get this in the messages file:
Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel: tclass=dir
I'm not sure if I would really want the ls of every user in / to set that off but even more of a problem is that the message takes up four lines in the messages file. I normally run logcheck once an hour which sends me anything interesting from the logfiles after filtering out the bits I have deemed non-interesting so it would be quite convenient to have it all on one line.
-- Tracy Reed http://www.ultraviolet.org
Received on Wed 21 Nov 2001 - 03:36:52 EST
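One way to get the denial onto a single line for logcheck, as an added example that is not part of the original mail or of the SELinux tools: a small Python script that stitches the four syslog lines of one avc denial back into a single record and prints it as one line. The sample lines are constructed from the messages quoted above, and the regexes assume the old "kernel: avc: denied" syslog format shown there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the four-line avc denial quoted in the mail, followed by
# an unrelated line so the joiner has to know where the record ends.
SAMPLE_LOG = """\
Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel: tclass=dir
Nov 21 01:04:10 bench3 sshd[1234]: Accepted password for jdoe from 10.0.0.5
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
AVC_START_RE = re.compile(r"^avc: +denied +\{ *(?P<perms>[^}]*?) *\} +for +(?P<kv>.*)$")
CONTINUATION_RE = re.compile(r"^(\w+=\S+\s*)+$")   # e.g. "scontext=jdoe:user_r:user_t"

def join_avc_records(lines) -> List[Dict[str, object]]:
    """Reassemble avc denials that syslog split across several lines.
    A continuation is a key=value-only kernel line from the same host that
    directly follows the 'avc: denied' line; anything else closes the record."""
    records: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        start = AVC_START_RE.match(m.group("msg")) if m else None
        if start:
            current = {"ts": m.group("ts"), "host": m.group("host"),
                       "perms": start.group("perms").split()}
            current.update(re.findall(r"(\w+)=(\S+)", start.group("kv")))
            records.append(current)
        elif current and m and m.group("host") == current["host"] \
                and CONTINUATION_RE.match(m.group("msg")):
            current.update(re.findall(r"(\w+)=(\S+)", m.group("msg")))
        else:
            current = None   # unrelated line: the denial is complete
    return records

def format_one_line(rec: Dict[str, object]) -> str:
    """Render a joined denial as a single syslog-style line for logcheck."""
    fields = " ".join(f"{k}={v}" for k, v in rec.items()
                      if k not in ("ts", "host", "perms"))
    return (f"{rec['ts']} {rec['host']} kernel: avc: denied "
            f"{{ {' '.join(rec['perms'])} }} for {fields}")

if __name__ == "__main__":
    for rec in join_avc_records(SAMPLE_LOG.splitlines()):
        print(format_one_line(rec))
```

Pipe /var/log/messages through it (or call join_avc_records on the lines logcheck hands you) and each denial arrives as one line carrying scontext, tcontext and tclass together.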