SELinux configuration - not working for me: squirrelmail + vacation_local SUID

Hello.

I have worked my way through some SELinux FAQs for Fedora Core 5 and I still cannot get this running.

libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };

So far I have tried:

cd /usr/share/selinux/devel
audit2allow -m local -l -i /var/log/messages > local2.te

module local 1.0;
require {
class file { execute execute_no_trans read };
type httpd_sys_script_t;
type httpd_t;
type shadow_t;
type usr_t;
role system_r;
};
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t shadow_t:file read;
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };

checkmodule -M -m -o local2.mod local2.te

checkmodule: loading policy configuration from local2.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local2.mod

semodule_package -o local2.pp -m local2.mod
semodule -i local2.pp

libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

In squirrelmail_vacation_proxy.c the blocked part is:

/* getspnam() opens /etc/shadow (shadow_t); this is the read that SELinux denies */
if ((spw = getspnam(puid)) == NULL)
{
    printf("Invalid user\n ");
    exit(1);
}

And this I cannot get to work at all, it keeps behaving the same way; I am probably misunderstanding something:

Q: How do I write policy to allow a domain to use pam_unix.so?

A: Very few domains in the SELinux world are allowed to read the /etc/shadow file. There are constraint rules that prevent policy writers from writing code like

allow mydomain_t shadow_t:file read;

In RHEL4 you can setup your domain to use the unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like

daemon_domain(vsftpd, `auth_chkpwd')

This would create a context where vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t which can read /etc/shadow, while vsftpd_t is not able to read it.

In Fedora Core 5/RHEL5, add the rule

auth_domtrans_chk_passwd(vsftpd_t)

package: squirrelmail-1.4.8-1.fc5
plugin: Vacation Local http://www.squirrelmail.org/plugin_view.php?id=51
I would much rather use SUID than FTP


Regards

Ing. Zdeněk Havránek, HAF
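The FAQ quoted in the post points at the actual fix: the `allow httpd_sys_script_t shadow_t:file read;` line that audit2allow generated can never be loaded, because the base policy carries a constraint (the "assertion on line 0") that forbids exactly that rule for every domain except the password-checking ones. The supported way is to let the CGI domain transition into the chkpwd domain via the `auth_domtrans_chk_passwd()` interface. The script below is an added example, not something from this thread or from the squirrelmail project; the module name `local_chkpwd`, the file names, and the path `/usr/share/selinux/devel/Makefile` are assumptions, and it assumes the FC5 reference-policy interface names are those the FAQ quotes. Two points it makes explicit: plain `checkmodule` on a `.te` file (the workflow in the post) cannot expand m4 interfaces, so the module has to be built with the reference-policy Makefile; and the transition only helps a program that authenticates by running `unix_chkpwd` (for example through PAM), not one that calls `getspnam()` itself as the proxy above does, so the proxy would need to be changed to use PAM for the policy to apply.

```shell
#!/bin/sh
# Added example (not from the original thread): build a policy module that
# lets httpd_sys_script_t verify passwords through unix_chkpwd instead of
# reading /etc/shadow directly. Module and file names are assumptions.
set -e

# Write the module source. Assumption: the reference-policy macros used
# here (policy_module, gen_require, auth_domtrans_chk_passwd) are the
# FC5 ones named in the FAQ quoted in the post.
write_chkpwd_module() {
    out="$1"
    cat > "$out" <<'EOF'
policy_module(local_chkpwd, 1.0)

gen_require(`
    type httpd_sys_script_t;
')

# Do NOT write: allow httpd_sys_script_t shadow_t:file read;
# That rule violates the shadow_t constraint in the base policy and
# semodule refuses the whole module. Instead, let the CGI domain
# transition into the password-checking domain when it executes
# unix_chkpwd (chkpwd_exec_t); only that domain may read shadow_t.
auth_domtrans_chk_passwd(httpd_sys_script_t)
EOF
}

# Build with the reference-policy Makefile so the m4 interfaces are
# expanded; running checkmodule directly on the .te cannot resolve
# auth_domtrans_chk_passwd(). Prints the path of the resulting .pp.
build_chkpwd_module() {
    src="$1"
    dir=$(dirname "$src")
    name=$(basename "$src" .te)
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
        echo "$dir/$name.pp"
    else
        echo "devel Makefile not found; install selinux-policy-devel" >&2
        return 1
    fi
}

# Sanity check on the generated source: no shadow_t rule outside comments,
# and the interface call present. Returns 0 when the module looks right.
check_chkpwd_module() {
    if grep -v '^#' "$1" | grep -q 'shadow_t:file'; then
        return 1
    fi
    grep -q 'auth_domtrans_chk_passwd(httpd_sys_script_t)' "$1"
}

# Usage on the FC5 host (as root):
#   write_chkpwd_module local_chkpwd.te
#   check_chkpwd_module local_chkpwd.te
#   build_chkpwd_module local_chkpwd.te && semodule -i local_chkpwd.pp
```

After `semodule -i` succeeds, `semodule -l` should list `local_chkpwd`, and the assertion violation from the post disappears because the module no longer asks for a direct read of `shadow_t`. If `/var/log/messages` still shows denials, they will now be about the transition path (executing `chkpwd_exec_t`) rather than about `shadow_t`, which is the point at which `audit2allow` output becomes safe to act on again.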

Honestly, I would recommend trying a more specialised mailing list instead; here usually only fairly beginner-level questions get dealt with.

I would also add that SELinux is almost pointless on a workstation; it makes more sense on servers.

But I only run Linux on servers. A lot of other software forces me to stay on MS Windows on the workstations.

Where would you recommend I ask? Apart from consulting Google and a colleague, the last time I asked was years ago on linux@linux.cz, but that does not look very promising any more either.