Hello.
I have worked my way through some SELinux FAQs for Fedora Core 5 and still can't get it running.
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };
So far I have tried:
cd /usr/share/selinux/devel
audit2allow -m local -l -i /var/log/messages > local2.te
module local 1.0;

require {
    class file { execute execute_no_trans read };
    type httpd_sys_script_t;
    type httpd_t;
    type shadow_t;
    type usr_t;
    role system_r;
};

allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t shadow_t:file read;
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
checkmodule -M -m -o local2.mod local2.te
checkmodule: loading policy configuration from local2.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local2.mod
semodule_package -o local2.pp -m local2.mod
semodule -i local2.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
In squirrelmail_vacation_proxy.c this is what gets blocked:
if ((spw = getspnam(puid)) == NULL)
{
    printf("Invalid user\n");
    exit(1);
}
And this part I can't get to work at all, it keeps behaving the same way, I probably don't understand something:
Q: How do I write policy to allow a domain to use pam_unix.so?
A: Very few domains in the SELinux world are allowed to read the /etc/shadow file. There are constraint rules that prevent policy writers from writing code like
allow mydomain_t shadow_t:file read;
In RHEL4 you can setup your domain to use the unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like
daemon_domain(vsftpd, `auth_chkpwd')
This would create a context where vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t which can read /etc/shadow, while vsftpd_t is not able to read it.
In Fedora Core 5/RHEL5, add the rule
auth_domtrans_chk_passwd(vsftpd_t)
package: squirrelmail-1.4.8-1.fc5
plugin: Vacation Local http://www.squirrelmail.org/plugin_view.php?id=51
I would much rather use SUID than FTP
--
Regards
Ing. Zdeněk Havránek, HAF
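As an added example (not part of the original post), the module rewritten the way the quoted FAQ suggests, applied to the poster's domain httpd_sys_script_t instead of vsftpd_t, plus the build step: refpolicy interfaces such as auth_domtrans_chk_passwd are m4 macros, so the module has to be built with the devel Makefile rather than with checkmodule directly. The interface only grants the transition to unix_chkpwd, so it helps a proxy that authenticates through PAM (pam_unix) rather than one that reads the shadow file itself via getspnam. File and directory names below are assumptions.

```shell
#!/bin/sh
# Added example: corrected local module for the post's case plus the build
# step. Paths and the module name are assumptions modelled on the post.
set -e

# Write local.te into the given directory. The direct read of shadow_t is
# gone: that allow rule is what trips the libsepol assertion. In its place
# the CGI domain gets the transition to the chkpwd domain, which is the one
# allowed to read /etc/shadow.
write_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/local.te" <<'EOF'
policy_module(local, 1.0)

require {
    type httpd_sys_script_t;
    type httpd_t;
    type usr_t;
};

# Let httpd_sys_script_t exec /sbin/unix_chkpwd and transition, instead of
# reading the shadow file directly (which constraints forbid).
auth_domtrans_chk_passwd(httpd_sys_script_t)

# The remaining rules audit2allow produced are unproblematic and stay.
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
EOF
    printf '%s\n' "$dir/local.te"
}

# Build local.pp with the refpolicy Makefile; checkmodule alone would not
# expand the auth_domtrans_chk_passwd macro. Loading needs root: semodule -i.
build_module() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile local.pp)
    echo "now load it with: semodule -i $dir/local.pp" >&2
}

# Check whether a policy file contains a line matching the given regex.
has_rule() {
    grep -Eq "$2" "$1"
}
```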