SElinux — SqWebMail

— domains/program/apache.te.orig
+++ domains/program/apache.te
@@ -342.3 +342.10 @@

read_sysctl(httpd_sys_script_t)
allow httpd_sys_script_t var_lib_t:dir search;
+
+#
+# sqwebmail
+#
+type sqwebmail_write_t. file_type;
+allow httpd_sys_script_t sqwebmail_write_t:sock_file write;
+allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;
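Review bot: the `type sqwebmail_write_t. file_type;` line has a `.` where the attribute separator should be a `,`; as written it should be `type sqwebmail_write_t, file_type;` or the policy will not compile. Separately, `allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;` grants every CGI script running as httpd_sys_script_t the right to connect to any unix stream socket owned by an unconfined process, which is much wider than the sqwebmail daemon's socket; if the daemon cannot be given its own domain, at least note in the comment block that this rule is deliberately broad.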

— file_contexts/program/apache.fc.orig
+++ file_contexts/program/apache.fc
@@ -44.3 +44.4 @@
/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
+/var/sqwebmail.sock system_u:object_r:sqwebmail_write_t
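Review bot: the file context pattern `/var/sqwebmail.sock` is a regex, so the unescaped `.` also matches any single character; write it as `/var/sqwebmail\.sock`. Also, because the socket is recreated by the daemon at runtime (the denial above shows it inheriting `var_t` from `/var`), this label only holds until the next restart unless `restorecon` is run again or a type transition is added for the creating domain; worth a comment next to the entry.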

# pwd
/etc/selinux/targeted/src/policy
# make reload
# restorecon -R /var/sqwebmail.sock


Without the policy, logs like the following appear.

Mar 1 10:19:47 lachesis kernel: audit(1109639987.528:0): avc: denied { write } for pid=30831 exe=/var/www/cgi-bin/sqwebmail name=sqwebmail.sock dev=sda2 ino=13 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_t tclass=sock_file
Mar 1 10:19:47 lachesis kernel: audit(1109639987.529:0): avc: denied { connectto } for pid=30831 exe=/var/www/cgi-bin/sqwebmail path=/var/sqwebmail.sock scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket
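To see how the two denials above map onto allow rules, here is an added example (not code from the original post) that parses the page's own AVC lines, in the style of audit2allow; the function names `parse_avc` and `allow_rules` are my own. The first derived rule targets `var_t`, the label the socket inherited from `/var`, which is exactly why the post introduces the narrower `sqwebmail_write_t` type instead of allowing writes to all of `var_t`.

```python
import re

# The two AVC denial lines quoted on this page, embedded here as the sample input.
AVC_LINES = [
    "Mar 1 10:19:47 lachesis kernel: audit(1109639987.528:0): avc: denied "
    "{ write } for pid=30831 exe=/var/www/cgi-bin/sqwebmail name=sqwebmail.sock "
    "dev=sda2 ino=13 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=root:object_r:var_t tclass=sock_file",
    "Mar 1 10:19:47 lachesis kernel: audit(1109639987.529:0): avc: denied "
    "{ connectto } for pid=30831 exe=/var/www/cgi-bin/sqwebmail "
    "path=/var/sqwebmail.sock scontext=root:system_r:httpd_sys_script_t "
    "tcontext=root:system_r:unconfined_t tclass=unix_stream_socket",
]

# Matches "avc: denied { perm ... } for key=value ..." and captures both parts.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the source type, target type, object class and permissions of one denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC denial line
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type[:level]; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }


def allow_rules(lines):
    """Merge denials by (source, target, class) and emit minimal allow rules."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES)))
```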
