10-27-2010, 04:45 PM
Orion Poplawski

DSGW SELinux issues

Running on CentOS 5.4, get:

type=AVC msg=audit(1288197048.706:347260): avc: denied { execute_no_trans }
for pid=1388 comm="httpd.worker" path="/usr/lib/dirsrv/dsgw-cgi-bin/lang"
dev=dm-4 ino=225129 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file

Looks like these are mislabeled:
[root@earth admin-serv]# ls -Z /usr/lib/dirsrv/cgi-bin
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t admpw
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t config
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t download
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t dsconfig
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_create
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_listdb
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_remove
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_restart
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_shutdown
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_snmpctrl
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_start
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_unregister
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t help
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t htmladmin
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t monreplication
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ReadLog
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t repl-monitor-cgi.pl
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t restartsrv
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t sec-activate
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t security
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t start_config_ds
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statpingserv
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statusping
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t stopsrv
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ugdsconfig
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewdata
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewlog
[root@earth admin-serv]# ls -Z /usr/lib/dirsrv/dsgw-cgi-bin
-rwxr-xr-x root root system_u:object_r:lib_t auth
-rwxr-xr-x root root system_u:object_r:lib_t csearch
-rwxr-xr-x root root system_u:object_r:lib_t dnedit
-rwxr-xr-x root root system_u:object_r:lib_t doauth
-rwxr-xr-x root root system_u:object_r:lib_t domodify
-rwxr-xr-x root root system_u:object_r:lib_t dosearch
-rwxr-xr-x root root system_u:object_r:lib_t edit
-rwxr-xr-x root root system_u:object_r:lib_t lang
-rwxr-xr-x root root system_u:object_r:lib_t myorg
-rwxr-xr-x root root system_u:object_r:lib_t newentry
-rwxr-xr-x root root system_u:object_r:lib_t org
-rwxr-xr-x root root system_u:object_r:lib_t search
-rwxr-xr-x root root system_u:object_r:lib_t tutor
-rwxr-xr-x root root system_u:object_r:lib_t unauth



389-admin-1.1.11-1.el5
389-admin-console-1.1.5-1.el5
389-admin-console-doc-1.1.5-1.el5
389-adminutil-1.1.8-4.el5
389-console-1.1.4-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.6.1-2.el5
389-ds-console-1.2.3-1.el5
389-ds-console-doc-1.2.3-1.el5
389-dsgw-1.1.5-1.el5

File a bug?

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion@cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
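
The correlation made in the post above (one AVC denial, then an `ls -Z` comparison of two directories), as an added example that is not part of the original post or of the 389 project. The sample input is abridged from the post with contexts written in full `system_u:object_r:...` form; the function names and the `fixed_example` entry are constructed, and treating the `cgi-bin` type as the reference label is an assumption.

```python
import re

# Constructed sample input, abridged from the audit record quoted in the post.
AVC = ('type=AVC msg=audit(1288197048.706:347260): avc: denied { execute_no_trans } '
       'for pid=1388 comm="httpd.worker" path="/usr/lib/dirsrv/dsgw-cgi-bin/lang" '
       'dev=dm-4 ino=225129 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:lib_t:s0 tclass=file')
# Reference listing: two entries from /usr/lib/dirsrv/cgi-bin.
LS_Z_REFERENCE = """\
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t admpw
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t config
"""
# Suspect listing: two entries from dsgw-cgi-bin plus one hypothetical relabeled file.
LS_Z_SUSPECT = """\
-rwxr-xr-x root root system_u:object_r:lib_t auth
-rwxr-xr-x root root system_u:object_r:lib_t lang
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t fixed_example
"""

def se_type(context):
    """Return the type field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_avc(record):
    """Extract the denied permissions and key=value fields from one AVC record."""
    perms = re.search(r"\{([^}]*)\}", record)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    fields = {k: v.strip('"') for k, v in fields.items()}
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def parse_ls_z(text):
    """Map file name -> SELinux type for 'mode user group context name' lines."""
    labels = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            labels[parts[4]] = se_type(parts[3])
    return labels

def mislabeled(avc_record, reference_ls, suspect_ls):
    """Files in the suspect listing that carry the denied target type
    and whose type does not occur anywhere in the reference directory."""
    denied_type = se_type(parse_avc(avc_record)["tcontext"])
    ref_types = set(parse_ls_z(reference_ls).values())
    return sorted(name for name, t in parse_ls_z(suspect_ls).items()
                  if t == denied_type and t not in ref_types)
```

Every file returned shares the label that produced the denial, so the whole directory needs relabeling rather than the single path named in the audit record.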
 
10-27-2010, 08:42 PM
Rich Megginson

DSGW SELinux issues

Orion Poplawski wrote:
> Running on CentOS 5.4, get:
>
> type=AVC msg=audit(1288197048.706:347260): avc: denied { execute_no_trans }
> for pid=1388 comm="httpd.worker" path="/usr/lib/dirsrv/dsgw-cgi-bin/lang"
> dev=dm-4 ino=225129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> Looks like these are mislabeled:
> [root@earth admin-serv]# ls -Z /usr/lib/dirsrv/cgi-bin
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t admpw
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t config
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t download
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t dsconfig
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_create
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_listdb
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_remove
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_restart
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_shutdown
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_snmpctrl
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_start
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_unregister
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t help
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t htmladmin
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t monreplication
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ReadLog
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t repl-monitor-cgi.pl
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t restartsrv
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t sec-activate
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t security
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t start_config_ds
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statpingserv
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statusping
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t stopsrv
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ugdsconfig
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewdata
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewlog
> [root@earth admin-serv]# ls -Z /usr/lib/dirsrv/dsgw-cgi-bin
> -rwxr-xr-x root root system_u:object_r:lib_t auth
> -rwxr-xr-x root root system_u:object_r:lib_t csearch
> -rwxr-xr-x root root system_u:object_r:lib_t dnedit
> -rwxr-xr-x root root system_u:object_r:lib_t doauth
> -rwxr-xr-x root root system_u:object_r:lib_t domodify
> -rwxr-xr-x root root system_u:object_r:lib_t dosearch
> -rwxr-xr-x root root system_u:object_r:lib_t edit
> -rwxr-xr-x root root system_u:object_r:lib_t lang
> -rwxr-xr-x root root system_u:object_r:lib_t myorg
> -rwxr-xr-x root root system_u:object_r:lib_t newentry
> -rwxr-xr-x root root system_u:object_r:lib_t org
> -rwxr-xr-x root root system_u:object_r:lib_t search
> -rwxr-xr-x root root system_u:object_r:lib_t tutor
> -rwxr-xr-x root root system_u:object_r:lib_t unauth
>
>
>
> 389-admin-1.1.11-1.el5
> 389-admin-console-1.1.5-1.el5
> 389-admin-console-doc-1.1.5-1.el5
> 389-adminutil-1.1.8-4.el5
> 389-console-1.1.4-1.el5
> 389-ds-1.2.1-1.el5
> 389-ds-base-1.2.6.1-2.el5
> 389-ds-console-1.2.3-1.el5
> 389-ds-console-doc-1.2.3-1.el5
> 389-dsgw-1.1.5-1.el5
>
> File a bug?
>
This is fixed in 389-admin-1.1.12.a1 which is soon headed to a testing
repo near you