
making an selinux module quickly

In this example I was trying to serve files up from samba and lighttpd at the same time. I made the type for the files samba_share_t. After that, lighttpd couldn’t access the files. I needed to make an selinux module to fix the problem. Here are the steps to create the module quickly.

First, I seeded the audit log by trying to access files from lighttpd, then I looked at the last few lines of audit.log and made a module using audit2allow.


[root@server ~]# tail -1000 /var/log/audit/audit.log |audit2allow -m lighttpd >lighttpd.te
[root@server ~]# cat lighttpd.te
 
module lighttpd 1.0;
 
require {
  type httpd_t;
  type samba_share_t;
  class dir { read getattr search };
  class file { write read getattr lock };
  class lnk_file { write read getattr lock };
}
 
#============= httpd_t ==============
allow httpd_t samba_share_t:dir {read getattr search};
allow httpd_t samba_share_t:lnk_file {read};
allow httpd_t samba_share_t:file {getattr};
[root@server ~]#

Next I compile the module with checkmodule, package it with semodule_package, and install it with semodule:
[root@server ~]# checkmodule -M -m -o lighttpd.mod lighttpd.te
checkmodule:  loading policy configuration from lighttpd.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to lighttpd.mod
[root@server ~]# semodule_package -o lighttpd.pp -m lighttpd.mod
[root@server ~]# semodule -i lighttpd.pp
If your module doesn’t fix the problem after that, the remaining denials are probably covered by dontaudit rules and never reach audit.log. Turn them off by loading the enableaudit base module, then try to access the content again and rerun audit2allow on the new denials.
[root@server ~]# semodule -b /usr/share/selinux/targeted/enableaudit.pp
After you have found all the allows you need, switch back to the default base policy with this:
[root@server ~]# semodule -b /usr/share/selinux/targeted/base.pp
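To show what audit2allow is doing in the first step, here is a small added example (not from the original post) that parses AVC denial records from audit.log and emits a .te module in the same layout as the one above. The audit lines are constructed samples; reading the generated allow rules before installing them is the point of the exercise, since every denial becomes a permanent allow.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from a real system).
# The SYSCALL record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.101:201): avc:  denied  { search } for  pid=2001 comm="lighttpd" name="share" dev=sda1 ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1300000000.102:202): avc:  denied  { read getattr } for  pid=2001 comm="lighttpd" name="share" dev=sda1 ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1300000000.103:203): avc:  denied  { getattr } for  pid=2001 comm="lighttpd" path="/srv/share/index.html" dev=sda1 ino=102 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.103:203): arch=c000003e syscall=4 success=no exit=-13 comm="lighttpd"
"""

# Pull the denied permissions, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=[^:]+:[^:]+:(?P<stype>\w+).*?"
    r"tcontext=[^:]+:[^:]+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Collect the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, CWD, PATH and other record types carry no AVC data
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def render_te(name, rules):
    """Emit a type-enforcement module: require block first, then one allow per (src, tgt, class)."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"  type {t};" for t in types]
    out += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("lighttpd", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

The output can be fed to checkmodule exactly like the audit2allow result in the post; the real tool also handles AVC records from ausearch and /var/log/messages, which this parser does not.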

One Response to “making an selinux module quickly”

  1. Benjamin Rose Says:

    On fedora/RHEL:

    To turn noaudit off: “semodule -DB”
    and then back on: “semodule -B”

    This allows you to seed audit.log more completely.
