squirrelmail + vacation_local SUID + selinux doesn't work
Ing. Zdenek Havranek, HAF
linux at sea-cv.cz
Thursday November 9 08:41:09 CET 2006
Hello.
I have chewed my way through some SELinux FAQs for Fedora Core 5 and still can't get it running.
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };
So far I have tried:
cd /usr/share/selinux/devel
audit2allow -m local -l -i /var/log/messages > local2.te
> module local 1.0;
> require {
> class file { execute execute_no_trans read };
> type httpd_sys_script_t;
> type httpd_t;
> type shadow_t;
> type usr_t;
> role system_r;
> };
> allow httpd_sys_script_t httpd_t:file read;
> allow httpd_sys_script_t shadow_t:file read;
> allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
checkmodule -M -m -o local2.mod local2.te
> checkmodule: loading policy configuration from local2.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to local2.mod
semodule_package -o local2.pp -m local2.mod
semodule -i local2.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t shadow_t:file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
In squirrelmail_vacation_proxy.c this is what gets blocked:
if ((spw = getspnam(puid)) == NULL)
{
    printf("Invalid user\n ");
    exit(1);
}
package: squirrelmail-1.4.8-1.fc5
plugin: Vacation Local http://www.squirrelmail.org/plugin_view.php?id=51
I would much rather use SUID than FTP.
--
Regards,
Ing. Zdeněk Havránek, HAF mailto:havranek at sea-cv.cz
Head of the Automation Department ICQ: 120061364
SEA - Chomutov, s.r.o.
All activities in the fields of mechanical engineering, electrical engineering and automation
mailto:sea at sea-cv.cz, http://www.sea-cv.cz/
Tel/fax: +420-474624048, +420-474625108, Mobile: +420-777717303
Vikové-Kunětické 1935, 430 01 Chomutov, Czech Republic, VAT ID: CZ25048627
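As an added example (not part of the original post, and not SquirrelMail's or the plugin's code): a small Python lint that parses audit2allow-style allow rules and refuses a module that grants a web-facing domain access to shadow_t, which is exactly the rule the base policy's assertion rejected in the semodule output above. The sample module text and the type names in SENSITIVE_TYPES and WEB_DOMAINS are constructed here from the post.

```python
import re

# Constructed fragment mirroring the audit2allow output in the post
# (not the poster's real local2.te).
SAMPLE_TE = """\
module local 1.0;
require {
    class file { execute execute_no_trans read };
    type httpd_sys_script_t;
    type httpd_t;
    type shadow_t;
    type usr_t;
    role system_r;
};
allow httpd_sys_script_t httpd_t:file read;
allow httpd_sys_script_t shadow_t:file read;
allow httpd_sys_script_t usr_t:file { execute execute_no_trans };
"""

# Types no web-facing domain should be granted; shadow_t is the one the
# base policy's neverallow assertion rejected when loading the module.
SENSITIVE_TYPES = {"shadow_t"}
WEB_DOMAINS = {"httpd_t", "httpd_sys_script_t"}

# allow <source> <target>:<class> <perm>;  or  { perm perm ... };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?));\s*$"
)


def parse_allow_rules(te_text):
    """Return (source, target, class, perms) for each allow rule."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = tuple(braced.split()) if braced is not None else (single,)
        rules.append((src, tgt, cls, perms))
    return rules


def find_risky_rules(te_text):
    """Flag allow rules that give a web domain access to a sensitive type."""
    return [r for r in parse_allow_rules(te_text)
            if r[0] in WEB_DOMAINS and r[1] in SENSITIVE_TYPES]


if __name__ == "__main__":
    for src, tgt, cls, perms in find_risky_rules(SAMPLE_TE):
        print(f"refuse to load: allow {src} {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Run it over a generated .te before checkmodule; a non-empty result means the module would either be rejected by the policy assertions or, worse, weaken the separation between the web server and /etc/shadow.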