weblog d’un abbe

20070223

My first SEAchievement

Filed under: Hacking — abbe @ 1249

In Gwalior, I’d installed an eGroupware instance on a Fedora Core 6 box. In the Felamimail module of eGroupware, I got this error: Can't connect to mail.server,143: Permission denied. I checked the IMAP server and found it was running. Then I checked my iptables rules, and those were also fine. So after this I checked my /var/log/audit/audit.log and found the following AVC denial message:

type=AVC msg=audit(1172212945.073:194): avc:  denied  { name_connect } for pid=3772 comm="httpd" dest=143
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket

On passing this message through the audit2allow tool, I got the following allow rule:

allow httpd_t pop_port_t:tcp_socket name_connect;
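As an added example (not the post's code, and not audit2allow itself), here is what audit2allow does mechanically with a denial like the one above: parse the AVC record, including one wrapped over two lines as shown in this post, take the type field of scontext and tcontext, and emit one allow rule per source/target/class triple with the permissions merged. The sample log is constructed; it reuses the post's denial (with the target field spelled tcontext=, as auditd writes it) and adds two made-up smtp_port_t denials so the merge step has work to do.

```python
import re
from collections import defaultdict

# Constructed sample log, not the post's box: the post's denial as it appeared
# (wrapped over two lines, with the target field spelled tcontext= as auditd
# writes it) plus two constructed denials against smtp_port_t for the merge step.
AUDIT_LOG = """\
type=AVC msg=audit(1172212945.073:194): avc:  denied  { name_connect } for pid=3772 comm="httpd" dest=143
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1172212960.020:196): avc:  denied  { name_connect } for pid=3774 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1172212960.021:197): avc:  denied  { send_msg } for pid=3774 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
"""

PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_records(text):
    """Re-join records that a terminal or blog wrapped onto a following line."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return (source type, target type, class, {perms}); None for non-denials."""
    perms = PERMS_RE.search(record)
    f = dict(FIELD_RE.findall(record))
    if not perms or not {"scontext", "tcontext", "tclass"} <= set(f):
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
            f["tclass"], set(perms.group(1).split()))

def allow_rules(text):
    """One allow rule per (source, target, class) triple, perms merged."""
    wanted = defaultdict(set)
    for parsed in filter(None, map(parse_avc, join_records(text))):
        wanted[parsed[:3]] |= parsed[3]
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules
```

The output is only a starting point: as with audit2allow, each rule should be read before it goes into policy, because it grants exactly the access that was denied, whether or not that access was legitimate.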

So, now to add this rule to the SELinux policy, I downloaded the selinux-policy SRPM and installed it in ~/rpmbuild. Then I modified ~/rpmbuild/BUILD/serefpolicy-*/policy/modules/services/apache.te to contain my allow rules, and since I added a boolean, I also had to add an entry in ~/rpmbuild/BUILD/serefpolicy-*/policy/global_tunables. After making the changes, I generated a diff of them and placed it in ~/rpmbuild/SOURCES. And since the sources have to be modified at the time of building the new RPM, I also had to modify my .spec file so that it applies the diff I placed in SOURCES while preparing the sources. So following is the diff which needs to be applied to ~/rpmbuild/SPECS/selinux-policy.spec to generate the new .spec.

--- selinux-policy.spec.old     2007-02-16 22:48:14.000000000 +0530
+++ selinux-policy.spec 2007-02-22 22:53:56.000000000 +0530
@@ -17,11 +17,12 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.6
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-20061106.patch
+patch0: policy-20061106.patch
+patch1: policy-20070222.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
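Review bot: the Release bump from 40 to 41 in this hunk has no matching %changelog entry anywhere in the patch; add one that names policy-20070222.patch and the allow rule it carries, so the rebuilt RPM records why it differs from 2.4.6-40. Renaming `patch:` to `patch0:` is consistent with the `%patch0` change in the %prep hunk, and the new `patch1:` line must stay ordered after `patch0:`, since the 20070222 diff was taken from the BUILD tree that already had policy-20061106.patch applied.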
@@ -166,7 +167,8 @@

 %prep
 %setup -q -n serefpolicy-%{version}
-%patch -p1
+%patch0 -p1
+%patch1 -p1

 %install
 # Build targeted policy
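Review bot: `%patch1 -p1` correctly follows `%patch0 -p1` here; the new patch was generated against a BUILD tree already carrying policy-20061106.patch, so applying the two in the other order may not apply cleanly to apache.te. Consider `%patch1 -p1 -b .egroupware` so the pristine apache.te and global_tunables are kept beside the patched copies for later comparison.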

The file policy-20070222.patch (md5sum: b43fd29ca9d290fdfcb7d045363195d7) needs to be placed in ~/rpmbuild/SOURCES. I’ve used selinux-policy-2.4.6-40.fc6.src.rpm as the reference policy. Anyways, happy SELinuxing :)


1 Comment »

  1. […] SELinux AVC denials due to eGroupware’s phpsysinfo module. So this means I need to revise my previously created SELinux policy for httpd for eGroupware. So I downloaded current selinux-policy SRPM using yumdownloader (yumdownloader -e updates-source […]

    Pingback by Hacking first SELinux policy module « _(o)-(o)_/ — 20070505 @ 2148

