Lengyel, Florian | 1 Feb 2006 12:20

RE: Re: SELinux/web2c LaTeX permissions issues in WikiTeX<amsmath> (Peter Danenberg)


-----Original Message-----
From: wikitex-l-bounces@... on behalf of Peter Danenberg
Sent: Wed 2/1/2006 3:29 AM
To: WikiTeX General
Subject: Re: [Wikitex-l] Re: SELinux/web2c LaTeX permissions issues in WikiTeX<amsmath> (Peter Danenberg)

> The seemingly inconsistent behavior is that changes that one would
> think should take immediate effect don't.

     Did  you  restart,  by  the way, Florian, after setting
SELINUX=disabled in /etc/selinux/config?

Only a restart of httpd. But I have another server that I could
use for this purpose.

     I've read that  SELINUX=disabled  doesn't  take  effect
immediately,  and that the best way to disable SELinux is to
pass selinux=0 as a kernel parameter for that session.

Ok, thank you. I should find the reference for this. After
a few iterations I suspected this might be happening...

     It would be helpful to ascertain if we're dealing  with
residue SELinux interactions here, or local issues.

Best, Peter

I'll try this and get back to the list.
Florian

Peter Danenberg | 1 Feb 2006 11:50

Re: Re: SELinux/web2c LaTeX permissions issues in WikiTeX<amsmath> (Peter Danenberg)

> Ok, thank you. I should find the reference for this. After
> a few iterations I suspected this might be happening...

     The  following  describes some additional steps you can
take to disable SELinux without rebooting:

     http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0068.html

Best, Peter

Lengyel, Florian | 1 Feb 2006 15:46

RE: Re: SELinux/web2c LaTeX permissions issues in WikiTeX<amsmath> (Peter Danenberg)


What I'd like to do, additionally, is add to the local policy to allow WikiTeX under SELinux.
Some WikiTeX users might be interested (Michael Carlisle and myself, for example).

SELinux is mediating between apache and tetex:

Jan 24 18:44:35 cml kernel: audit(1138146275.817:0): avc:  denied  { getattr } for  pid=17200 exe=/usr/bin/tex path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.828:0): avc:  denied  { read }for  pid=17200 exe=/usr/bin/tex name=latex.fmt dev=sda3 ino=2697739 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:35 cml kernel: audit(1138146275.828:0): avc:  denied  { read }for  pid=17200 exe=/usr/bin/tex name=latex.fmt dev=sda3 ino=2697739 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:35 cml kernel: audit(1138146275.843:0): avc:  denied  { getattr } for  pid=17207 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.857:0): avc:  denied  { getattr } for  pid=17209 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.871:0): avc:  denied  { getattr } for  pid=17210 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.886:0): avc:  denied  { getattr } for  pid=17211 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.901:0): avc:  denied  { getattr } for  pid=17212 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.916:0): avc:  denied  { getattr } for  pid=17213 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.932:0): avc:  denied  { getattr } for  pid=17214 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.947:0): avc:  denied  { getattr } for  pid=17215 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.962:0): avc:  denied  { getattr } for  pid=17216 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.978:0): avc:  denied  { getattr } for  pid=17217 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.992:0): avc:  denied  { getattr } for  pid=17218 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:36 cml kernel: audit(1138146276.007:0): avc:  denied  { getattr } for  pid=17219 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:36 cml kernel: audit(1138146276.027:0): avc:  denied  { getattr } for  pid=17226 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:36 cml kernel: audit(1138146276.045:0): avc:  denied  { getattr } for  pid=17230 exe=/usr/bin/tex path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:36 cml kernel: audit(1138146276.147:0): avc:  denied  { getattr } for  pid=17233 exe=/bin/mv path=/usr/share/texmf/web2c/latex.log dev=sda3 ino=2697772 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml kernel: audit(1138146276.147:0): avc:  denied  { getattr } for  pid=17233 exe=/bin/mv path=/usr/share/texmf/web2c/latex.log dev=sda3 ino=2697772 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml kernel: audit(1138146276.150:0): avc:  denied  { getattr } for  pid=17235 exe=/bin/mv path=/usr/share/texmf/web2c/latex.fmt dev=sda3 ino=2697739 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml kernel: audit(1138146276.150:0): avc:  denied  { getattr } for  pid=17235 exe=/bin/mv path=/usr/share/texmf/web2c/latex.fmt dev=sda3 ino=2697739 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml kernel: audit(1138146276.156:0): avc:  denied  { getattr } for  pid=17236 exe=/bin/bash path=/usr/share/texmf/web2c/latex.fmt dev=sda3 ino=2697739 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml kernel: audit(1138146276.158:0): avc:  denied  { getattr } for  pid=17201 exe=/bin/bash path=/usr/share/texmf/web2c/tex.fmt dev=sda3 ino=2697735 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml kernel: audit(1138146276.158:0): avc:  denied  { getattr } for  pid=17201 exe=/bin/bash path=/usr/share/texmf/web2c/mf.base dev=sda3 ino=2697296 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml last message repeated 2 times
Jan 24 18:44:36 cml kernel: audit(1138146276.158:0): avc:  denied  { getattr } for  pid=17201 exe=/bin/bash path=/usr/share/texmf/web2c/mpost.mem dev=sda3 ino=2697717 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file

audit2allow suggests adding two rules to the security profile, the second of which would
violate the principle of least privilege:

allow httpd_sys_script_t tetex_data_t:dir getattr;
allow httpd_sys_script_t tmp_t:file { getattr read };

It would be worth modifying the local security policy for WikiTeX.

Florian


_______________________________________________
Wikitex-l mailing list
Wikitex-l@...
http://lists.wikitex.org/listinfo/wikitex-l
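A small audit2allow-style aggregator over the denials Florian posted, as an added example that is not part of the thread or of WikiTeX: it collapses the AVC lines into the same two allow rules he quotes, but also records which objects each rule was derived from, so that a rule aimed at a catch-all type such as tmp_t can be seen to cover only a few format files that could be relabelled instead of granting the web-script domain access to everything labelled tmp_t. The BROAD_TARGET_TYPES set is an assumption, and the sample log is constructed from four of the denials in the post.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC denials quoted in the thread (one keeps the posted "{ read }for" spacing) plus a syslog "repeated" line.
SAMPLE_LOG = """\
Jan 24 18:44:35 cml kernel: audit(1138146275.817:0): avc:  denied  { getattr } for  pid=17200 exe=/usr/bin/tex path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:35 cml kernel: audit(1138146275.828:0): avc:  denied  { read }for  pid=17200 exe=/usr/bin/tex name=latex.fmt dev=sda3 ino=2697739 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:35 cml kernel: audit(1138146275.843:0): avc:  denied  { getattr } for  pid=17207 exe=/usr/bin/kpsewhich path=/var/lib/texmf dev=sda7 ino=65826 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tetex_data_t tclass=dir
Jan 24 18:44:36 cml kernel: audit(1138146276.147:0): avc:  denied  { getattr } for  pid=17233 exe=/bin/mv path=/usr/share/texmf/web2c/latex.log dev=sda3 ino=2697772 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
Jan 24 18:44:36 cml last message repeated 2 times
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s*for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Assumed catch-all types: an allow on one of these reaches every object carrying that label (tmp_t is all of /tmp), not only the files actually touched.
BROAD_TARGET_TYPES = {"tmp_t", "var_t", "usr_t", "file_t", "default_t", "unlabeled_t"}


def parse_denials(log_text):
    """Group denials by (source type, target type, class) as audit2allow does, but
    also keep each denied object's path/name so the resulting rule can be judged."""
    rules = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # e.g. "last message repeated N times": no context to extract
            continue
        f = dict(KV_RE.findall(m.group(2)))
        # a context is user:role:type[:range]; the type is what allow rules name
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        rules[key]["perms"].update(m.group(1).split())
        obj = f.get("path") or f.get("name")
        if obj:
            rules[key]["objects"].add(obj)
    return dict(rules)


def allow_rules(rules):
    """Render grouped denials as allow statements (braces only for several perms)."""
    out = []
    for (stype, ttype, tclass), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return out


def broad_rules(rules):
    """(target type, objects seen) for each rule aimed at a catch-all type; those
    objects are candidates for relabelling instead of widening the script domain."""
    return [(ttype, sorted(info["objects"]))
            for (_, ttype, _), info in sorted(rules.items())
            if ttype in BROAD_TARGET_TYPES]
```

Run on the full log from the post, the output of broad_rules shows that the tmp_t rule exists only because files under /usr/share/texmf/web2c carry a tmp_t label.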
