Aleksey Tsalolikhin
2011-Jun-02 23:47 UTC
[CentOS] How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy:

#============= httpd_t ==============
allow httpd_t unconfined_t:shm { unix_read unix_write };

which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy.

To simplify configuration management, I would prefer to make this setting using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...

How do I request one? (And whom do I ask?)

Thanks,
-at
Daniel J Walsh
2011-Jun-03 18:41 UTC
[CentOS] How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
On 06/02/2011 07:47 PM, Aleksey Tsalolikhin wrote:
> Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
> and audit.log / audit2allow tell me I need to add the local policy:
>
> #============= httpd_t ==============
> allow httpd_t unconfined_t:shm { unix_read unix_write };
>
> which I think will allow the httpd access to read and write from shared memory?
> Is that right? What are the risks involved in opening this? I notice it is
> denied by the default policy.
>
> To simplify configuration management, I would prefer to make this setting
> using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
>
> How do I request one? (And whom do I ask?)
>
> Thanks,
> -at

Not sure what OTRS is, but it looks like you are running it as a user (unconfined_t)? Does this usually run as a service started at boot time? Allowing this would just mean apache is able to read/write logged-in users' shared memory.
Patrick Lists
2011-Jun-03 19:05 UTC
[CentOS] How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
Hi Aleksey,

On 06/03/2011 01:47 AM, Aleksey Tsalolikhin wrote:
> Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
> and audit.log / audit2allow tell me I need to add the local policy:
>
> #============= httpd_t ==============
> allow httpd_t unconfined_t:shm { unix_read unix_write };
>
> which I think will allow the httpd access to read and write from shared memory?
> Is that right? What are the risks involved in opening this? I notice it is
> denied by the default policy.
>
> To simplify configuration management, I would prefer to make this setting
> using /usr/sbin/setsebool, but I don't see an sebool that deals with shm...
>
> How do I request one? (And whom do I ask?)

Since nobody has come up with a policy for eons I guess there is little incentive to provide one. When you go through the OTRS website it basically only says "turn off selinux" (which imho is pretty silly). There was one person that tried to create a policy: http://lists.otrs.org/pipermail/dev/2005-September/001109.html

The #selinux channel on irc.freenode.net has always been helpful and patient even with my n00b questions. If you have all the info from the audit log then I would venture in there, put the audit log on a pastebin and ask how to proceed next.

If you create a proper policy I would appreciate it if you could keep this list updated. From what I have read OTRS seems a nice solution but not when I have to turn off selinux.

Regards,
Patrick
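An added example, not from the thread or from OTRS: since no boolean covers httpd_t access to unconfined_t shm, the usual route is a small local policy module carrying exactly the rule audit2allow printed. The module name otrs_shm, the working directory and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): package the audit2allow rule from the
# question as a local SELinux policy module. Module name "otrs_shm" is assumed.
set -eu

MODULE=otrs_shm

# Write the module source (.te). The require block declares the types and the
# object class the rule refers to; the allow rule is exactly the one
# audit2allow printed: read/write on shared memory owned by unconfined_t,
# nothing broader (no extra classes, no other permissions).
write_te() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
module otrs_shm 1.0;

require {
    type httpd_t;
    type unconfined_t;
    class shm { unix_read unix_write };
}

#============= httpd_t ==============
allow httpd_t unconfined_t:shm { unix_read unix_write };
EOF
    echo "$dir/$MODULE.te"
}

# Compile, package and load the module (needs policycoreutils and root;
# -M builds with MLS/MCS support, which the targeted policy uses).
build_and_load() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te"
    semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod"
    semodule -i "$dir/$MODULE.pp"
    semodule -l | grep "^$MODULE"   # confirm the module is now installed
}

# Review step that needs no SELinux tools: confirm the source grants only the
# single shm rule, so the module can be checked into config management as-is.
te_is_minimal() {
    te=$1
    grep -q '^allow httpd_t unconfined_t:shm { unix_read unix_write };$' "$te" \
        && [ "$(grep -c '^allow ' "$te")" -eq 1 ]
}
```

Running `audit2allow -M otrs_shm < /var/log/audit/audit.log` produces the same .te and .pp in one step; writing the .te by hand, as above, lets you review the rule before `semodule -i` loads it.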