Re: About audit2allow generated rules

[Russell Coker <russell@coker.com.au>]

On Thu, 26 Apr 2012, Min Wang <ser.basis@gmail.com> wrote:
>       I have something in /var/log/audit/audit.log like:
> 
> avc:  denied  { write } for  pid=23739 comm="httpd" name="renderd.sock"
>    dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0
>    tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
> 
> 
> use audit2allow it generates something like this:
> 
> allow httpd_t var_run_t:sock_file write;
> 
> 
> Is the rule too liberal? that means httpd_t can write any var_run_t 's
> sock_file?
> Or I miss-understand something?

Ideally there should be no sock_file objects with type var_run_t, every Unix 
domain socket should have a type which is derived from the domain of the 
process which creates it.  So having one such socket is an indication of your 
configuration not being ideal.  If you only have one daemon with policy that 
allows such sockets then it's probably not a big deal to grant access to 
httpd_t.

Think of var_run_t being similar to the nobody UID in this case.  Having 
exactly one daemon running as nobody theoretically isn't a security problem, 
but having two daemons running with that UID probably is.  The problem is that 
people tend not to stop at one, if they have one daemon running in that manner 
then they may end up with two (through a repeat of the same choices) - so it's 
best to stick with zero!

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/