On Thu, 26 Apr 2012, Min Wang <ser.basis@gmail.com> wrote:
I have something in /var/log/audit/audit.log like:
avc: denied { write } for pid=23739 comm="httpd" name="renderd.sock"
dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
Using audit2allow, it generates something like this:
allow httpd_t var_run_t:sock_file write;
Is the rule too liberal? That means httpd_t can write any var_run_t's
sock_file?
Or do I misunderstand something?
Ideally there should be no sock_file objects with type var_run_t; every Unix
domain socket should have a type which is derived from the domain of the
process which creates it. So having one such socket is an indication of your
configuration not being ideal. If you only have one daemon with policy that
allows such sockets then it's probably not a big deal to grant access to
httpd_t.
Think of var_run_t as being similar to the nobody UID in this case. Having
exactly one daemon running as nobody theoretically isn't a security problem,
but having two daemons running with that UID probably is. The problem is that
people tend not to stop at one, if they have one daemon running in that manner
then they may end up with two (through a repeat of the same choices) - so it's
best to stick with zero!
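A worked check for the point made in this exchange, added here as an example and not code from either poster: it parses AVC denials like the one Min Wang quoted, prints the blanket rule audit2allow would generate for each (domain, target type, class), flags the ones whose target type is a shared type such as var_run_t (where the rule reaches every object of that type), and emits the narrower alternative the reply argues for: a dedicated type for the socket, in refpolicy module syntax, plus a file-context entry. The log lines are constructed; the type name renderd_var_run_t and the path /var/run/renderd.sock are assumptions, since the denial only shows the basename.

```python
import re
from collections import OrderedDict

# Object types shared by many unrelated files. An allow rule against one of these
# reaches every object carrying the type, not just the one named in the denial.
# Constructed list for this demo; add whatever generic types your policy uses.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, not real log data. Line 1 is the denial from the thread joined
# onto one line; line 2 is a denial against a daemon-specific type; line 3 is not an
# AVC record at all and must be skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1335453000.123:456): avc:  denied  { write } for  pid=23739 '
    'comm="httpd" name="renderd.sock" dev=dm-0 ino=1183752 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1335453001.456:457): avc:  denied  { write } for  pid=23740 '
    'comm="httpd" name="mysql.sock" dev=dm-0 ino=1183760 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1335453000.123:456): arch=c000003e syscall=42 success=no exit=-13',
]


def _type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def _fmt_perms(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def parse_avc(line):
    """Return the parts of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "sdomain": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "name": fields.get("name"),
        "comm": fields.get("comm"),
    }


def broad_rule(d):
    """The rule audit2allow emits: every object of the target type, all denied perms."""
    return "allow %s %s:%s %s;" % (d["sdomain"], d["ttype"], d["tclass"], _fmt_perms(d["perms"]))


def is_too_liberal(d):
    """True when the blanket rule would reach far beyond the single denied object."""
    return d["ttype"] in GENERIC_TYPES


def narrow_policy(d, new_type, path):
    """Alternative to the blanket rule: a dedicated type for the one object.
    Returns (te_source, fc_line). new_type and path are chosen by the caller
    (hypothetical values in the demo); the denial alone does not give the full path."""
    module = new_type[:-2] if new_type.endswith("_t") else new_type
    te = "\n".join([
        "policy_module(%s, 1.0)" % module,
        "",
        "require {",
        "    type %s;" % d["sdomain"],
        "}",
        "",
        "type %s;" % new_type,
        "files_pid_file(%s)" % new_type,  # refpolicy interface: a /var/run (pid dir) object type
        "",
        "allow %s %s:%s %s;" % (d["sdomain"], new_type, d["tclass"], _fmt_perms(d["perms"])),
    ])
    # .fc entry: the '-s' specifier restricts the match to socket files.
    fc = "%s\t-s\tgen_context(system_u:object_r:%s,s0)" % (path.replace(".", "\\."), new_type)
    return te, fc


def assess(log_lines):
    """Group denials the way audit2allow does and report each blanket rule."""
    groups = OrderedDict()
    for line in log_lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups.setdefault((d["sdomain"], d["ttype"], d["tclass"]), {"perms": [], "objects": set()})
        for p in d["perms"]:
            if p not in g["perms"]:
                g["perms"].append(p)
        g["objects"].add(d["name"])
    findings = []
    for (sdomain, ttype, tclass), g in groups.items():
        d = {"sdomain": sdomain, "ttype": ttype, "tclass": tclass, "perms": g["perms"]}
        findings.append({"rule": broad_rule(d), "objects": sorted(g["objects"]),
                         "too_liberal": is_too_liberal(d)})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_LOG):
        print(("TOO BROAD  " if f["too_liberal"] else "ok         ") + f["rule"], "<-", f["objects"])
    te, fc = narrow_policy(parse_avc(SAMPLE_LOG[0]), "renderd_var_run_t", "/var/run/renderd.sock")
    print("\n" + te + "\n\n" + fc)
```

Two caveats a practitioner will hit with the narrow version. The .fc entry only fixes the label of a socket that already exists on disk (after restorecon); for the daemon to create the socket with the new type on every start, its own domain needs a type transition for that object, and the denial above does not identify the daemon's domain, so that rule is left out. Separately, connecting to a Unix stream socket needs connectto on the peer domain's unix_stream_socket in addition to write on the sock_file; if that is missing it shows up as a second denial once the first is resolved.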