The steps I have taken so far:
Enabled SELinux (Enforcing)
Created a file for the custom SELinux policy
sudo vi /root/httpd_no_setuid.te
Added the following content:
Code:
module httpd_no_setuid 1.0;
require {
    type httpd_t;
    type setuid_exec_t;
    type setgid_exec_t;
    class file { execute execute_no_trans };
}
# Assert that httpd_t is never allowed to execute setuid or setgid files.
# neverallow is checked when the policy is built/linked (the load fails if any
# loaded rule would grant this access); it is not a runtime deny on its own.
neverallow httpd_t setuid_exec_t:file execute_no_trans;
neverallow httpd_t setgid_exec_t:file execute_no_trans;
After saving the file, I attempt to compile and install the SELinux policy module by running:
sudo checkmodule -M -m -o /root/httpd_no_setuid.mod /root/httpd_no_setuid.te
sudo semodule_package -o /root/httpd_no_setuid.pp -m /root/httpd_no_setuid.mod
sudo semodule -i /root/httpd_no_setuid.pp
The first two commands return with no error, but the third returns:
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/httpd_no_setuid/cil:2
Failed to resolve AST
semodule: Failed!
I have not been able to figure out the reason behind this error. Any advice?
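One way to narrow this kind of failure down, as an added example that is not part of the original post: when semodule installs a .pp module it first converts it to CIL, and that converter emits a `(typeattributeset cil_gen_require T)` statement for every `type T;` listed in the module's `require { ... }` block. A "Failed to resolve typeattributeset statement" at a low CIL line number is therefore the usual symptom of a required type that the loaded policy does not define. The script below parses the require block of a .te file and, on a live SELinux host, checks each type against the loaded policy with `seinfo -t` from setools before running the same checkmodule/semodule_package/semodule pipeline. The `seinfo` command and its output layout, and the sample .te file (a copy of the policy from the post), are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. Verify that every type named in a
# module's `require { ... }` block exists in the loaded policy before
# `semodule -i`. The pp-to-CIL converter emits `(typeattributeset
# cil_gen_require T)` for each required type T, so "Failed to resolve
# typeattributeset statement ... cil:N" near the top of the CIL is typical of a
# required type the policy does not define. Assumes the setools `seinfo`
# command is available for the live check.

# Print the type names declared in the require block of a .te file, one per
# line. Handles both `type a_t;` and `type a_t, b_t;` forms.
require_types() {
    awk '
        /^[[:space:]]*require[[:space:]]*[{]/ { inreq = 1; next }
        inreq && /^[[:space:]]*}/              { inreq = 0 }
        inreq && /^[[:space:]]*type[[:space:]]/ {
            sub(/^[[:space:]]*type[[:space:]]+/, "")
            n = split($0, parts, /[[:space:],;]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1"
}

# Return 0 when every required type is defined in the running policy, 1
# otherwise, naming the missing ones on stderr. Needs a live SELinux system
# with setools installed (assumed `seinfo -t TYPE` prints the type name on its
# own line when it exists), so the offline self-check below skips it.
check_required_types() {
    missing=0
    for t in $(require_types "$1"); do
        if seinfo -t "$t" 2>/dev/null | grep -qE "^[[:space:]]*${t}[[:space:]]*$"; then
            :
        else
            echo "required type not in loaded policy: $t" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Compile, package and install a module only after the require check passes.
build_and_install() {
    te="$1"
    base="${te%.te}"
    check_required_types "$te" || return 1
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Constructed sample: the policy from the post, written to a temp file so the
# parser can be exercised without SELinux tooling.
SAMPLE_TE=$(mktemp)
cat > "$SAMPLE_TE" <<'EOF'
module httpd_no_setuid 1.0;
require {
    type httpd_t;
    type setuid_exec_t;
    type setgid_exec_t;
    class file { execute execute_no_trans };
}
neverallow httpd_t setuid_exec_t:file execute_no_trans;
neverallow httpd_t setgid_exec_t:file execute_no_trans;
EOF

echo "types this module requires:"
require_types "$SAMPLE_TE"

# The live check only runs where seinfo exists (i.e. on the SELinux host).
if command -v seinfo >/dev/null 2>&1; then
    check_required_types "$SAMPLE_TE" && echo "all required types are defined"
fi
```

On the affected host, run `check_required_types /root/httpd_no_setuid.te` first; any type it reports as missing is the one the CIL resolver is tripping over, and the fix is to require only types the loaded policy actually defines (or to install the module that defines them) before rebuilding with `build_and_install`.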