Configuring SELinux permissions on (SYS-V) IPC Semaphores

太阳男子 2021-01-02 00:06

I have a bunch of programs which use IPC Semaphores to interact (semget).

One of the programs is an Apache module, which runs in (some sort of) restricted SELinux c

2 Answers
  • 2021-01-02 01:00

    SELinux has permission settings not just for regular files, but also for device and special files.

    http://seedit.sourceforge.net/doc/access_vectors/access_vectors.html#SECTION00044000000000000000 is what you're looking for. Give read/write/etc permissions to the "sem" object.

    Cheers

    0 Discussion (0)
  • 2021-01-02 01:10

    The basic steps to get SELinux working with the changes you need are:

    1. Enable permissive mode
    2. Capture denials
    3. Add a new policy module or modify an existing policy module
    4. Enable enforcing mode and test

    Exactly how to do these steps depends on what Linux distribution you are using; here are references for CentOS, Debian, Gentoo, RedHat and Ubuntu. You can also find SELinux information from NSA. The best documentation I found is from Gentoo: step 1, step 2, step 3, step 4.

    As @smassey noted, you most probably need to modify some IPC permission.

    0 Discussion (0)
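
Steps 2 and 3 of the answer above, as an added example (not part of the original answers or of any project's code): it pulls `tclass=sem` denials out of audit records collected in permissive mode and renders a policy module source that grants only the permissions actually observed. The audit lines are constructed; `unconfined_t` as the type of the process that owns the semaphore and the module name `httpd_sem` are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the original post). httpd_t is the usual
# Apache domain; unconfined_t for the semaphore owner is an assumption.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1609545600.101:411): avc:  denied  { unix_read unix_write } for  pid=2290 comm="httpd" key=4660  scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=1
type=AVC msg=audit(1609545600.102:412): avc:  denied  { associate } for  pid=2290 comm="httpd" key=4660  scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=1
type=AVC msg=audit(1609545600.150:413): avc:  denied  { read write } for  pid=2290 comm="httpd" key=4660  scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=1
type=AVC msg=audit(1609545601.000:414): avc:  denied  { name_connect } for  pid=2290 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def collect_denials(log_text, tclass="sem"):
    """Map (source_type, target_type) -> set of denied permissions for one class."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("tclass") == tclass:  # ignore unrelated denials
            key = (context_type(m.group("scon")), context_type(m.group("tcon")))
            rules[key].update(m.group("perms").split())
    return dict(rules)

def render_module(name, rules, tclass="sem"):
    """Render a .te source that allows only the permissions seen in the log."""
    types = sorted({t for pair in rules for t in pair})
    perms = sorted({p for ps in rules.values() for p in ps})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {tclass} {{ {' '.join(perms)} }};", "}", ""]
    for (src, tgt), ps in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("httpd_sem", collect_denials(SAMPLE_AUDIT_LOG)))
```

Review the generated rule before loading it, since it opens every semaphore owned by the target type to the Apache domain; on a real system `audit2allow -M` does the same extraction, and a hand-written `.te` file is built and loaded with `checkmodule`, `semodule_package` and `semodule -i`.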