Agenda announced for Inaugural SELinux Symposium
by Frank Mayer
The speakers and agenda for the inaugural SELinux Symposium have been announced,
and early registration is now open. See www.selinux-symposium.org. We received
a lot of good proposals on a variety of related topics. It looks good. Thanks
to all the reviewers for your help in vetting the agenda.
Frank
19 years, 5 months
HTTP (php) can't connect to local postgresql
by Gorosito Ricardo
First of all: I'm using targeted policy and
When my web application (using php) try to connect to postgresql
database I get:
Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: 8���|
Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"? in /var/www/html/encuesta/index.php on line 7
In dmesg I see:
audit(1100638278.903:0): avc: denied { connectto } for pid=2481 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socke
and ls -laZ /tmp/s.PGSQL.5432 shows:
srwxrwxrwx postgres postgres user_u:object_r:tmp_t /tmp/.s.PGSQL.5432
What can I do?
What if I append the line "can_unix_connect(httpd_php_t, unconfined_t)" to
/etc/selinux/targeted/src/policy/domains/program/apache.te? (What if I
don't want httpd to be able to connect to other sockets?)
Thanks in advance, and excuse my English.
Ricardo.-
19 years, 5 months
Where is fixfiles.cron?
by Yuichi Nakamura
We found that in FedoraCore3 fixfiles.cron is removed after yum update.
It seems that there is no fixfiles.cron in the latest policycoreutils.
Why is it removed?
I think fixfiles.cron is necessary to maintain security.
---
Yuichi Nakamura
Japan SELinux Users Group (JSELUG)
http://www.selinux.gr.jp/
19 years, 5 months
PHP cannot connect to mysql server
by dragoran
I am running FC3 with SELinux on targeted policy. When PHP tries to
connect to the mysql server I get these messages in dmesg:
sbin/httpd name=mysql.sock dev=hda3 ino=309535 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Disabling SELinux for Apache fixes this, but I want to run httpd with SELinux.
So how can I fix this?
19 years, 5 months
Non-root listening at port < 1024
by Troels Arvin
Hello,
I'm new to selinux, and I haven't read all documentation yet.
Still, can't help asking:
Does selinux make it possible to run a non-root program and let that
program bind to a port < 1024? (Something which I've long missed in Linux.)
--
Greetings from Troels Arvin, Copenhagen, Denmark
19 years, 5 months
Problem upgrading FC2 -> FC3
by Jouni Viikari
Hi,
I upgraded my FC2 system (which did not have selinux enabled) to FC3.
After the upgrade selinux was not enabled.
First I tried to enable it by using system-config-securitylevel. On
boot I got plenty of error messages on console (nothing showed up in the
system logs). I immediately rebooted again with selinux disabled.
Next I installed the selinux-policy-targeted-sources package and did:
cd /etc/selinux/targeted/src/policy
make
make relabel
Now when I reboot things look quite OK except:
1) Contrary to http://fedora.redhat.com/docs/selinux-faq-fc3/ pages:
id -Z shows:
root:system_r:unconfined_t
(not root:sysadm_r:sysadm_t)
(After su -)
I tried only to remove and reinstall pam package (system-auth was
changed but there was no system-auth.rpmnew).
This had no influence.
2) ISDN does not start correctly on boot:
First problem was that even without selinux the test in isdn rc-script
failed on:
isdnctrl list all >/dev/null 2>&1
if [ $? = 0 ] ; then
(prints Can't open /dev/isdnctrl or /dev/isdn/isdnctrl: No such file or
directory)
I guess this is a udev-related problem?
However disabling this test it works without selinux. With selinux I
get on boot:
kernel: audit(1100423485.839:0): avc: denied { create } for pid=2610 exe=/sbin/MAKEDEV name=isdnctrl scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:tty_device_t tclass=lnk_file
'mgetty ttyI':s do open but do not work.
After boot "service isdn start" works even with selinux (I need to make
it work in boot) and devices operate properly.
3) Now if I try to start "system-config-securitylevel" *with selinux
enabled* I just get:
Traceback (most recent call last):
  File "/usr/share/system-config-securitylevel/system-config-securitylevel.py", line 18, in ?
    app.stand_alone()
  File "/usr/share/system-config-securitylevel/securitylevel.py", line 427, in stand_alone
    self.selinuxPage = selinuxPage.selinuxPage()
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 329, in __init__
    self.refreshTunables(self.initialtype)
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 427, in refreshTunables
    self.loadBooleans()
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 418, in loadBooleans
    on=rec[3]=="1"
IndexError: list index out of range
Never have I seen there a way to make httpd work without selinux. When
running the box with selinux disabled I see only named (rndc option) and
get... option on screen.
4) Most of my web pages do not work (most of these are PHP based
pages):
Nov 14 11:20:53 srv kernel: audit(1100424053.389:0): avc: denied { execute } for pid=4416 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc: denied { getattr } for pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc: denied { getattr } for pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:53 srv kernel: audit(1100424113.003:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:54 srv kernel: audit(1100424114.004:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc: denied { read } for pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Nov 14 11:22:09 srv kernel: audit(1100424129.741:0): avc: denied { read } for pid=4422 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Nov 14 11:22:13 srv kernel: audit(1100424133.029:0): avc: denied { execute } for pid=4423 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
I wonder how I could make these work without opening up selinux too much?
What is the best way to upgrade selinux to the same state it would be in
after a fresh install of FC3 (reinstalling my server is unfortunately not
an option)? This would also be good material for the FAQ pages.
Tia,
Jouni
19 years, 5 months
Making content readable by httpd
by Ian Pilcher
I am trying to get Netjuke (http://www.netjuke.org/) working on FC3 with
SELinux enabled. Netjuke is a PHP-based "jukebox" application, and I
use it to stream Ogg Vorbis music files around my house. The music
files live on several separate reiserfs filesystems, which have no
security contexts at all. (These filesystems are mounted under /mnt and
symlinked into the /var/www/html tree, if it makes any difference.)
I've read through the FC3 SELinux FAQ and the man pages for setfiles,
fixfiles, and restorecon, and I've even tried playing with the options
that look nondestructive, but none of the tools find anything wrong with
the current setup. What do I need to do to make these files readable
by the httpd server?
Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
19 years, 5 months
SELinux, httpd and TWiki in FC3
by Jared W. Robinson
Here are my notes on getting Apache & TWiki to run under SELinux. Basically, I think most people will want to turn SELinux off for Apache, but it's not easy without turning it off for the other targeted services too.
First, I wanted to disable SELinux for just Apache, which is supposed to be possible. I ran "system-config-securitylevel", selected the "SELinux" tab, opened the
"transition" list, selected "Disable Selinux protection for httpd daemon",
clicked "ok", then restarted httpd. Unfortunately, this didn't work.
Second, I stopped enforcing SELinux policy, and noticed that TWiki ran just fine. I'd recommend that people get their cgi scripts running correctly without SELinux before trying to troubleshoot further.
Third, I started enforcing SELinux policy again, and I made sure I set the types appropriately for the cgi scripts and for the files the scripts read/write to using
chcon -t httpd_user_script_exec_t <cgi_scripts>
chcon -t httpd_sys_content_t <content files and directories>
I also used "system-config-securitylevel" and enabled some of the options for Apache -- the unification of types to httpd_sys_content_t, allowing of cgi scripts.
Fourth, I watched /var/log/messages for "avc: denied" messages, and used audit2allow to generate rules:
$ cd /etc/selinux/targeted/src/policy
$ audit2allow -d -l -o domains/misc/local.te
$ vi domains/misc/local.te
$ make reload
$ service httpd restart
And I repeated this process several times, merging the appropriate new rules from audit2allow into my original local.te file.
Here's my local.te file that seems to work so far:
allow httpd_sys_script_t sysctl_kernel_t:dir { search };
allow httpd_sys_script_t sysctl_kernel_t:file { read };
allow httpd_sys_script_t sysctl_t:dir { search };
allow httpd_sys_script_t tmp_t:lnk_file { read };
allow httpd_sys_script_t httpd_sys_content_t:dir { read };
allow httpd_sys_script_t httpd_sys_content_t:file { append };
allow httpd_sys_script_t httpd_sys_content_t:dir { write };
allow httpd_sys_script_t httpd_sys_content_t:file { write };
allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
allow httpd_sys_script_t httpd_sys_content_t:file { create };
allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
allow httpd_sys_script_t httpd_sys_content_t:file { rename };
allow httpd_sys_script_t httpd_sys_content_t:file { unlink };
I found the following presentation to be quite helpful:
http://web.verbum.org/selinux/linuxfest/img0.html
http://web.verbum.org/selinux/linuxfest/text21.html (good slide)
And this was also helpful:
http://people.redhat.com/walters/selinux-apache-en/index.html
In the end, I'm glad that turning off the targeted policy for httpd didn't work (using system-config-securitylevel). It forced me to learn more about SELinux (although I feel like I'm just beginning), and hopefully my server is more secure than before.
- Jared
19 years, 5 months
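As an added example (not code from any post in this thread), the following Python script does by hand what Jared's audit2allow loop does: it parses AVC denial records of the kind quoted throughout this thread into TE allow rules, merging permissions per source type, target type and object class, and flags rules whose target is a generic file type, where relabelling with chcon (as Jared did for his CGI scripts and content) is usually the right fix rather than an allow rule. The sample records are constructed from the denials quoted above, rejoined onto single lines, and the list of generic types is an assumption for illustration.

```python
import re
from collections import defaultdict

# FC3-era kernel AVC record format as quoted in this thread (mail-wrapped
# records must be rejoined onto one line first).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Assumed, illustrative list: generic types that usually mean a mislabelled
# file, where relabelling (chcon/restorecon) beats writing an allow rule.
GENERIC_TYPES = {"file_t", "tmp_t", "usr_t", "var_lib_t", "var_t", "default_t"}

# Constructed sample: denials quoted in the thread, rejoined onto single lines.
SAMPLE_DMESG = """\
audit(1100638278.903:0): avc: denied { connectto } for pid=2481 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc: denied { read } for pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Nov 14 11:22:13 srv kernel: audit(1100424133.029:0): avc: denied { execute } for pid=4423 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
"""

def parse_avc(line):
    """One AVC record -> (source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    stype, ttype = (m.group(k).split(":")[2] for k in ("scontext", "tcontext"))
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def collect_rules(text):
    """Merge all denials into {(stype, ttype, tclass): set of perms}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_rules(rules):
    """Emit one TE allow rule per key with merged perms, in sorted order."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def needs_relabel_review(rules):
    """Keys whose target is a generic type: check the file label before allowing."""
    return [key for key in sorted(rules) if key[1] in GENERIC_TYPES]
```

Running render_rules(collect_rules(open("/var/log/messages").read())) over a real log gives the consolidated rule set that Jared's per-permission local.te would look like after merging, with needs_relabel_review listing the entries to check with ls -Z before adding them.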