Re: Is Wordpress protected by SELinux?
by Silvan Nagl
I'm using this on my prod system:
/usr/share/nginx/html/wordpress/.*\.php all files system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/nginx/html/wordpress/wp-content all files system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/plugins(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/themes(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/upgrade(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/uploads(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/wflogs(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-includes/.*\.php all files system_u:object_r:httpd_sys_script_exec_t:s0
Adapt your paths and add your definitions as follows:
semanage fcontext -a -t httpd_sys_script_exec_t '/usr/share/nginx/html/wordpress/.*\.php'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/wordpress/wp-content/plugins(/.*)?'
...
yada yada
Then apply your changes by doing
restorecon -RFv '/usr/share/nginx/html/'
Check if your context is set properly:
ls -laZ /usr/share/nginx/html/wordpress
On 8/31/20 7:01 AM, Roland Müller wrote:
> Yes, I think so. The most important piece in SELinux setup is the type,
> which is 'httpd_sys_rw_content_t', which steers the context transitions.
>
> Am So., 30. Aug. 2020 um 18:35 Uhr schrieb Jason Long
> <hack3rcon(a)yahoo.com <mailto:hack3rcon@yahoo.com>>:
>
> Hello,
> Is my WordPress directory protected by SELinux?
>
> $ ls -lZ /var/www/wordpress/
> total 484
> drwxrwxr-x. 2 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 6 Oct 30 2019 cgi-bin
> -rwxrwxr-x. 1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 53 Oct 21 2019 googlee4e6cdb3b56c49dd.html
> -rwxrwxr-x. 1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 405 Apr 3 22:42 index.php
>
> Thank you.
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> <mailto:selinux@lists.fedoraproject.org>
> To unsubscribe send an email to
> selinux-leave(a)lists.fedoraproject.org
> <mailto:selinux-leave@lists.fedoraproject.org>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
3 years, 6 months
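The procedure above (define fcontext rules, run restorecon, check with ls -Z) as an added example in POSIX shell; this is not code from the post or from Fedora's policy. It turns the post's rule table into the semanage commands, applies them (dry run by default), and then lists every .php file whose type lets httpd_t write to it, which is the check worth doing before calling the directory "protected". WP_ROOT, DRY_RUN, the table layout and writable_php() are this example's own assumptions; the rules in the table are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the post: generate the semanage fcontext
# commands from a rule table, apply them, then check the result.
# WP_ROOT, DRY_RUN, the table layout and writable_php() are this
# example's own assumptions; the rules in the table are the post's.
WP_ROOT="${WP_ROOT:-/usr/share/nginx/html/wordpress}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (needs root)

# <type> <path regex relative to WP_ROOT>, one rule per line.  Paths not
# listed keep the policy default for /usr/share/nginx/html, which is
# httpd_sys_content_t: readable by httpd_t but not writable.
rules() {
  cat <<'EOF'
httpd_sys_script_exec_t /.*\.php
httpd_sys_rw_content_t /wp-content
httpd_sys_rw_content_t /wp-content/plugins(/.*)?
httpd_sys_rw_content_t /wp-content/themes(/.*)?
httpd_sys_rw_content_t /wp-content/upgrade(/.*)?
httpd_sys_rw_content_t /wp-content/uploads(/.*)?
httpd_sys_rw_content_t /wp-content/wflogs(/.*)?
httpd_sys_script_exec_t /wp-includes/.*\.php
EOF
}

# fcontext_cmd TYPE PATHREGEX -> the semanage command for one rule
fcontext_cmd() {
  printf "semanage fcontext -a -t %s '%s%s'\n" "$1" "$WP_ROOT" "$2"
}

# gen_cmds -> every semanage command, then the restorecon that applies them
gen_cmds() {
  rules | while read -r type path; do
    [ -n "$type" ] || continue
    fcontext_cmd "$type" "$path"
  done
  printf "restorecon -RFv '%s'\n" "$WP_ROOT"
}

# run_cmds -> print (dry run) or execute the generated commands
run_cmds() {
  gen_cmds | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then
      printf '[dry-run] %s\n' "$cmd"
    else
      eval "$cmd"
    fi
  done
}

# label_type CONTEXT -> the type field of user:role:type:level
label_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# writable_php: read "CONTEXT PATH" lines (the shape of `ls -Z FILE`) on
# stdin and print each .php path whose type httpd_t may write to.  Code
# the web server process can modify is exactly what a compromised plugin
# or upload handler needs, so every hit should be there on purpose.
writable_php() {
  while read -r ctx path; do
    case "$path" in *.php) ;; *) continue ;; esac
    case "$(label_type "$ctx")" in
      httpd_*_rw_content_t) printf '%s\n' "$path" ;;
    esac
  done
}

run_cmds
```

Run with DRY_RUN=0 as root to apply. `semanage fcontext -a` refuses a spec that is already defined; use `-m` for those. After restorecon, `find "$WP_ROOT" -name '*.php' -exec ls -Z {} + | writable_php` prints the PHP files that httpd_t could overwrite; with the post's rules that includes anything under plugins/ and themes/, so decide deliberately whether WordPress-driven updates of those directories are wanted on that host.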
Is Wordpress protected by SELinux?
by Jason Long
Hello,
Is my WordPress directory protected by SELinux?
$ ls -lZ /var/www/wordpress/
total 484
drwxrwxr-x. 2 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 6 Oct 30 2019 cgi-bin
-rwxrwxr-x. 1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 53 Oct 21 2019 googlee4e6cdb3b56c49dd.html
-rwxrwxr-x. 1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 405 Apr 3 22:42 index.php
Thank you.
3 years, 6 months
SELinux "staff_u" not allowed to access certain commands such as "semanage user" and "semanage login" when running sudo
by Daniel Skip
Hello,
It's been about a year since I played with SELinux. I recently created a new SELinux login and mapped it to the "staff_u" SELinux user. Everything seemed to work normally until I tried running the semanage commands and it denied me access. So for instance I would run "sudo semanage user -l", and I even added the staff role and type to allow it to use sudo, but it still ended up not letting me access it. I'm almost certain it never gave me this kind of problem when I ran SELinux a year ago.
I ran an ausearch and it gave me a bunch of stuff, so I figured I'd ask here and see if anyone knows what's with it or if I should even allow these rules. Let me know what you think.
"
require {
type bin_t;
type newrole_t;
type staff_t;
type staff_sudo_t;
type sysadm_sudo_t;
class lnk_file relabelfrom;
class dir search;
class file { open read };
}
fs_getattr_cgroup(newrole_t)
#============= staff_sudo_t ==============
allow staff_sudo_t bin_t:lnk_file relabelfrom;
dev_relabel_sysfs_dirs(staff_sudo_t)
files_list_lost_found(staff_sudo_t)
files_list_var(staff_sudo_t)
files_relabelfrom_boot_files(staff_sudo_t)
fs_read_configfs_dirs(staff_sudo_t)
init_read_state(staff_sudo_t)
#============= sysadm_sudo_t ==============
allow sysadm_sudo_t staff_t:dir search;
allow sysadm_sudo_t staff_t:file { open read };
abrt_stream_connect(sysadm_sudo_t)
cups_read_rw_config(sysadm_sudo_t)
files_list_lost_found(sysadm_sudo_t)
files_list_var(sysadm_sudo_t)
fs_read_configfs_dirs(sysadm_sudo_t)
init_read_state(sysadm_sudo_t)
seutil_get_semanage_read_lock(sysadm_sudo_t)
seutil_manage_module_store(sysadm_sudo_t)
seutil_read_module_store(sysadm_sudo_t)
"
3 years, 6 months
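An added example, not code from the post or from audit2allow: a triage pass over an audit2allow listing like the one above that marks the lines worth questioning before they are compiled into a module. audit2allow reproduces whatever was denied, and that can include grants such as relabeling files or managing the policy module store, which change what SELinux itself enforces. RISKY_PATTERNS is this example's own watch list and SAMPLE is constructed from a few lines of the posted listing.

```shell
#!/bin/sh
# Added example, not code from the post: flag the lines of an audit2allow
# listing that deserve a look before they go into a policy module.
# RISKY_PATTERNS is this example's own watch list; SAMPLE is constructed
# from a few lines of the listing in the post.
RISKY_PATTERNS='relabelfrom relabelto setattr write create unlink manage_'

SAMPLE='require {
	type bin_t;
	type staff_sudo_t;
	type sysadm_sudo_t;
	class lnk_file relabelfrom;
}

#============= staff_sudo_t ==============
allow staff_sudo_t bin_t:lnk_file relabelfrom;
files_list_var(staff_sudo_t)
#============= sysadm_sudo_t ==============
seutil_read_module_store(sysadm_sudo_t)
seutil_manage_module_store(sysadm_sudo_t)'

# audit2allow_triage: read an audit2allow listing on stdin and print
# "REVIEW<TAB>rule" for lines matching a risky pattern, "ok<TAB>rule"
# otherwise.  The require block, comments and blank lines are skipped.
audit2allow_triage() {
  in_require=0
  while IFS= read -r line; do
    case "$line" in
      'require {'*) in_require=1; continue ;;
      '}'*)         in_require=0; continue ;;
      '#'*|'')      continue ;;
    esac
    [ "$in_require" -eq 0 ] || continue
    tag=ok
    for pat in $RISKY_PATTERNS; do
      case "$line" in *"$pat"*) tag=REVIEW; break ;; esac
    done
    printf '%s\t%s\n' "$tag" "$line"
  done
}

printf '%s\n' "$SAMPLE" | audit2allow_triage
```

Typical use is `ausearch -m AVC -ts recent | audit2allow -R | audit2allow_triage`; only the "ok" lines go into a module as they are, and each "REVIEW" line either gets a justification or is dropped in favour of fixing the cause of the denial.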
httpd and httpd_sys_content_t
by info@joomladev.eu
Hello,
I have set the httpd_unified boolean to on, and httpd files are marked as
httpd_sys_content_t. But when I create files via php-fpm, the files are
created as httpd_sys_rw_content_t. Why not httpd_sys_content_t if I
have this boolean enabled?
It's on CentOS 8 box fully updated.
Thanks,
Filip Bartmann
3 years, 7 months
Samba hi_reserved_port_t denial
by info@joomladev.eu
On CentOS 8 I have some weird permission denials on samba:
------------------------------------------------------------------------------------
# audit(1597366122.204:23992513):
# scontext="system_u:system_r:smbd_t:s0" tcontext="system_u:object_r:hi_reserved_port_t:s0"
# class="udp_socket" perms="name_bind"
# comm="smbd" exe="" path=""
# message="type=AVC msg=audit(1597366122.204:23992513): avc: denied {
# name_bind } for pid=2210721 comm="smbd" src=1009
# scontext=system_u:system_r:smbd_t:s0
# tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
# permissive=1"
------------------------------------------------------------------------------------
Am I doing something wrong?
Thanks,
Filip Bartmann
3 years, 7 months
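The record above as input to an added example (not code from the post): a small shell filter that reduces raw AVC records to one summary line each, so that repeated denials can be counted and the permissive flag is not overlooked. AVC_SAMPLE is constructed: the first record is the smbd denial quoted in the post on a single line, the second is an invented enforcing-mode copy of it for contrast.

```shell
#!/bin/sh
# Added example, not code from the post: reduce raw AVC records to one
# summary line each so repeated denials can be counted and compared.
# AVC_SAMPLE is constructed: record 1 is the smbd denial from the post,
# record 2 is an invented enforcing-mode copy of it for contrast.
AVC_SAMPLE='type=AVC msg=audit(1597366122.204:23992513): avc:  denied  { name_bind } for  pid=2210721 comm="smbd" src=1009 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1597366200.001:23992600): avc:  denied  { name_bind } for  pid=2210999 comm="smbd" src=1010 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0'

# avc_field LINE KEY -> value of KEY=value in LINE, quotes stripped
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}
# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
# avc_perms LINE -> the permission list between { and }
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'; }

# avc_summary: read AVC records on stdin and print
#   SOURCE_TYPE TARGET_TYPE CLASS PERMS src=PORT comm=NAME MODE
# MODE is "permissive" when the record carries permissive=1, meaning the
# access actually went through and was only logged; otherwise "enforcing".
avc_summary() {
  while IFS= read -r line; do
    case "$line" in *avc:*denied*) ;; *) continue ;; esac
    s=$(ctx_type "$(avc_field "$line" scontext)")
    t=$(ctx_type "$(avc_field "$line" tcontext)")
    src=$(avc_field "$line" src)
    [ -n "$src" ] || src=-
    if [ "$(avc_field "$line" permissive)" = 1 ]; then mode=permissive; else mode=enforcing; fi
    printf '%s %s %s %s src=%s comm=%s %s\n' "$s" "$t" \
      "$(avc_field "$line" tclass)" "$(avc_perms "$line")" \
      "$src" "$(avc_field "$line" comm)" "$mode"
  done
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

On a live box, `ausearch -m AVC -ts recent | avc_summary | sort | uniq -c` gives a count per distinct denial. For the posted record the summary reads `smbd_t hi_reserved_port_t udp_socket name_bind src=1009 comm=smbd permissive`: smbd_t was bound to UDP source port 1009, which falls in the hi_reserved_port_t range, and the trailing field shows the domain was permissive, so the bind succeeded and the record is advisory rather than a sign that Samba was blocked.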