10:18 a.m.
Dear Daniel and all,
I am trying to enable upload for all my virtual hosts placed in /var/www .
The goal is to allow users upload their content via ftp/sftp/scp .
First I tried vsftpd as a basis for upload, but got problem:
httpd_sys_content_t is needed by apache and user_home_t is needed by
chrooted vsftpd access. Togeter httpd_sys_content_t and user_home_t
probably might be combined by editing SELinux targeted polices, but
i'd better deny to do it myself.
Then I tried scp. The similar problem appeared.
Q: What is the Right Way to organize upload of web content to the
virtual hosts with enabled SELinux?
here I imply that ideology of FC4 and SELinux targeted policy should
probably allow private user to host few virtual hosts with upload
function, but without diving in jungle of policy develoment :-)
Any good links and hints are highly appreciated!
P.S. Please Cc to me, and sorry if missed something in maillist.
--
Valery A.Khamenya
2:12 p.m.
Valery Khamenya wrote:
Dear Daniel and all,
I am trying to enable upload for all my virtual hosts placed in /var/www .
The goal is to allow users upload their content via ftp/sftp/scp .
First I tried vsftpd as a basis for upload, but got problem:
httpd_sys_content_t is needed by apache and user_home_t is needed by
chrooted vsftpd access. Togeter httpd_sys_content_t and user_home_t
probably might be combined by editing SELinux targeted polices, but
i'd better deny to do it myself.
Then I tried scp. The similar problem appeared.
Q: What is the Right Way to organize upload of web content to the
virtual hosts with enabled SELinux?
here I imply that ideology of FC4 and SELinux targeted policy should
probably allow private user to host few virtual hosts with upload
function, but without diving in jungle of policy develoment :-)
Any good links and hints are highly appreciated!
P.S. Please Cc to me, and sorry if missed something in maillist.
--
Valery A.Khamenya
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Try public_content_rw_t?
--
2:56 p.m.
Try public_content_rw_t?
now tried. Nothing works after applying public_content_rw_t now.
Neither ftp, nor scp nor even web.
Let me know please if i could bring some reasonable logs.
Thank you in advance for any further help,
best regards,
Valery.
P.S. below goes the ...
# getsebool -a
NetworkManager_disable_trans --> inactive
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_ftpd_anon_write --> inactive
allow_gssd_read_tmp --> active
allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
allow_kerberos --> active
allow_rsync_anon_write --> inactive
allow_saslauthd_read_shadow --> inactive
allow_smbd_anon_write --> inactive
allow_write_xshm --> inactive
allow_ypbind --> inactive
apmd_disable_trans --> inactive
arpwatch_disable_trans --> inactive
auditd_disable_trans --> inactive
bluetooth_disable_trans --> inactive
canna_disable_trans --> inactive
cardmgr_disable_trans --> inactive
comsat_disable_trans --> inactive
cupsd_config_disable_trans --> inactive
cupsd_disable_trans --> inactive
cupsd_lpd_disable_trans --> inactive
cvs_disable_trans --> inactive
cyrus_disable_trans --> inactive
dbskkd_disable_trans --> inactive
dhcpc_disable_trans --> inactive
dhcpd_disable_trans --> inactive
dovecot_disable_trans --> inactive
fingerd_disable_trans --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> active
ftpd_is_daemon --> active
gssd_disable_trans --> inactive
hald_disable_trans --> inactive
hotplug_disable_trans --> inactive
howl_disable_trans --> inactive
hplip_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
inetd_child_disable_trans --> inactive
inetd_disable_trans --> inactive
innd_disable_trans --> inactive
kadmind_disable_trans --> inactive
klogd_disable_trans --> inactive
krb5kdc_disable_trans --> inactive
ktalkd_disable_trans --> inactive
lpd_disable_trans --> inactive
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nfsd_disable_trans --> inactive
nmbd_disable_trans --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
pppd_can_insmod --> inactive
pppd_disable_trans --> inactive
pppd_for_user --> inactive
pptp_disable_trans --> inactive
privoxy_disable_trans --> inactive
ptal_disable_trans --> inactive
radiusd_disable_trans --> inactive
radvd_disable_trans --> inactive
read_default_t --> active
rlogind_disable_trans --> inactive
rpcd_disable_trans --> inactive
rsync_disable_trans --> inactive
samba_enable_home_dirs --> inactive
saslauthd_disable_trans --> inactive
slapd_disable_trans --> inactive
smbd_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
stunnel_disable_trans --> inactive
stunnel_is_daemon --> inactive
syslogd_disable_trans --> inactive
system_dbusd_disable_trans --> inactive
telnetd_disable_trans --> inactive
tftpd_disable_trans --> active
udev_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
uucpd_disable_trans --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
ypserv_disable_trans --> inactive
zebra_disable_trans --> inactive
--
Valery A.Khamenya
3:30 p.m.
Valery Khamenya wrote:
> Try public_content_rw_t?
>
now tried. Nothing works after applying public_content_rw_t now.
Neither ftp, nor scp nor even web.
you need to turn on the correct booleans to allow it to work.
setsebool -P allow_ftpd_anon_write=1
Let me know please if i could bring some reasonable logs.
Thank you in advance for any further help,
best regards,
Valery.
P.S. below goes the ...
# getsebool -a
NetworkManager_disable_trans --> inactive
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_ftpd_anon_write --> inactive
allow_gssd_read_tmp --> active
allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
allow_kerberos --> active
allow_rsync_anon_write --> inactive
allow_saslauthd_read_shadow --> inactive
allow_smbd_anon_write --> inactive
allow_write_xshm --> inactive
allow_ypbind --> inactive
apmd_disable_trans --> inactive
arpwatch_disable_trans --> inactive
auditd_disable_trans --> inactive
bluetooth_disable_trans --> inactive
canna_disable_trans --> inactive
cardmgr_disable_trans --> inactive
comsat_disable_trans --> inactive
cupsd_config_disable_trans --> inactive
cupsd_disable_trans --> inactive
cupsd_lpd_disable_trans --> inactive
cvs_disable_trans --> inactive
cyrus_disable_trans --> inactive
dbskkd_disable_trans --> inactive
dhcpc_disable_trans --> inactive
dhcpd_disable_trans --> inactive
dovecot_disable_trans --> inactive
fingerd_disable_trans --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> active
ftpd_is_daemon --> active
gssd_disable_trans --> inactive
hald_disable_trans --> inactive
hotplug_disable_trans --> inactive
howl_disable_trans --> inactive
hplip_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
inetd_child_disable_trans --> inactive
inetd_disable_trans --> inactive
innd_disable_trans --> inactive
kadmind_disable_trans --> inactive
klogd_disable_trans --> inactive
krb5kdc_disable_trans --> inactive
ktalkd_disable_trans --> inactive
lpd_disable_trans --> inactive
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nfsd_disable_trans --> inactive
nmbd_disable_trans --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
pppd_can_insmod --> inactive
pppd_disable_trans --> inactive
pppd_for_user --> inactive
pptp_disable_trans --> inactive
privoxy_disable_trans --> inactive
ptal_disable_trans --> inactive
radiusd_disable_trans --> inactive
radvd_disable_trans --> inactive
read_default_t --> active
rlogind_disable_trans --> inactive
rpcd_disable_trans --> inactive
rsync_disable_trans --> inactive
samba_enable_home_dirs --> inactive
saslauthd_disable_trans --> inactive
slapd_disable_trans --> inactive
smbd_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
stunnel_disable_trans --> inactive
stunnel_is_daemon --> inactive
syslogd_disable_trans --> inactive
system_dbusd_disable_trans --> inactive
telnetd_disable_trans --> inactive
tftpd_disable_trans --> active
udev_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
uucpd_disable_trans --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
ypserv_disable_trans --> inactive
zebra_disable_trans --> inactive
--
Valery A.Khamenya
--
4:16 p.m.
you need to turn on the correct booleans to allow it to work.
setsebool -P allow_ftpd_anon_write=1
sounds like anonymous are allowed now by selinux...
First funny thing that access was not annymous, so why it was disabled
before allow_ftpd_anon_write was changed?
Secondly, public_content_rw_t still disallows the apache to access web
pages. And if I bring httpd_sys_content_t back then apache is OK and
vsftpd doesn't work :)
Well, either ftp or apache. But not together now.
--
Valery A.Khamenya
6:51 p.m.
Valery Khamenya wrote:
> you need to turn on the correct booleans to allow it to work.
> setsebool -P allow_ftpd_anon_write=1
>
sounds like anonymous are allowed now by selinux...
First funny thing that access was not annymous, so why it was disabled
before allow_ftpd_anon_write was changed?
Secondly, public_content_rw_t still disallows the apache to access web
pages. And if I bring httpd_sys_content_t back then apache is OK and
vsftpd doesn't work :)
Well, either ftp or apache. But not together now.
--
Valery A.Khamenya
You need to set this boolean for each domain that needs the write
capability. (httpd, rsync, smbd, ftpd)
setsebool -P allow_httpd_anon_write=1
man ftpd_selinux
man httpd_selinux
...
Should describe the usage
--
10:50 p.m.
New subject: Site Customize?
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new files contexts so they are
specific to my site and not erased by future releases? How do I get them
included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts
2:02 a.m.
New subject: Site Customize?
On Tue, 2005-10-18 at 11:50 +0800, Jeremy Ardley wrote:
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new files contexts so they are
specific to my site and not erased by future releases? How do I get them
included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts
Try file_contexts/misc/local.fc
Paul.
--
Paul Howarth <paul(a)city-fan.org>
7:12 a.m.
New subject: Site Customize?
On Tue, 2005-10-18 at 08:02 +0100, Paul Howarth wrote:
On Tue, 2005-10-18 at 11:50 +0800, Jeremy Ardley wrote:
> Hi,
>
> I want to customise my site with additional file contexts and rules.
>
> Where is the correct place to create the new files contexts so they are
> specific to my site and not erased by future releases? How do I get them
> included in the Make?
>
> I assume there is some mechanism like domains/misc/local.te but for contexts
Try file_contexts/misc/local.fc
That would work as well, but requires the policy sources and rebuilding
the policy. Better to create
a /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.local file,
which is consulted at runtime by the matchpathcon(3) libselinux function
used by setfiles, restorecon, etc.
And in the future (FC5), you can build your own policy module and module
package and link it into the distro-provided policy without disturbing
the distro-provided policy at all.
--
Stephen Smalley
National Security Agency
7:06 a.m.
New subject: Site Customize?
On Tue, 2005-10-18 at 11:50 +0800, Jeremy Ardley wrote:
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new files contexts so they are
specific to my site and not erased by future releases? How do I get them
included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts
/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.local
where $SELINUXTYPE is defined in your /etc/selinux/config (default is
targeted).
--
Stephen Smalley
National Security Agency
6762
days inactive
6764
days old
selinux@lists.fedoraproject.org
9 comments
5 participants
participants (5)
-
Daniel J Walsh -
Jeremy Ardley -
Paul Howarth -
Stephen Smalley -
Valery Khamenya