Dear Daniel and all,
I am trying to enable upload for all my virtual hosts placed in /var/www.
The goal is to allow users to upload their content via ftp/sftp/scp.
First I tried vsftpd as a basis for upload, but got a problem: httpd_sys_content_t is needed by Apache and user_home_t is needed by chrooted vsftpd access. Together, httpd_sys_content_t and user_home_t probably might be combined by editing SELinux targeted policies, but I'd rather not do it myself.
Then I tried scp. A similar problem appeared.
Q: What is the Right Way to organize upload of web content to the virtual hosts with SELinux enabled?
Here I imply that the ideology of FC4 and the SELinux targeted policy should probably allow a private user to host a few virtual hosts with an upload function, but without diving into the jungle of policy development :-)
Any good links and hints are highly appreciated!
P.S. Please Cc to me, and sorry if missed something in maillist. -- Valery A.Khamenya
Valery Khamenya wrote:
Dear Daniel and all,
I am trying to enable upload for all my virtual hosts placed in /var/www.
The goal is to allow users to upload their content via ftp/sftp/scp.
First I tried vsftpd as a basis for upload, but got a problem: httpd_sys_content_t is needed by Apache and user_home_t is needed by chrooted vsftpd access. Together, httpd_sys_content_t and user_home_t probably might be combined by editing SELinux targeted policies, but I'd rather not do it myself.
Then I tried scp. A similar problem appeared.
Q: What is the Right Way to organize upload of web content to the virtual hosts with SELinux enabled?
Here I imply that the ideology of FC4 and the SELinux targeted policy should probably allow a private user to host a few virtual hosts with an upload function, but without diving into the jungle of policy development :-)
Any good links and hints are highly appreciated!
P.S. Please Cc to me, and sorry if missed something in maillist.
Valery A.Khamenya
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Try public_content_rw_t?
Try public_content_rw_t?
Now tried it. Nothing works after applying public_content_rw_t. Neither ftp, nor scp, nor even the web.
Please let me know if I could bring some reasonable logs.
Thank you in advance for any further help, best regards, Valery.
P.S. below goes the ... # getsebool -a NetworkManager_disable_trans --> inactive allow_execmem --> active allow_execmod --> active allow_execstack --> active allow_ftpd_anon_write --> inactive allow_gssd_read_tmp --> active allow_httpd_anon_write --> inactive allow_httpd_sys_script_anon_write --> inactive allow_kerberos --> active allow_rsync_anon_write --> inactive allow_saslauthd_read_shadow --> inactive allow_smbd_anon_write --> inactive allow_write_xshm --> inactive allow_ypbind --> inactive apmd_disable_trans --> inactive arpwatch_disable_trans --> inactive auditd_disable_trans --> inactive bluetooth_disable_trans --> inactive canna_disable_trans --> inactive cardmgr_disable_trans --> inactive comsat_disable_trans --> inactive cupsd_config_disable_trans --> inactive cupsd_disable_trans --> inactive cupsd_lpd_disable_trans --> inactive cvs_disable_trans --> inactive cyrus_disable_trans --> inactive dbskkd_disable_trans --> inactive dhcpc_disable_trans --> inactive dhcpd_disable_trans --> inactive dovecot_disable_trans --> inactive fingerd_disable_trans --> inactive ftp_home_dir --> active ftpd_disable_trans --> active ftpd_is_daemon --> active gssd_disable_trans --> inactive hald_disable_trans --> inactive hotplug_disable_trans --> inactive howl_disable_trans --> inactive hplip_disable_trans --> inactive httpd_builtin_scripting --> active httpd_can_network_connect --> inactive httpd_disable_trans --> inactive httpd_enable_cgi --> active httpd_enable_homedirs --> active httpd_ssi_exec --> active httpd_suexec_disable_trans --> inactive httpd_tty_comm --> inactive httpd_unified --> active inetd_child_disable_trans --> inactive inetd_disable_trans --> inactive innd_disable_trans --> inactive kadmind_disable_trans --> inactive klogd_disable_trans --> inactive krb5kdc_disable_trans --> inactive ktalkd_disable_trans --> inactive lpd_disable_trans --> inactive mysqld_disable_trans --> inactive named_disable_trans --> inactive named_write_master_zones --> inactive 
nfs_export_all_ro --> active nfs_export_all_rw --> active nfsd_disable_trans --> inactive nmbd_disable_trans --> inactive nscd_disable_trans --> inactive ntpd_disable_trans --> inactive pegasus_disable_trans --> inactive portmap_disable_trans --> inactive postgresql_disable_trans --> inactive pppd_can_insmod --> inactive pppd_disable_trans --> inactive pppd_for_user --> inactive pptp_disable_trans --> inactive privoxy_disable_trans --> inactive ptal_disable_trans --> inactive radiusd_disable_trans --> inactive radvd_disable_trans --> inactive read_default_t --> active rlogind_disable_trans --> inactive rpcd_disable_trans --> inactive rsync_disable_trans --> inactive samba_enable_home_dirs --> inactive saslauthd_disable_trans --> inactive slapd_disable_trans --> inactive smbd_disable_trans --> inactive snmpd_disable_trans --> inactive squid_connect_any --> inactive squid_disable_trans --> inactive stunnel_disable_trans --> inactive stunnel_is_daemon --> inactive syslogd_disable_trans --> inactive system_dbusd_disable_trans --> inactive telnetd_disable_trans --> inactive tftpd_disable_trans --> active udev_disable_trans --> inactive use_nfs_home_dirs --> inactive use_samba_home_dirs --> inactive uucpd_disable_trans --> inactive winbind_disable_trans --> inactive ypbind_disable_trans --> inactive ypserv_disable_trans --> inactive zebra_disable_trans --> inactive
-- Valery A.Khamenya
Valery Khamenya wrote:
Try public_content_rw_t?
Now tried it. Nothing works after applying public_content_rw_t. Neither ftp, nor scp, nor even the web.
You need to turn on the correct booleans to allow it to work.
setsebool -P allow_ftpd_anon_write=1
Please let me know if I could bring some reasonable logs.
Thank you in advance for any further help, best regards, Valery.
-- Valery A.Khamenya
You need to turn on the correct booleans to allow it to work. setsebool -P allow_ftpd_anon_write=1
Sounds like anonymous users are allowed now by SELinux...
First funny thing: access was not anonymous, so why was it disabled before allow_ftpd_anon_write was changed?
Secondly, public_content_rw_t still disallows Apache from accessing web pages. And if I bring httpd_sys_content_t back, then Apache is OK and vsftpd doesn't work :)
Well, either ftp or apache. But not together now.
-- Valery A.Khamenya
Valery Khamenya wrote:
You need to turn on the correct booleans to allow it to work. setsebool -P allow_ftpd_anon_write=1
Sounds like anonymous users are allowed now by SELinux...
First funny thing: access was not anonymous, so why was it disabled before allow_ftpd_anon_write was changed?
Secondly, public_content_rw_t still disallows Apache from accessing web pages. And if I bring httpd_sys_content_t back, then Apache is OK and vsftpd doesn't work :)
Well, either ftp or apache. But not together now.
-- Valery A.Khamenya
You need to set this boolean for each domain that needs the write capability. (httpd, rsync, smbd, ftpd)
setsebool -P allow_httpd_anon_write=1
man ftpd_selinux, man httpd_selinux, ... should describe the usage.
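The thread's fix is to label the upload tree public_content_rw_t and then enable only the per-domain write booleans that are actually needed. This added example (not from the list, not Fedora's code) reads a constructed excerpt of the getsebool -a output Valery posted, reports which of the four write booleans Dan names are still inactive, and prints the matching setsebool -P lines for review; it does not change anything on the system.

```shell
#!/bin/sh
# Constructed excerpt in the "name --> active|inactive" format that
# getsebool -a printed on FC4 (values taken from the posted dump).
GETSEBOOL_SAMPLE='allow_ftpd_anon_write --> inactive
allow_httpd_anon_write --> inactive
allow_rsync_anon_write --> inactive
allow_smbd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_unified --> active'

# One boolean per domain gates writes to public_content_rw_t files.
# Enable only the ones for daemons that must write, not all four blindly.
WRITE_BOOLS='allow_ftpd_anon_write allow_httpd_anon_write allow_rsync_anon_write allow_smbd_anon_write'

# inactive_write_bools TEXT: print each write boolean that TEXT reports as
# inactive, one per line, in WRITE_BOOLS order.
inactive_write_bools() {
    for b in $WRITE_BOOLS; do
        printf '%s\n' "$1" | grep -q "^$b --> inactive\$" && echo "$b"
    done
    return 0
}

# enable_commands BOOL...: print one persistent setsebool line per boolean,
# the same form as the reply above ("-P" writes the change to disk).
enable_commands() {
    for b in "$@"; do
        echo "setsebool -P $b=1"
    done
}

# Stand-alone run: show what is off, then the commands an admin would review.
inactive_write_bools "$GETSEBOOL_SAMPLE"
enable_commands $(inactive_write_bools "$GETSEBOOL_SAMPLE")
```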
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new file contexts so they are specific to my site and not erased by future releases? How do I get them included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts.
On Tue, 2005-10-18 at 11:50 +0800, Jeremy Ardley wrote:
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new file contexts so they are specific to my site and not erased by future releases? How do I get them included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts.
Try file_contexts/misc/local.fc
Paul.
On Tue, 2005-10-18 at 08:02 +0100, Paul Howarth wrote:
On Tue, 2005-10-18 at 11:50 +0800, Jeremy Ardley wrote:
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new file contexts so they are specific to my site and not erased by future releases? How do I get them included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts.
Try file_contexts/misc/local.fc
That would work as well, but requires the policy sources and rebuilding the policy. Better to create a /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.local file, which is consulted at runtime by the matchpathcon(3) libselinux function used by setfiles, restorecon, etc.
And in the future (FC5), you can build your own policy module and module package and link it into the distro-provided policy without disturbing the distro-provided policy at all.
On Tue, 2005-10-18 at 11:50 +0800, Jeremy Ardley wrote:
Hi,
I want to customise my site with additional file contexts and rules.
Where is the correct place to create the new file contexts so they are specific to my site and not erased by future releases? How do I get them included in the Make?
I assume there is some mechanism like domains/misc/local.te but for contexts.
/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.local where $SELINUXTYPE is defined in your /etc/selinux/config (default is targeted).
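To tie the two threads together, this added example (not from the list, not libselinux code) builds a file_contexts.local line that labels one vhost's upload directory public_content_rw_t and then checks, with a small lookup that mimics matchpathcon's rule that the last matching specification wins (which is why file_contexts.local, appended after the distribution file, overrides it), which context a given path would get. The vhost name, paths and the abbreviated base entries are constructed; on a real box you would write the line to file_contexts.local and run restorecon -R on the directory.

```shell
#!/bin/sh
# Constructed, abbreviated distribution-style entries: regex, then context.
# (Real file_contexts lines may also carry a file-type field such as "--".)
FC_BASE='/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0'

# local_entry DIR TYPE: print a file_contexts.local line that labels DIR and
# everything beneath it with TYPE. Only the upload tree gets the writable
# type; the rest of the vhost stays httpd_sys_content_t (read-only for httpd).
local_entry() {
    printf '%s(/.*)? system_u:object_r:%s:s0\n' "$1" "$2"
}

# lookup PATH SPECS: print the context of the last spec whose regex matches
# PATH in full, the way matchpathcon resolves a path; empty if none matches.
lookup() {
    path=$1; specs=$2; ctx=''
    while read -r re context; do
        [ -z "$re" ] && continue
        # Anchor the ERE to the whole path, as the labeling code does.
        if printf '%s\n' "$path" | grep -Eq "^${re}\$"; then
            ctx=$context
        fi
    done <<EOF
$specs
EOF
    printf '%s' "$ctx"
}

# Distribution entries plus our local override (constructed vhost name).
FC_ALL="$FC_BASE
$(local_entry /var/www/example.org/upload public_content_rw_t)"

# Stand-alone run: a static page keeps httpd_sys_content_t, an upload does not.
lookup /var/www/example.org/index.html "$FC_ALL"; echo
lookup /var/www/example.org/upload/photo.jpg "$FC_ALL"; echo
```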