Hi Everyone,
I need a little help in determining the proper SELinux context for data files served by Nginx. SELinux is in enforcing mode. The web server static pages are at /var/www/html (for historic reasons). The data files are in the filesystem in /var, but at /var/ftc-data. There's also a soft symlink at /var/www/html/ftc-data that points to /var/ftc-data.
/var/www/html is working as expected, but I am getting a 403 on the data files and the data file directory. I.e., I get a 403 on http://www.example.com/ftc-data, even though the directory is ugo+x.
The filesystem topology of interest is:
/var
|-- www
|   `-- html
|       |-- index.html
|       `-- ftc-data -> /var/ftc-data (symlink)
`-- ftc-data
    |-- file1.dat
    |-- file2.dat
    `-- file3.dat
/var/www and /var/www/html have system_u:object_r:httpd_sys_content_t:s0. The web server is serving the static html files Ok.
/var/ftc-data has unconfined_u:object_r:var_t:s0. I am not thrilled about unconfined_u, and I am pretty sure var_t should be httpd_sys_content_t.
The last wrinkle is, the data files get updated once a day using a systemd timer. So systemd needs write access to /var/ftc-data.
Would someone help me understand what SELinux context should be for /var/ftc-data, please?
Thanks in advance.
On 11/19/24 13:09, Jeffrey Walton via selinux wrote:
So systemd needs write access to /var/ftc-data.
Would someone help me understand what SELinux context should be for /var/ftc-data, please?
Thanks in advance.
So what context is systemd running as when it needs to write those files?
And what audit messages are generated on the failed attempts to write?
And then you need an selinux policy to set those contexts for the files and/or parent directories or else everything just gets clobbered all over again on updates or file system relabels.
Other than that I am not an expert and that is about all I can say on the subject. If anyone else cares to elaborate. Planning to move from CentOS to Fedora with, of course, selinux enforcing, so I will be dealing with similar issues very soon.
On Tue, Nov 19, 2024 at 6:10 PM justina colmena ~biz justina@colmena.biz wrote:
On 11/19/24 13:09, Jeffrey Walton via selinux wrote:
So systemd needs write access to /var/ftc-data.
Would someone help me understand what SELinux context should be for /var/ftc-data, please?
Thanks in advance.
So what context is systemd running as when it needs to write those files?
And what audit messages are generated on the failed attempts to write?
Ok, so I zero'd in on one of them in the log file. In the entry below, I am trying to fetch one of the data files using the url https://www.example.com/ftc-data/2024-11-19.csv.xz.
<SNIP>
# cat /var/log/audit/audit.log | audit2why
...
type=AVC msg=audit(1732061270.500:145): avc: denied { read } for pid=1109 comm="nginx" name="2024-11-19.csv.xz" dev="dm-0" ino=8827640 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
</SNIP>
But I don't think the answer is an allow rule. I _think_ /var/ftc-data needs to use httpd_sys_content_t, not var_t.
And then you need an selinux policy to set those contexts for the files and/or parent directories or else everything just gets clobbered all over again on updates or file system relabels.
Got it.
Other than that I am not an expert and that is about all I can say on the subject. If anyone else cares to elaborate. Planning to move from CentOS to Fedora with, of course, selinux enforcing, so I will be dealing with similar issues very soon.
Good luck when you migrate.
Jeff
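The distinction Jeff draws above (mislabelled file versus missing allow rule) can be read straight off the AVC record. This is an added example, not code from the thread: it parses the denial quoted above, and because the record only carries the file's basename, the caller supplies the served directory (here /var/ftc-data) for the suggested fcontext rule.

```python
import re

# The denial quoted above from audit.log: nginx (httpd_t) reading a file that is
# still labelled var_t.
AVC_LINE = (
    'type=AVC msg=audit(1732061270.500:145): avc: denied { read } for pid=1109 '
    'comm="nginx" name="2024-11-19.csv.xz" dev="dm-0" ino=8827640 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 '
    'tclass=file permissive=0'
)

# Types that httpd_t is meant to serve; a denial whose target carries any other
# type is normally a labelling mistake, not a missing allow rule.
HTTPD_CONTENT_TYPES = {"httpd_sys_content_t", "httpd_sys_rw_content_t",
                       "httpd_sys_ra_content_t"}


def parse_avc(line):
    """Split one AVC record into its key=value fields plus the denied permissions."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def diagnose(line, served_dir):
    """Classify an httpd_t denial as a label problem or a genuine policy gap."""
    rec = parse_avc(line)
    if rec is None or context_type(rec["scontext"]) != "httpd_t":
        return None
    ttype = context_type(rec["tcontext"])
    if ttype in HTTPD_CONTENT_TYPES:
        # The label is already a content type, so policy withholds the permission
        # itself; check the httpd_selinux(8) booleans before writing an allow rule.
        return {"kind": "policy", "target_type": ttype, "file": rec.get("name"),
                "fix": ["# see httpd_selinux(8) booleans"]}
    pattern = served_dir.rstrip("/") + "(/.*)?"
    return {"kind": "label", "target_type": ttype, "file": rec.get("name"),
            "fix": [f"semanage fcontext -a -t httpd_sys_content_t '{pattern}'",
                    f"restorecon -Rv {served_dir}"]}
```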
On 11/19/24 16:49, Jeffrey Walton wrote:
But I don't think the answer is an allow rule. I _think_ /var/ftc-data needs to use httpd_sys_content_t, not var_t.
The "httpd_sys_content_t" selinux context is usually defined in an selinux policy module dependency when apache is installed in fedora. I'm not sure anything specific has been developed for nginx per se. ymmv, whatever selinux policies have been developed and packaged for common server software. It's been a while, things are rather outdated now, but I believe I've had better luck installing apache and just not using it but leaving it installed while running nginx, because the selinux policies that have been developed in the past for apache usually "just work" with nginx, "httpd_sys_content_t" and everything, although I don't know that piggybacking too much software is the "right" solution either.
On Tue, Nov 19, 2024 at 8:53 PM justina colmena ~biz justina@colmena.biz wrote:
On 11/19/24 16:49, Jeffrey Walton wrote:
But I don't think the answer is an allow rule. I _think_ /var/ftc-data needs to use httpd_sys_content_t, not var_t.
The "httpd_sys_content_t" selinux context is usually defined in an selinux policy module dependency when apache is installed in fedora. I'm not sure anything specific has been developed for nginx per se. ymmv, whatever selinux policies have been developed and packaged for common server software. It's been a while, things are rather outdated now, but I believe I've had better luck installing apache and just not using it but leaving it installed while running nginx, because the selinux policies that have been developed in the past for apache usually "just work" with nginx, "httpd_sys_content_t" and everything, although I don't know that piggybacking too much software is the "right" solution either.
Yeah, I believe you're right about things just working with Nginx because of Apache.
I did check things after the initial Nginx install, before any modifications happened. Here's what I found:
* default conf file is /etc/nginx/nginx.conf
* default document root is /usr/share/nginx/html
And:
# ls -Z /usr/share/nginx/html
system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_content_t:s0 nginx-logo.png
...
I believe "system_u:object_r:httpd_sys_content_t:s0" is the same as Apache at /var/www/html (and friends). Indeed, when I created /var/www/html and restorecon'd:
# ls -Z /var/
system_u:object_r:httpd_sys_content_t:s0 html
...
# ls -Z /var/www/
system_u:object_r:httpd_sys_content_t:s0 html
(There's probably a way to list the rules for /var/www(/.*)? (or whatever that RE syntax is), but I don't know them).
Related, I recently added more topics to Fedora's docs on Nginx at https://fedoraproject.org/wiki/Nginx. It touches on SELinux under the section File Permissions. Please feel free to make corrections.
Jeff
On 19/11/2024 21:09, Jeffrey Walton via selinux wrote:
Hi Everyone,
I need a little help in determining the proper SELinux context for data files served by Nginx. SELinux is in enforcing mode. The web server static pages are at /var/www/html (for historic reasons). The data files are in the filesystem in /var, but at /var/ftc-data. There's also a soft symlink at /var/www/html/ftc-data that points to /var/ftc-data.
/var/www/html is working as expected, but I am getting a 403 on the data files and the data file directory. I.e., I get a 403 on http://www.example.com/ftc-data, even though the directory is ugo+x.
The filesystem topology of interest is:
/var
|-- www
|   `-- html
|       |-- index.html
|       `-- ftc-data -> /var/ftc-data (symlink)
`-- ftc-data
    |-- file1.dat
    |-- file2.dat
    `-- file3.dat
/var/www and /var/www/html have system_u:object_r:httpd_sys_content_t:s0. The web server is serving the static html files Ok.
/var/ftc-data has unconfined_u:object_r:var_t:s0. I am not thrilled about unconfined_u, and I am pretty sure var_t should be httpd_sys_content_t.
The last wrinkle is, the data files get updated once a day using a systemd timer. So systemd needs write access to /var/ftc-data.
Would someone help me understand what SELinux context should be for /var/ftc-data, please?
Thanks in advance.
Sounds like you want to change the label of /var/ftc-data to httpd_sys_content_t. There's an example of how to use matchpathcon, semanage-fcontext and restorecon to achieve this here:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
... and there's also httpd_selinux(8) which lists all the httpd-related types and booleans etc.
As for your timer unit, the service it launches likely already runs as unconfined_service_t, so SELinux won't prevent it from writing to /var/ftc-data. So you shouldn't need to do anything here unless you want to write a custom policy for the service.
However there's one thing that might trip you up: if you try to write your service as a shell script one-liner (e.g., ExecStart=/bin/bash -c '...') then you'll find it ends up running as initrc_t, which is confined & likely won't be allowed to mess with files labelled with httpd_sys_content_t.
# sesearch -T -s init_t -t shell_exec_t -c process
type_transition init_t shell_exec_t:process initrc_t;
You must put your scripts into files labelled with bin_t or usr_t (the default for /usr/local/bin, /usr/local/libexec, etc) and that way they will end up running as unconfined_service_t.
# sesearch -T -s init_t -c process -D unconfined_service_t
type_transition init_t bin_t:process unconfined_service_t;
type_transition init_t usr_t:process unconfined_service_t;
Likely for any non-trivial service you're already doing that, but I thought I'd mention it anyway because this was a stumbling block for me while I was learning how to use SELinux properly.
The reason for this is a bit obscure, and I don't really understand it; perhaps someone else reading this might be able to fill me in? I understand that back in the day, sysvinit (running as init_t) would need to ensure that its init scripts were run as initrc_t, hence the transition rule triggered by executing a file labelled shell_exec_t above.
However, init scripts are labelled with initrc_exec_t, and this rule exists:
# sesearch -T -s init_t -t initrc_exec_t -c process
type_transition init_t initrc_exec_t:process initrc_t;
... so why is this rule not sufficient? What's the need for the rule that transitions to initrc_t when a file labelled with shell_exec_t is executed? Something I've always wondered but never asked about before. :)
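Sam's caveat about ExecStart= one-liners is easy to check for before a timer fires. This is an added example, not code from the thread: the two unit files are constructed, and the lint applies the transition rules from the sesearch output above (a shell invoked directly executes shell_exec_t, so init_t lands in initrc_t; a script under a bin_t/usr_t directory gives unconfined_service_t). It does not handle backslash line continuations.

```python
import shlex

# Constructed example units (not the original poster's): a shell one-liner and
# the same job moved into an executable script under /usr/local/bin.
UNIT_ONE_LINER = """[Unit]
Description=Refresh ftc-data (constructed example)

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'curl -fsS https://example.invalid/latest.csv.xz -o /var/ftc-data/latest.csv.xz'
"""

UNIT_SCRIPT = """[Unit]
Description=Refresh ftc-data (constructed example)

[Service]
Type=oneshot
ExecStart=/usr/local/bin/refresh-ftc-data
"""

SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}
# Directories whose default label (bin_t or usr_t) triggers the
# init_t -> unconfined_service_t transition shown by sesearch above.
UNCONFINED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                        "/usr/local/bin/", "/usr/local/sbin/", "/usr/local/libexec/")


def execstart_lines(unit_text):
    """Collect every ExecStart= value in [Service]; systemd allows several."""
    section, out = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("ExecStart="):
            out.append(line[len("ExecStart="):])
    return out


def lint_execstart(unit_text):
    """Return one warning per ExecStart= that would not run as unconfined_service_t."""
    warnings = []
    for value in execstart_lines(unit_text):
        argv = shlex.split(value.lstrip("-@+!:"))  # drop systemd prefix characters
        if not argv:
            continue
        exe = argv[0]
        if exe in SHELLS:
            warnings.append(f"{exe} executes shell_exec_t, so init_t transitions to "
                            "initrc_t; make the script executable under /usr/local/bin "
                            "and call it directly")
        elif not exe.startswith(UNCONFINED_EXEC_DIRS):
            warnings.append(f"{exe} is outside the standard bin directories; confirm "
                            "with matchpathcon that it is labelled bin_t or usr_t")
    return warnings
```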
On 20.11.24 at 13:06, Trevor Hemsley via selinux wrote:
On 20/11/2024 12:03, Sam Morris via selinux wrote:
There's also a soft symlink at /var/www/html/ftc-data that points to /var/ftc-data
Why not just bind mount /var/ftc-data on /var/www/html/ftc-data?
one might also use the equal option of fcontext:
semanage fcontext --add --equal /var/www/html/ /var/ftc-data/
restorecon -rv /var/ftc-data
To have the same selinux fcontext for /var/ftc-data as /var/www/html
IDK looks sort of like the NSA SELinux cops are going out on disability from that government employees union with their top secret drop ceiling tiles, fluorescent lights, sound-deadening cubicle partitions, computer screen locks for authorized bathroom breaks, office worker performance metrics from the IT department, potted plants on the windowsills, commercial carpet, and by the way has the guy with the handtruck come to replace the five-gallon jug on the water cooler yet? Total zone-out in the whole office, or is that a bong in the other cubicle? Is there random drug testing at the SELinux workplace like they have at OpenBSD?
On 11/19/24 13:09, Jeffrey Walton via selinux wrote:
Hi Everyone,
I need a little help in determining the proper SELinux context for data files served by Nginx. SELinux is in enforcing mode. The web server static pages are at /var/www/html (for historic reasons). The data files are in the filesystem in /var, but at /var/ftc-data. There's also a soft symlink at /var/www/html/ftc-data that points to /var/ftc-data.
/var/www/html is working as expected, but I am getting a 403 on the data files and the data file directory. I.e., I get a 403 on http://www.example.com/ftc-data, even though the directory is ugo+x.
The filesystem topology of interest is:
/var
|-- www
|   `-- html
|       |-- index.html
|       `-- ftc-data -> /var/ftc-data (symlink)
`-- ftc-data
    |-- file1.dat
    |-- file2.dat
    `-- file3.dat
/var/www and /var/www/html have system_u:object_r:httpd_sys_content_t:s0. The web server is serving the static html files Ok.
/var/ftc-data has unconfined_u:object_r:var_t:s0. I am not thrilled about unconfined_u, and I am pretty sure var_t should be httpd_sys_content_t.
The last wrinkle is, the data files get updated once a day using a systemd timer. So systemd needs write access to /var/ftc-data.
Would someone help me understand what SELinux context should be for /var/ftc-data, please?
Thanks in advance.
selinux@lists.fedoraproject.org