-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Thursday, December 22, 2005 12:33 PM
To: Al Pacifico
Cc: fedora-selinux-list(a)redhat.com
Subject: Re: Neophyte question re: httpd under SELinux
Al Pacifico wrote:
> Marcus-
>
> Thanks for your response.
>
> This helped some, I think, but I still have my issues.
>
> The URL
> http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-httpd-booleans
> didn't contribute much.
>
> Output of ls -Z showed directories of my .../test directory as
> user_u:object_r:user_home_t.
>
> Changing context with chcon -Rv -t httpd_sys_script_t ./test (as root) did
> not work... lot of permission denied messages. My machine has a multidisk
> setup and /home is its own partition or disk; not sure if that matters.
>
> Output of getsebool -a | grep httpd is:
>
> allow_httpd_anon_write --> inactive
> allow_httpd_sys_script_anon_write --> inactive
> httpd_builtin_scripting --> active
> httpd_can_network_connect --> inactive
> httpd_disable_trans --> active
> httpd_enable_cgi --> active
> httpd_enable_ftp_server --> inactive
> httpd_enable_homedirs --> active
> httpd_ssi_exec --> active
> httpd_suexec_disable_trans --> inactive
> httpd_tty_comm --> inactive
> httpd_unified --> active
>
> I totally agree with the comment about placing files in the correct places,
> on a production machine. However, numerous apache modules come with testing
> suites that use the system httpd executable (appropriately) in other
> locations.
>
> I'm starting to believe that I should either use setenforce 0 when
> developing. If I do that, and forget to turn it back on, will there be some
> ugly ramifications later? I have to halt httpd from the console using ctrl-C
> because of the -X option, so I can't just stick setenforce 1 in my script.
> (Hmm.... how do I trap ctrl-C in a bash script?) I could switch to testing
> with lighttpd for CGI and SCGI, but I do need to test some apache modules
> for which that is not an option.
>
> Two things I still don't understand:
> Why doesn't the "Disable SELinux protection for httpd daemon" checkbox just
> take care of the problem?
> My /var/log/messages didn't help me... doesn't show all those permission
> denied messages when I tried to recursively change the context in my
> .../test directory. Should I be looking elsewhere? Do I need to tell SELinux
> something?
>
> I'm sorry if my questions are pretty basic; I definitely fall in the
> category of 80% just want to get the job done and 20% want to know more.
>
> Thanks.
> -al
>
> -----Original Message-----
> From: fedora-selinux-list-bounces(a)redhat.com
> [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Marcus O. White
> Sent: Wednesday, December 21, 2005 2:20 AM
> To: fedora-selinux-list(a)redhat.com
> Subject: Re: Neophyte question re: httpd under SELinux
>
> On Tue, 2005-12-20 at 22:26 -0800, Al Pacifico wrote:
>
>> I'm working on a CGI program in C, but recently SELinux seems to have
>> tripped me up.
>>
>> I started with Tom Boutell's cgic and an example CGI program (provided in
>> his source tree) that generates a JPEG on the fly. It ran fine months back
>> with the following script:
>>
>> dir=$(dirname $0)
>> /usr/sbin/httpd -X -k start -d $dir -e debug
>>
>> on my FC4 machine.
>>
>> Now, it's time to start testing the program I wrote, but my Apache (version
>> 2.0.54, installed from Fedora RPM, if it matters) won't start unless I
>> execute /usr/sbin/setenforce 0 before executing my script. (it took me a
>> while to figure that one out!). In fact, /usr/sbin/httpd -v won't even work.
>>
>> I'm sure the SELinux policy has updated via yum since times when it worked,
>> and that explains the change. I tried checking "Disable SELinux protection
>> for httpd daemon" in the system-config-securitylevel dialog and relabelling
>> my filesystems, but I still need to execute /usr/sbin/setenforce 0
>> beforehand to run my script that starts httpd with my CGI program.
>>
>> If it helps, the example CGI program (not the one I've written, but Tom
>> Boutell's that formerly ran) is in the directory
>>
>> /home/myuser/Development/myproject/imageFromCGI_test/test
>>
>> and
>>
>> ls -l /home/myuser/Development/myproject/imageFromCGI_test/test outputs
>>
>> total 52
>> drwxrwxr-x 2 myuser apache 4096 Sep 9 10:03 cgi-bin
>> drwxrwxr-x 2 myuser apache 4096 Sep 9 13:07 conf
>> -rwxr-xr-x 1 root root 63 Dec 20 14:38 debug_CGI
>> drwxrwxr-x 2 myuser apache 4096 Sep 9 12:08 htdocs
>> drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 logs
>> lrwxrwxrwx 1 root root 18 Sep 9 09:52 modules -> /etc/httpd/modules
>> drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 run
>>
>> (probably only makes sense if you're accustomed to configuring apache; this
>> directory is essentially the argument to the Apache ServerRoot directive).
>>
>> I inferred that the directory might be important since /sbin/service httpd
>> start works fine, regardless of state of aforementioned checkbox.
>>
>> What bugs me is that I don't get any kind of warning... apache just never
>> starts.
>> Q: How do I get warnings? (grep avc /var/log/messages was of no help to my
>> pea-brain)
>> Q: What else do I need to change to alter this behavior?
>>
>> I understand that for a production machine, SELinux is a good thing. I
>> hadn't installed it when I used FC2 and hadn't had much problem with FC3 or
>> with FC4 until yesterday. I have to believe there is a better way than just
>> turning it off.
>>
>> Thanks.
>> -al
>>
>> Al Pacifico
>> Seattle, WA
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>
> From RHEL list:
>
> Gavin Young wrote:
>
>> Hey guys, hopefully someone out there can help me with this because I'm
>> an SELinux virgin so to speak.
>>
>> We have a RHEL v4 box running apache amongst other things. No changes
>> have been made to the standard Redhat policies.
>>
>
> I'm no expert but I am trying to wade through Apache/selinux issues as
> well.
> You might find the following "beta" document helpful:
>
> <http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-httpd-booleans>
>
> -------------------
> On Fri, 4 Mar 2005, Gavin Young wrote:
>
>> Hey guys, hopefully someone out there can help me with this because I'm
>> an SELinux virgin so to speak.
>>
>> We have a RHEL v4 box running apache amongst other things. No changes
>> have been made to the standard Redhat policies.
>>
>> We are wanting to run a perl based web app (Sql-Ledger)
>> from /usr/local/sql-ledger but SELinux is stopping us.
>>
>> With SELinux disabled it works correctly. When SELinux protection of the
>> HTTPD daemon is switched on the browser displays: Internal Server Error
>> and /var/log/messages reports
>>
>> Mar 3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc: denied
>> { execute } for pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
>> ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
>> tclass=file
>>
>> From what I can tell SELinux is stopping scripts being run from any
>> other directory apart from /var/www/cgi-bin. I have tried moving the
>> sql-ledger directory into cgi-bin but that doesn't appear to help
>> because it is still a sub-directory of cgi-bin.
>>
>
> The release notes give a hint to the right direction but doesn't directly
> talk about cgi - you need to set the file contexts of the sql-ledger stuff
> as cgi-content, something like this:
> "chcon -R -h -t httpd_sys_script_exec_t <path to sql-ledger directory>"
>
> - Panu -
>
> ----------------------
>
> What are the HTTPD Booleans set to?
>
> getsebool -a | grep httpd
>
> httpd_enable_cgi needs to be active, if it is not. That wouldn't
> generate the denial you have, so think of this as a "is it plugged in?"
> type of question.
>
>> We are wanting to run a perl based web app (Sql-Ledger)
>> from /usr/local/sql-ledger but SELinux is stopping us.
>>
>
> This is where someone could correct me for best practices advice.
>
> You want to seriously consider moving the CGI program to the appropriate
> directory. Otherwise, you are trying to give Apache execute access to
> something inside of /usr/local/ ...
>
> To do this in /usr/local/, you will need to change policy or
> relabel /usr/local/ to make this happen, which will serve to reduce
> security on the system.
>
>> With SELinux disabled it works correctly. When SELinux protection of the
>> HTTPD daemon is switched on the browser displays: Internal Server Error
>> and /var/log/messages reports
>>
>> Mar 3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc: denied
>> { execute } for pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
>> ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
>> tclass=file
>>
>> From what I can tell SELinux is stopping scripts being run from any
>> other directory apart from /var/www/cgi-bin. I have tried moving the
>> sql-ledger directory into cgi-bin but that doesn't appear to help
>> because it is still a sub-directory of cgi-bin.
>>
>
> That shouldn't be a problem. You just need to relabel the directory
> recursively. This should work, and is a good practice since it refers
> to the mapping of labels to directories/files as defined by the policy:
>
> restorecon -Rv /var/www/cgi-bin/sql-ledger/
>
> If ls -Z doesn't show that the type is httpd_sys_script_t, do this:
>
> chcon -Rv -t httpd_sys_script_t /var/www/cgi-bin/sql-ledger/
>
>> This problem must have come up before... Any help would be much
>> appreciated.
>>
>
> Yeah, almost qualifies for a FAQ.
>
> Future updates to the Red Hat SELinux Guide[1] will likely address
> Apache more thoroughly.
>
> - Karsten
> [1]
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html
>
> HTH
>
> Marcus O.
>
What avc messages are you seeing? With httpd_enable_homedirs turned on
apache should be able to read your homedirs.
If you are seeing file_t in your /var/log/audit/audit.log then you
probably need to relabel your system.
touch /.autorelabel
reboot
--
Thanks, Daniel!
Still stumped. I've reduced this to a simple case that can be executed on
any FC4 box (updated via yum) that has the httpd RPM and SELinux, so that
you might be able to look on your machine.

[root@powell imageFromCGI_test]# /usr/sbin/httpd -V
<expected to see server version, etc, but no response>
[root@powell imageFromCGI_test]# /usr/sbin/setenforce 0
<try again with SELinux off>
[root@powell imageFromCGI_test]# /usr/sbin/httpd -V
Server version: Apache/2.0.54
Server built: Sep 2 2005 11:54:18
<snip>
[root@powell imageFromCGI_test]# /usr/sbin/setenforce 1
<SELinux back on>
[root@powell imageFromCGI_test]# /usr/sbin/httpd -V
[root@powell imageFromCGI_test]#

Output of grep AVC /var/log/audit/audit.log now ends with:

type=AVC msg=audit(1135317046.340:535): avc: granted { setenforce } for pid=8452 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC msg=audit(1135317060.595:536): avc: granted { setenforce } for pid=8454 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security

Shouldn't there have been a message following the last line saying my
execution of /usr/sbin/httpd -V was denied?

Output of getsebool -a | grep httpd is still:

allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> active
httpd_enable_cgi --> active
httpd_enable_ftp_server --> inactive
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

Any ideas? Clearly, I'm missing something, here.
-al
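Added example, not code from the thread or from any of its posters: a small Python parser for the two AVC record shapes quoted above, the kernel/syslog form that reaches /var/log/messages ("kernel: audit(...): avc: denied { execute } for ...") and the auditd form in /var/log/audit/audit.log ("type=AVC msg=audit(...): avc: granted ..."). It groups denials by source type, target type, object class and permission, which is the unit a relabel (restorecon/chcon) or a boolean change acts on, and it lists every record for a named program, granted or denied, so the situation in the last message (no record at all for httpd -V) shows up as an empty result rather than a guess. The sample log is constructed from the records quoted in the thread plus one non-AVC line; hostnames, pids and serials are either as quoted or made up.

```python
"""Summarise SELinux AVC records from /var/log/messages or audit.log.

Added example, not code from the mailing-list thread or its participants.
It parses both record shapes quoted in the thread: the syslog form that
reaches /var/log/messages and the type=AVC form in /var/log/audit/audit.log.
"""
import re
from collections import Counter

# Constructed sample input, modelled on the records quoted in the thread.
# The SYSCALL line is there to show that non-AVC records are skipped.
SAMPLE_LOG = """\
Mar 3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc: denied { execute } for pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0 ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
type=AVC msg=audit(1135317046.340:535): avc: granted { setenforce } for pid=8452 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC msg=audit(1135317060.595:536): avc: granted { setenforce } for pid=8454 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=SYSCALL msg=audit(1135317060.595:536): arch=40000003 syscall=4 success=yes exit=1
"""

# Common core of both record shapes: the audit(ts:serial) stamp, the
# decision, the permission set in braces, then the key=value fields.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<result>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<rest>.*)$"
)
# key=value, where the value may be a quoted string (comm="setenforce").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field (third component) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one log line; return a dict for an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = context_type(rec[ctx])
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, keeping only the AVC records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def records_for_program(records, program):
    """AVC records (granted or denied) whose comm or exe basename is program.

    An empty result for a program you just ran means no AVC record was
    written for it at all, which is a different problem from a denial.
    """
    return [
        r for r in records
        if r.get("comm") == program
        or r.get("exe", "").rsplit("/", 1)[-1] == program
    ]


def summarise_denials(records):
    """Count denials by (source type, target type, class, permission).

    A labelling problem shows up as an (httpd_t, <unexpected type>, file,
    <perm>) entry, which is what restorecon or chcon on the path corrects.
    """
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r.get("scontext_type"), r.get("tcontext_type"),
                    r.get("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, tgt, cls, perm), n in summarise_denials(recs).items():
        print(f"{n:3d} denied  {src} -> {tgt}  {cls}:{perm}")
    print("records mentioning httpd:", len(records_for_program(recs, "httpd")))
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/audit/audit.log (or the audit lines from /var/log/messages on a system without auditd); the summary keys map directly onto the fix: a source of httpd_t against a file type such as usr_t or user_home_t points at labelling, while a permission on a socket or network class points at one of the httpd booleans.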