A common virtual web hosting setup would be a web root directory location with the following subdirectories:
    ftp
    logs
    pages
    pages/cgi-bin
Under ftp you would have all that is needed for a chroot ftp sandbox. Since each virtual host would be a different user and/or company, how does one change the sebool httpd_unified to off and get it all to work with SELinux?
On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
Well, PHP needs httpd_unified, but if you use CGI like perl or C or bash or whatever, then basically you would set the httpd_enable_cgi and httpd_builtin_scripting booleans. Then label the locations with a proper type.
for example:

    # ftp:
    /srv/ftproot(/.*)?        public_content_rw_t
    setsebool -P allow_ftpd_anon_write on              (allow ftpd to write to /srv/ftproot)
    setsebool -P allow_httpd_anon_write on             (allow httpd to write to /srv/ftproot) (for php/httpd unified)
    setsebool -P allow_httpd_sys_script_anon_write on  (allow httpd system cgi scripts to write to /srv/ftproot) (other cgi)

    # logs
    /srv/www/logs(/.*)?       httpd_sys_content_ra_t

    # static content
    /srv/www/html(/.*)?       httpd_sys_content_t

    # cgi
    /srv/www/cgi-bin(/.*)?    httpd_sys_script_exec_t
The above is just an example. It may or may not be what you would want.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Dominick Grift wrote:
I'm not sure the statement that PHP needs httpd_unified on is correct in Fedora 12. I just finished doing some testing of Mythtv with this setting turned off. I tested all TV recording, weather, and streaming video available through the web interface and it all seems to be working now. Granted, there is a lot more to a full backend Mythtv setup, but it was looking pretty good. Dan has put in two policy updates which should be out pretty soon.
I'm not done, but I also ran a quick test of squirrelmail with dovecot for off-site email access and that appears to be working. Squirrelmail is all PHP.
On Fri, Dec 04, 2009 at 06:45:39AM -0800, David Highley wrote:
Do your PHP scripts run with the httpd_sys_script_t or with the httpd_t type?
Dominick Grift wrote:
I have not had to change any labels for the PHP files. When I look at squirrelmail with ls -Z /usr/share/squirrelmail/class, I see:
    system_u:object_r:usr_t:s0
for all files. I do have httpd_builtin_scripting turned on, and httpd_can_network_connect is on.
For Mythtv I need to change /usr/share/mythtvweb/mythweb.pl to httpd_sys_script_exec_t and also /usr/share/mythtv/mythweather/scripts. Lastly, it needed /usr/mythweb/data to be httpd_sys_content_t, and the recording library storage area too if you want to be able to stream video or play with other video players.
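Pulling together Dominick's per-directory labelling example and David's ls -Z inspection of the PHP files, the following shell script is an added example and is not code from the thread or from either poster. It generalises the single /srv/ftproot listing to one tree per virtual host (root/ftp, root/logs, root/pages, root/pages/cgi-bin), records the types as persistent semanage fcontext rules, sets the booleans the thread names with httpd_unified left off, and checks ls -Z output for files that still carry the wrong type. The /srv/www/<vhost> layout, the DRY_RUN switch, and the ls -Z lines in the demo are this example's own assumptions, not anything from the list.

```shell
#!/bin/sh
# Added example, not from the list thread. Labels one virtual-host tree
# (<root>/ftp, <root>/logs, <root>/pages, <root>/pages/cgi-bin) with the
# types from Dominick's example, sets the booleans the thread names, and
# checks `ls -Z` output for files that still carry the wrong type.
# Assumptions of this example: vhost roots live under /srv/www/<vhost>,
# DRY_RUN=1 (the default) prints commands instead of running them, and the
# ls -Z lines in the demo are constructed, not captured from a real host.

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Subdirectory -> SELinux type, one pair per line, mirroring the thread.
vhost_layout() {
    printf '%s\n' \
        'ftp public_content_rw_t' \
        'logs httpd_sys_content_ra_t' \
        'pages httpd_sys_content_t' \
        'pages/cgi-bin httpd_sys_script_exec_t'
}

# Record a persistent fcontext rule for each subdirectory of $1, then
# relabel the tree so the on-disk labels match the rules.
label_vhost() {
    root=$1
    vhost_layout | while read -r sub type; do
        run semanage fcontext -a -t "$type" "$root/$sub(/.*)?"
    done
    run restorecon -R -v "$root"
}

# Booleans from the thread (Fedora 12 names; newer policies drop the
# "allow_" prefix). httpd_unified stays off so httpd_t does not get
# read/write/execute on every httpd_* content type at once.
set_booleans() {
    run setsebool -P httpd_unified off
    run setsebool -P httpd_enable_cgi on
    run setsebool -P httpd_builtin_scripting on
    run setsebool -P allow_ftpd_anon_write on
}

# Type component of a context: system_u:object_r:usr_t:s0 -> usr_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` style lines on stdin; print every entry whose type is not
# $1 and return 1 if any was found, so the caller knows a relabel is due.
check_labels() {
    awk -v want="$1" '
        BEGIN { bad = 0 }
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, p, ":")
            if (p[3] != want) {
                printf "%s is %s, expected %s\n", $NF, p[3], want
                bad = 1
            }
        }
        END { exit bad }'
}

# Demo: dry-run the labelling for one vhost, then check a constructed
# ls -Z listing in which index.php still has the generic usr_t type
# (the situation David reports for the squirrelmail files).
label_vhost /srv/www/example.com
set_booleans
printf '%s\n' \
    '-rw-r--r--. root root system_u:object_r:usr_t:s0 index.php' \
    '-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 logo.png' \
    | check_labels httpd_sys_content_t || echo "relabel needed"
```

Run it as-is to see the commands it would issue; run it with DRY_RUN=0 as root to apply them. Because the rules are recorded with semanage fcontext rather than chcon, a later restorecon or full relabel keeps the per-vhost types instead of reverting them, and check_labels gives a quick way to answer Dominick's question of which type a given script directory actually carries before deciding whether httpd_unified can stay off.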