Here are my notes on getting Apache & TWiki to run under SELinux. Basically, I think most people will want to turn SELinux off for apache, but it's not easy without turning it off for the other targeted services too.
First, I wanted to disable SELinux for just Apache, which is supposed to be possible. I ran "system-config-securitylevel", selected the "SELinux" tab, opened the "transition" list, selected "Disable Selinux protection for httpd daemon", clicked "ok", then restarted httpd. Unfortunately, this didn't work.
Second, I stopped enforcing SELinux policy, and noticed that TWiki ran just fine. I'd recommend that people get their cgi scripts running correctly without SELinux before trying to troubleshoot further.
Third, I started enforcing SELinux policy again, and I made sure I set the types appropriately for the cgi scripts and for the files the scripts read/write to using

    chcon -t httpd_user_script_exec_t <cgi_scripts>
    chcon -t httpd_sys_content_t <content files and directories>

I also used "system-config-securitylevel" and enabled some of the options for Apache -- the unification of types to httpd_sys_content_t, allowing of cgi scripts.
Fourth, I watched /var/log/messages for "avc: denied" messages, and used audit2allow to generate rules:

    $ cd /etc/selinux/targeted/src/policy
    $ audit2allow -d -l -o domains/misc/local.te
    $ vi domains/misc/local.te
    $ make reload
    $ service httpd restart

And I repeated this process several times, merging the appropriate new rules from audit2allow into my original local.te file.
Here's my local.te file that seems to work so far:

    allow httpd_sys_script_t sysctl_kernel_t:dir { search };
    allow httpd_sys_script_t sysctl_kernel_t:file { read };
    allow httpd_sys_script_t sysctl_t:dir { search };
    allow httpd_sys_script_t tmp_t:lnk_file { read };
    allow httpd_sys_script_t httpd_sys_content_t:dir { read };
    allow httpd_sys_script_t httpd_sys_content_t:file { append };
    allow httpd_sys_script_t httpd_sys_content_t:dir { write };
    allow httpd_sys_script_t httpd_sys_content_t:file { write };
    allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
    allow httpd_sys_script_t httpd_sys_content_t:file { create };
    allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
    allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
    allow httpd_sys_script_t httpd_sys_content_t:file { rename };
    allow httpd_sys_script_t httpd_sys_content_t:file { unlink };
I found the following presentation to be quite helpful: http://web.verbum.org/selinux/linuxfest/img0.html http://web.verbum.org/selinux/linuxfest/text21.html (good slide)
And this was also helpful: http://people.redhat.com/walters/selinux-apache-en/index.html
In the end, I'm glad that turning off the targeted policy for httpd didn't work (using system-config-securitylevel). It forced me to learn more about SELinux (although I feel like I'm just beginning), and hopefully, my server is more secure than before.
- Jared
Jared W. Robinson wrote:
> Here are my notes on getting Apache & TWiki to run under SELinux. Basically, I think most people will want to turn SELinux off for apache, but it's not easy without turning it off for the other targeted services too.
>
> First, I wanted to disable SELinux for just Apache, which is supposed to be possible. I ran "system-config-securitylevel", selected the "SELinux" tab, opened the "transition" list, selected "Disable Selinux protection for httpd daemon", clicked "ok", then restarted httpd. Unfortunately, this didn't work.
What didn't work? What went wrong? Do you have any AVC Messages?
> Second, I stopped enforcing SELinux policy, and noticed that TWiki ran just fine. I'd recommend that people get their cgi scripts running correctly without SELinux before trying to troubleshoot further.
>
> Third, I started enforcing SELinux policy again, and I made sure I set the types appropriately for the cgi scripts and for the files the scripts read/write to using
>
>     chcon -t httpd_user_script_exec_t <cgi_scripts>
>     chcon -t httpd_sys_content_t <content files and directories>

You might want to change this to

    chcon -t httpd_sys_script_rw_t <content files and directories>

which would eliminate a lot of the AVC messages below.
httpd_sys_content_t should only be for static content.
> I also used "system-config-securitylevel" and enabled some of the options for Apache -- the unification of types to httpd_sys_content_t, allowing of cgi scripts.
>
> Fourth, I watched /var/log/messages for "avc: denied" messages, and used audit2allow to generate rules:
>
>     $ cd /etc/selinux/targeted/src/policy
>     $ audit2allow -d -l -o domains/misc/local.te
>     $ vi domains/misc/local.te
>     $ make reload
>     $ service httpd restart
>
> And I repeated this process several times, merging the appropriate new rules from audit2allow into my original local.te file.
>
> Here's my local.te file that seems to work so far:
>
>     allow httpd_sys_script_t sysctl_kernel_t:dir { search };
>     allow httpd_sys_script_t sysctl_kernel_t:file { read };
>     allow httpd_sys_script_t sysctl_t:dir { search };
What is asking for these?
>     allow httpd_sys_script_t tmp_t:lnk_file { read };
/usr/tmp?
>     allow httpd_sys_script_t httpd_sys_content_t:dir { read };
>     allow httpd_sys_script_t httpd_sys_content_t:file { append };
>     allow httpd_sys_script_t httpd_sys_content_t:dir { write };
>     allow httpd_sys_script_t httpd_sys_content_t:file { write };
>     allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
>     allow httpd_sys_script_t httpd_sys_content_t:file { create };
>     allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
>     allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
>     allow httpd_sys_script_t httpd_sys_content_t:file { rename };
>     allow httpd_sys_script_t httpd_sys_content_t:file { unlink };
Changing httpd_sys_content_t to httpd_sys_script_rw_t would fix most of these?
What are the settings of httpd_unified?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thu, Nov 11, 2004 at 11:40:07AM -0500, Daniel J Walsh wrote:
> Jared W. Robinson wrote:
> > First, I wanted to disable SELinux for just Apache, which is supposed to be possible. I ran "system-config-securitylevel", selected the "SELinux" tab, opened the "transition" list, selected "Disable Selinux protection for httpd daemon", clicked "ok", then restarted httpd. Unfortunately, this didn't work.
>
> What didn't work? What went wrong? Do you have any AVC Messages?
I'm assuming that when I selected to disable the protection for httpd, and I select "OK" on the dialog (in system-config-securitylevel), then httpd would run as if it weren't being restricted by SELinux anymore. But, I still got the same AVC denied messages as before I tried to disable it.
> > Third, I started enforcing SELinux policy again, and I made sure I set the types appropriately for the cgi scripts and for the files the scripts read/write to using
> >
> >     chcon -t httpd_user_script_exec_t <cgi_scripts>
> >     chcon -t httpd_sys_content_t <content files and directories>
>
> You might want to change this to
>
>     chcon -t httpd_sys_script_rw_t <content files and directories>
>
> which would eliminate a lot of the AVC messages below.
>
> httpd_sys_content_t should only be for static content.
Thanks; I've now changed them.
> > Here's my local.te file that seems to work so far:
> >
> >     allow httpd_sys_script_t sysctl_kernel_t:dir { search };
> >     allow httpd_sys_script_t sysctl_kernel_t:file { read };
> >     allow httpd_sys_script_t sysctl_t:dir { search };
>
> What is asking for these?
Good question. I'm assuming that it's something from one of the TWiki cgi scripts.
> >     allow httpd_sys_script_t tmp_t:lnk_file { read };
>
> /usr/tmp?
Don't know. It might be nice if the AVC messages gave full paths -- but I guess SELinux works with objects, not paths, right?
> >     allow httpd_sys_script_t httpd_sys_content_t:dir { read };
> >     allow httpd_sys_script_t httpd_sys_content_t:file { append };
> >     allow httpd_sys_script_t httpd_sys_content_t:dir { write };
> >     allow httpd_sys_script_t httpd_sys_content_t:file { write };
> >     allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
> >     allow httpd_sys_script_t httpd_sys_content_t:file { create };
> >     allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
> >     allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
> >     allow httpd_sys_script_t httpd_sys_content_t:file { rename };
> >     allow httpd_sys_script_t httpd_sys_content_t:file { unlink };
>
> Changing httpd_sys_content_t to httpd_sys_script_rw_t would fix most of these?
I tried that, and turned off httpd_unified (I think), and now I get this:

    Nov 11 10:56:08 myhost kernel: audit(1100195768.763:0): avc: denied { execute } for pid=24886 exe=/usr/sbin/httpd name=view dev=dm-1 ino=1329201 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file
What should I do about that? The "view" cgi script has user_u:object_r:httpd_sys_script_exec_t as the type.
> What are the settings of httpd_unified?

If httpd_unified correlates with the similarly named setting in system-config-securitylevel, then it is enabled (except when I turned it off for my test above).
I think I prefer to run with httpd_unified, and the local.te policy that I already have, simply because it works.
- Jared
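Added example (not code from either poster, and not audit2allow itself): a small Python parser for the FC3-era "avc: denied" syslog lines of the shape Jared quotes above. It does the merge step from the audit2allow loop in step four, collapsing denials into allow rules per (source type, target type, class), but it also flags the denials that Dan's replies say are better fixed by relabeling than by adding policy: a script in httpd_sys_script_t writing under httpd_sys_content_t (relabel the data to httpd_sys_script_rw_t, since httpd_sys_content_t is for static content), and httpd trying to execute a file that the AVC shows labelled httpd_sys_content_t (the CGI should carry a *_script_exec_t type, as the "view" script did). The `locate_command` helper answers the "full paths" remark: the 2004-era message only carries dev/ino, so it builds a `find -inum` command for a mount point you supply. All log lines in SAMPLE_LOG are constructed; only the first mirrors the real one from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines in the FC3-era "avc: denied" format. The first
# mirrors the denial quoted in the thread; the others are made up for illustration.
SAMPLE_LOG = """\
Nov 11 10:56:08 myhost kernel: audit(1100195768.763:0): avc:  denied  { execute } for  pid=24886 exe=/usr/sbin/httpd name=view dev=dm-1 ino=1329201 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file
Nov 11 10:57:01 myhost kernel: audit(1100195821.101:0): avc:  denied  { write add_name } for  pid=24890 exe=/usr/bin/perl name=data dev=dm-1 ino=1329300 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
Nov 11 10:57:01 myhost kernel: audit(1100195821.105:0): avc:  denied  { create } for  pid=24890 exe=/usr/bin/perl name=WebHome.txt dev=dm-1 ino=1329301 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file
Nov 11 10:57:02 myhost kernel: audit(1100195822.007:0): avc:  denied  { read } for  pid=24890 exe=/usr/bin/perl name=tmp dev=dm-1 ino=12 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
Nov 11 10:58:00 myhost kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that show a script treating the target as writable data rather than static content.
SCRIPT_WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
                      "setattr", "add_name", "remove_name"}


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    name = re.search(r"\bname=(\S+)", line)
    ino = re.search(r"\bino=(\d+)", line)
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type; the type is the third field.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "name": name.group(1) if name else None,
        "ino": int(ino.group(1)) if ino else None,
    }


def allow_rules(log_text):
    """Merge denials into one allow rule per (source type, target type, class), audit2allow-style."""
    merged = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in merged.items()]


def relabel_hints(log_text):
    """Return (file name, suggested type, reason) for denials a relabel fixes better than a rule."""
    hints = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if (d["stype"] == "httpd_sys_script_t" and d["ttype"] == "httpd_sys_content_t"
                and set(d["perms"]) & SCRIPT_WRITE_PERMS):
            hints.append((d["name"], "httpd_sys_script_rw_t",
                          "script writes to it; httpd_sys_content_t is for static content only"))
        elif (d["stype"] == "httpd_t" and d["ttype"] == "httpd_sys_content_t"
                and "execute" in d["perms"]):
            hints.append((d["name"], "httpd_sys_script_exec_t",
                          "httpd tried to execute a file labelled as static content; check it with ls -Z"))
    return hints


def locate_command(denial, mountpoint):
    """Build a find(1) command that maps the AVC's inode number back to a path under mountpoint.
    The device name (e.g. dm-1) tells you which filesystem; the mount point is supplied by the caller."""
    return "find %s -xdev -inum %d" % (mountpoint, denial["ino"])


if __name__ == "__main__":
    print("# rules audit2allow would emit:")
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    print("# denials better fixed by relabeling:")
    for name, new_type, why in relabel_hints(SAMPLE_LOG):
        print("chcon -t %s <path of %s>   # %s" % (new_type, name, why))
    print(locate_command(parse_avc(SAMPLE_LOG.splitlines()[0]), "/var/www"))
```

The point of splitting `allow_rules` from `relabel_hints` is the one Dan makes: every line audit2allow emits is a permanent widening of policy, so before merging a rule into local.te, check whether the denial is really a labeling mistake, in which case a `chcon` on the files fixes it without loosening anything.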