Hi,
I'm trying to allow apache to read a user folder as follows:
% semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
However I still get:
May 9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc: denied { search } for pid=4103 comm="httpd" name="data" dev=hda4 ino=2121605 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
This is what semanage reports:
% semanage fcontext -l | grep zope
/home/zopeuser/data(/.*)?    all files    system_u:object_r:httpd_t:s0
I know you can do that with audit2allow by generating modules from the error messages. Indeed I cached four errors, generated four modules, then finally I combined them into this:
---> zopefull.te
module zopefull 1.0;

require {
        type httpd_t;
        type user_home_t;
        class file read;
        class file getattr;
        class lnk_file read;
        class dir search;
}

#============= httpd_t ==============
allow httpd_t user_home_t:file read;
allow httpd_t user_home_t:file getattr;
allow httpd_t user_home_t:lnk_file read;
allow httpd_t user_home_t:dir search;
<--- zopefull.te
Which indeed worked; however, I think it is a complicated and long way, and it does much more than what I want; in fact this gives httpd access to all user folders and not just to the desired one. Is it possible to do this with semanage? By the way, I'm using Fedora Core 6 without X and kernel 2.6.20-1.2948.
Best regards
Josef Meile
On 2007-05-09, Josef Meile jmeile@hotmail.com wrote:
> I'm trying to allow apache to read a user folder as follows:
> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
semanage doesn't update the labels of existing files. So you'll need to run "restorecon -R /home/zopeuser/data" before this will work.
-jf
Hi Jan
>> I'm trying to allow apache to read a user folder as follows:
>> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> semanage doesn't update the labels of existing files. So you'll need to run "restorecon -R /home/zopeuser/data" before this will work.
I did what you suggested; however, lots of messages like this appeared:
restorecon set context /home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0 failed:'Permission denied'
Then I tried: fixfiles restore
But again I got lots of errors like this:
/sbin/setfiles: unable to relabel /home/zopeuser/data/certs/demoCA to system_u:object_r:httpd_t:s0 /home/zopeuser/data/certs/demoCA/crl: Permission denied
Even this doesn't work:
% touch /.autorelabel
% reboot
But this is what I got in the message log after rebooting:
May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
May 9 22:16:39 my_host kernel: audit(1178741787.834:60): avc: denied { read } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.834:61): avc: denied { search } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
Up to here I don't know what to do. Unfortunately, most documentation I found talks about using the "Security Level and Firewall" menu entry from Gnome, but I don't have X, nor do I want to install it.
Thanks for the reply anyway.
On Wed, 2007-05-09 at 22:09 +0200, Josef Meile wrote:
> Hi Jan
> >> I'm trying to allow apache to read a user folder as follows:
> >> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> > semanage doesn't update the labels of existing files. So you'll need to run "restorecon -R /home/zopeuser/data" before this will work.
> I did what you suggested; however, lots of messages like this appeared:
> restorecon set context /home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0 failed:'Permission denied'
> Then I tried: fixfiles restore
> But again I got lots of errors like this:
> /sbin/setfiles: unable to relabel /home/zopeuser/data/certs/demoCA to system_u:object_r:httpd_t:s0 /home/zopeuser/data/certs/demoCA/crl: Permission denied
> Even this doesn't work:
> % touch /.autorelabel
> % reboot
> But this is what I got in the message log after rebooting:
> May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
> May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> May 9 22:16:39 my_host kernel: audit(1178741787.834:60): avc: denied { read } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
> May 9 22:16:39 my_host kernel: audit(1178741787.834:61): avc: denied { search } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
httpd_t is a domain for a process, not a type for a file. You shouldn't be trying to label a file with it.
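Stephen's point can be read straight out of the AVC records quoted above: httpd_t shows up as the acting domain (scontext) in the first denial and as a directory's label (tcontext) in the setfiles denials, and the "associate" denial says the policy does not treat it as a file type at all. The following Python is an added example (not code from the thread) that parses such kernel AVC lines and flags exactly that pattern; the sample input is the three denials quoted in the thread.

```python
import re

# Constructed sample input: the httpd denial and two of the setfiles denials
# quoted in this thread, copied as they appear in the posts.
AVC_SAMPLE = """\
May 9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc: denied { search } for pid=4103 comm="httpd" name="data" dev=hda4 ino=2121605 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

FILE_CLASSES = {"dir", "file", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one kernel AVC line into a dict; None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in KV_RE.findall(m.group(2)):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):  # user:role:type:level -> keep the type
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def domains_used_as_file_labels(records):
    """Types seen as the acting domain (scontext) of one denial and as the label
    of a file-class object (tcontext) of another: a domain wrongly put on files."""
    # in an 'associate' denial the scontext is the file's own type, so skip those
    domains = {r["scontext_type"] for r in records if r.get("tclass") != "filesystem"}
    labels = {r["tcontext_type"] for r in records if r.get("tclass") in FILE_CLASSES}
    return domains & labels

def unassociable_types(records):
    """Types denied 'associate' with a filesystem: the policy does not treat them
    as file types, which is why setfiles/restorecon could not apply httpd_t."""
    return {r["scontext_type"] for r in records
            if "associate" in r["perms"] and r.get("tclass") == "filesystem"}

if __name__ == "__main__":
    recs = [r for r in map(parse_avc, AVC_SAMPLE.splitlines()) if r]
    for t in sorted(domains_used_as_file_labels(recs) | unassociable_types(recs)):
        print(f"{t} is a process domain, not a file type; use a *_content_t type instead")
```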
Hi Stephen
> httpd_t is a domain for a process, not a type for a file. You shouldn't be trying to label a file with it.
Ok, then is httpd_sys_content_t the right one? I solved it as follows:
semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
chcon -R -t httpd_sys_content_t /home/zopeuser/data
It works now, but is it the correct way?
Regards
Josef
On 2007-05-09, Josef Meile jmeile@hotmail.com wrote:
> Ok, then is httpd_sys_content_t the right one? I solved it as follows:
> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> chcon -R -t httpd_sys_content_t /home/zopeuser/data
The semanage command should have set httpd_sys_content_t, not httpd_t.
semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?"
restorecon -R /home/zopeuser/data
... I guess the restorecon will fail on a few symlinks again, but get the rest right. I'd prefer restorecon over "chcon -t" just to make sure the labeling rules are right, and won't get wrong if you ever do a full "touch /.autorelabel".
-jf
> The semanage command should have set httpd_sys_content_t, not httpd_t.
> semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?"
> restorecon -R /home/zopeuser/data
> ... I guess the restorecon will fail on a few symlinks again, but get the rest right. I'd prefer restorecon over "chcon -t" just to make sure the labeling rules are right, and won't get wrong if you ever do a full "touch /.autorelabel".
Yup, that works too. Thanks
Josef
> Ok, then is httpd_sys_content_t the right one? I solved it as follows:
> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> chcon -R -t httpd_sys_content_t /home/zopeuser/data
> It works now, but is it the correct way?
A small correction there. It should be
semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
chcon -R -t httpd_sys_content_t /home/zopeuser
If you don't give access to the user's root directory, then apache will still fail.
On Wed, 2007-05-09 at 23:16 +0200, Josef Meile wrote:
>> Ok, then is httpd_sys_content_t the right one? I solved it as follows:
>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>> chcon -R -t httpd_sys_content_t /home/zopeuser/data
>> It works now, but is it the correct way?
> A small correction there. It should be
> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> chcon -R -t httpd_sys_content_t /home/zopeuser
> If you don't give access to the user's root directory, then apache will still fail.
The semanage command should also use httpd_sys_content_t, and you should run restorecon -R /home/zopeuser/data after the semanage command rather than using chcon. semanage adds the entry to the system's file_contexts.local mapping, and restorecon then consults the system's file contexts files to determine the right context to apply.
Do you really want to allow apache to fully access the user's home directory? If you just want to allow search access so that it can traverse the user home directory to reach the data subdirectory, there should be a boolean (httpd_enable_homedirs) that you can enable.
Hi Stephen
>>> Ok, then is httpd_sys_content_t the right one? I solved it as follows:
>>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>>> chcon -R -t httpd_sys_content_t /home/zopeuser/data
>>> It works now, but is it the correct way?
>> A small correction there. It should be
>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>> chcon -R -t httpd_sys_content_t /home/zopeuser
>> If you don't give access to the user's root directory, then apache will still fail.
> The semanage command should also use httpd_sys_content_t, and you should run restorecon -R /home/zopeuser/data after the semanage command rather than using chcon. semanage adds the entry to the system's file_contexts.local mapping, and restorecon then consults the system's file contexts files to determine the right context to apply.
Yes, you are right. That's what Jan-Frode Myklebust pointed me to in a previous post, and that's what I finally did. It is working now.
> Do you really want to allow apache to fully access the user's home directory?
No, I don't. Finally I gave apache access to the /home/zopeuser folder and full access to /home/zopeuser/data as follows:
#Apache will be able to access the folder but not the files inside it
semanage fcontext -a -f -d -t httpd_sys_content_t "/home/zopeuser"
#Apache will be able to access all this folder, its files and subfolders
semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?"
#apply changes
restorecon -R /home/zopeuser
> If you just want to allow search access so that it can traverse the user home directory to reach the data subdirectory, there should be a boolean (httpd_enable_homedirs) that you can enable.
I'm aware of that boolean and it seems to be the simplest solution; however, I have other user folders which I don't want apache to access, so I opted for the semanage alternative.
Thanks and have a nice day
Josef
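To make the final labeling scheme concrete, here is an added Python model (not code from the thread or from SELinux itself) of the two semanage rules Josef ends with. It shows why the directory-only rule on /home/zopeuser is needed for httpd to traverse to data (the same gap that produced the original `search` denial on a user_home_t directory), and that sibling folders such as /home/zopeuser/.ssh keep their default label. DEFAULT_TYPE, HTTPD_READABLE and the assumption that /home itself is traversable are simplifications standing in for the system's file_contexts and the httpd policy.

```python
import re

# Constructed model (not code from the thread) of the file-context rules Josef
# ends up with. DEFAULT_TYPE and HTTPD_READABLE are simplifying assumptions
# standing in for the system's file_contexts and the httpd policy.
DATA_RULE = (r"/home/zopeuser/data(/.*)?", None, "httpd_sys_content_t")  # all files
PARENT_RULE = (r"/home/zopeuser", "d", "httpd_sys_content_t")  # semanage -f -d: dirs only
FINAL_RULES = [PARENT_RULE, DATA_RULE]
DEFAULT_TYPE = "user_home_t"              # what everything else under /home keeps
HTTPD_READABLE = {"httpd_sys_content_t"}  # types httpd_t may search/read here

def expected_type(path, is_dir, specs):
    """Label restorecon would apply under `specs` (regex, file type, SELinux type).
    file_contexts regexes match the whole path, hence fullmatch. The rules
    modelled here do not overlap, so the first match is taken."""
    for regex, ftype, setype in specs:
        if ftype == "d" and not is_dir:
            continue  # a directory-only rule never labels plain files
        if re.fullmatch(regex, path):
            return setype
    return DEFAULT_TYPE

def httpd_can_reach(path, is_dir, specs):
    """httpd needs 'search' on every directory from /home/zopeuser down to the
    target, so each ancestor's label matters, not only the target's own.
    /home itself is assumed traversable and is skipped."""
    parts = path.strip("/").split("/")
    for depth in range(2, len(parts)):  # ancestors below /home
        ancestor = "/" + "/".join(parts[:depth])
        if expected_type(ancestor, True, specs) not in HTTPD_READABLE:
            return False
    return expected_type(path, is_dir, specs) in HTTPD_READABLE

if __name__ == "__main__":
    for rules, label in (([DATA_RULE], "data rule only"), (FINAL_RULES, "final rules")):
        ok = httpd_can_reach("/home/zopeuser/data/index.html", False, rules)
        print(f"{label}: httpd reaches /home/zopeuser/data/index.html -> {ok}")
    print("sibling folder:", expected_type("/home/zopeuser/.ssh", True, FINAL_RULES))
```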
selinux@lists.fedoraproject.org