12:18 a.m.
I am trying to get Netjuke (http://www.netjuke.org/) working on FC3 with
SELinux enabled. Netjuke is a PHP-based "jukebox" application, and I
use it to stream Ogg Vorbis music files around my house. The music
files live on several separate reiserfs filesystems, which have no
security contexts at all. (These filesystems are mounted under /mnt and
symlinked into the /var/www/html tree, if it makes any difference.)
I've read through the FC3 SELinux FAQ and the man pages for setfiles,
fixfiles, and restorecon, and I've even tried playing with the options
that look nondestructive, but none the tools find anything wrong with
the current setup. What do I need to do to make these files readable
by the httpd server?
Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
6:37 a.m.
Ian Pilcher wrote:
I am trying to get Netjuke (http://www.netjuke.org/) working on FC3
with
SELinux enabled. Netjuke is a PHP-based "jukebox" application, and I
use it to stream Ogg Vorbis music files around my house. The music
files live on several separate reiserfs filesystems, which have no
security contexts at all. (These filesystems are mounted under /mnt and
symlinked into the /var/www/html tree, if it makes any difference.)
I've read through the FC3 SELinux FAQ and the man pages for setfiles,
fixfiles, and restorecon, and I've even tried playing with the options
that look nondestructive, but none the tools find anything wrong with
the current setup. What do I need to do to make these files readable
by the httpd server?
Thanks!
Look for AVC Messages in the /var/log/messages file.
You can run audit2allow -l -i /var/log/messages
They you can customize policy to allow these.
11:32 a.m.
Daniel J Walsh wrote:
Look for AVC Messages in the /var/log/messages file.
I should have posted those before. Here is an example of what happens
when httpd tries to access the reiserfs filesystem:
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied {
search } for pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied {
getattr } for pid=9106 exe=/usr/sbin/httpd path=/mnt/music1 dev=md5
ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t
tclass=dir
You can run audit2allow -l -i /var/log/messages
Here's what audit2allow says about it:
allow httpd_t bin_t:lnk_file { read };
allow httpd_t nfs_t:dir { getattr search };
allow httpd_t user_home_t:file { getattr read };
They you can customize policy to allow these.
To my *very* inexpert eye, it looks like audit2allow is telling me to
loosen the restrictions on httpd. I suppose that this is an option (as
turning SELinux off entirely for httpd), but I really want to figure out
what contexts I need to add the the music filesystems to make them
accessible by httpd under the present policy.
Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
11:41 a.m.
On Fri, 2004-11-12 at 11:32 -0600, Ian Pilcher wrote:
Daniel J Walsh wrote:
> Look for AVC Messages in the /var/log/messages file.
I should have posted those before. Here is an example of what happens
when httpd tries to access the reiserfs filesystem:
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied {
search } for pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
One approach is to mount the filesystem with the httpd_sys_content_t
type, like this:
mount -o remount,fscontext=system_u:object_r:httpd_sys_content_t /path/to/your/reiserfs
Another is to give httpd_t access to nfs_t, like this:
r_dir_file(httpd_t, nfs_t)
12:21 p.m.
Colin Walters wrote:
One approach is to mount the filesystem with the httpd_sys_content_t
type, like this:
mount -o remount,fscontext=system_u:object_r:httpd_sys_content_t /path/to/your/reiserfs
So much for printing /etc/fstab in portrait mode!
Works like a charm. Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
12:07 p.m.
Ian Pilcher wrote:
Daniel J Walsh wrote:
> Look for AVC Messages in the /var/log/messages file.
I should have posted those before. Here is an example of what happens
when httpd tries to access the reiserfs filesystem:
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied {
search } for pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t
tclass=dir
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc: denied {
getattr } for pid=9106 exe=/usr/sbin/httpd path=/mnt/music1 dev=md5
ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t
tclass=dir
> You can run audit2allow -l -i /var/log/messages
Here's what audit2allow says about it:
allow httpd_t bin_t:lnk_file { read };
allow httpd_t nfs_t:dir { getattr search };
allow httpd_t user_home_t:file { getattr read };
> They you can customize policy to allow these.
To my *very* inexpert eye, it looks like audit2allow is telling me to
loosen the restrictions on httpd. I suppose that this is an option (as
turning SELinux off entirely for httpd), but I really want to figure out
what contexts I need to add the the music filesystems to make them
accessible by httpd under the present policy.
Thanks!
Try the policy on ftp://people.redhat.com/dwalsh/SELinux/ FC3
selinux-policy-targeted-1.17.30-2.23
This is a preview of the one that will be in update 1. It has allow
rules for the NFS partition.
Dan
12:24 p.m.
Daniel J Walsh wrote:
Try the policy on ftp://people.redhat.com/dwalsh/SELinux/ FC3
Thanks for your responses. I have modified my /etc/fstab, as suggested
by Colin Walters to mount my reiserfs filesystems with the
httpd_sys_content_t type. It seems to be working, and I believe that
it does what I want to do -- mark these filesystems as data intended to
be served by Apache.
Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
7098
days inactive
7098
days old
selinux@lists.fedoraproject.org
6 comments
3 participants
participants (3)
-
Colin Walters -
Daniel J Walsh -
Ian Pilcher