SELinux: home dir is symlink, httpd from files in home dir
Colin Walters
walters at redhat.com
Thu Jan 20 02:48:30 UTC 2005
On Thu, 2005-01-20 at 11:23 +1100, Nick Urbanik wrote:
> Dear Folks,
>
> I'm totally new to SELinux, and am quite confused on a number of
> points.
>
> I took the plunge and enabled SELinux on this FC3 box.
> Problem is with Apache.
Have you read the Fedora Apache guide?
http://fedora.redhat.com/docs/selinux-apache-fc3/
It's slightly out of date but still informative, I think.
> I have symlinks pointing to my home
> directory,
This will cause a number of problems. Many programs are given the
permissions 'getattr' and 'search' on user_home_dir_t:dir, so they can
access the toplevel home directory but not necessarily anything
contained in it. The ":dir" part here is important, as it means the
permissions are restricted to directories with that type; symlinks are
not allowed.
I wonder why you're symlinking into /opt, but assuming for now that's
what you have to do, one solution might be to use bind mounts instead of
symlinks:
rm /home/nicku
mkdir /home/nicku
mount -obind /opt/nicku /home/nicku
You can add the bind mount to /etc/fstab so it's done automatically.
Another (very hackish) approach might be to label the /home/nicku
symlink with a type such as usr_t; most domains have permission to read
usr_t:lnk_file (i.e. symlink).
That's about all I can think of, short of modifying the policy sources.
> 1. How do I solve my problem about httpd access to
> /opt/nicku/work/teaching/ict/ossi securely?
I hope the above helps.
> 2. Where should I put my modifications to the policy?
If you choose to modify policy, the right solution I think is to label
the /home/nicku symlink with the type user_home_dir_t, and add the
permissions like:
allow <domain> user_home_dir_type:lnk_file { getattr read };
Substitute particular domains such as httpd_t for <domain>.
When I modify policy, I tend to put my modifications in a local.te file.
> 3. What attribute should I give to the symlink /home/nicku?
user_home_dir_t.
> /etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc:
>
> /opt/lost\+found(/.*)? system_u:object_r:lost_found_t
> /opt/nicku -d system_u:object_r:user_home_dir_t
> /opt/nicku/.+ system_u:object_r:user_home_t
> /opt/ogg(/.*)? system_u:object_r:default_t
> /opt/pub(/.*)? system_u:object_r:default_t
Hmm; using the default_t type seems a bit wrong, but I can't think
offhand of something better.
> /opt/nicku/public_htm(/.*)? system_u:object_r:httpd_user_content_t
Right.
> THIS IS CERTAINLY IN THE WRONG PLACE? WHERE SHOULD IT GO?
No, that's fine.
> cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te
Reasonable, although I like using a well-commented local.te personally.
> # to give access to /home/nicku:
> # This looks BAD by removing SELinux protection of all symlinks:
> allow httpd_t default_t:lnk_file { getattr read };
It doesn't remove protection of all symlinks, but it does mean that
Apache can read symlinks that aren't assigned a label by the
file_contexts regexps (i.e. are given the default_t type). Given that
you're using default_t for a lot of data, I wouldn't recommend this
permission.
> # to give access to /opt/pub:
> allow httpd_t var_t:lnk_file { getattr read };
I'd use bind mounts instead of permissions like this, personally. But
this one probably isn't too harmful.
> # to give access to /opt/nicku/{photos,work/{ossi,snm}}
> allow httpd_t user_home_t:lnk_file { getattr read };
This is bad; the data should be labeled as httpd_user_content_t.
> make reload complained till I touched this file:
>
> ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
> -rw-r--r-- 1 root root 0 Jan 20 07:51 /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
Yeah; use misc/local.te instead, or the like. te files in program
require a corresponding .fc file to be enabled.
> What should I do to enable httpd access to /ossi?
>
> Here's what SELinux says:
>
> Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { search } for pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
> Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { getattr } for pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Any data you want httpd to access needs to be one of the types outlined
in the Fedora Apache/SELinux guide, such as httpd_user_content_t.
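The advice above (turn the AVC denials into candidate rules, then decide whether each one should be fixed by relabeling the data rather than by widening httpd_t) can be mechanized. The script below is an added example, not code from Colin's reply, the Fedora guide or the SELinux policy sources. It parses "avc: denied" lines the way audit2allow does, merges the permissions per (source domain, target type, class), and then classifies each rule using the thread's own criteria: httpd_t access to user_home_t or default_t means the content should be labeled httpd_user_content_t instead; var_t is tolerated but a bind mount is preferred; user_home_dir_t:lnk_file is the one symlink rule Colin considers acceptable. The first two log lines are the ones quoted in the thread; the third (a lnk_file denial) is constructed to exercise the symlink case.

```shell
#!/bin/sh
# Added example: AVC denial -> candidate allow rule -> "relabel or allow?"
# The sample below is constructed: lines 1-2 are from the thread, line 3
# is an invented lnk_file denial of the kind symlinks into ~ produce.
AVC_SAMPLE='Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { search } for pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { getattr } for pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:21 nicku kernel: audit(1106178801.100:0): avc: denied { read } for pid=6133 exe=/usr/sbin/httpd name=photos dev=sda1 ino=5620040 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=lnk_file'

# avc_to_allow: read "avc: denied" lines on stdin and print one
# "allow <src_type> <tgt_type>:<class> { perms };" per distinct triple,
# with the permissions from all matching denials merged in order seen.
# Only the type field (third colon-separated component) of each context
# is kept, which is what a policy allow rule needs.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0;   sub(/.*scontext=/, "", src);      sub(/ .*/, "", src)
        tgt = $0;   sub(/.*tcontext=/, "", tgt);      sub(/ .*/, "", tgt)
        cls = $0;   sub(/.*tclass=/, "", cls);        sub(/ .*/, "", cls)
        split(src, a, ":"); src = a[3]
        split(tgt, b, ":"); tgt = b[3]
        key = src SUBSEP tgt SUBSEP cls
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END {
        for (key in seen) {
            split(key, k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], seen[key]
        }
    }' | sort
}

# review_rules: classify each allow rule on stdin according to the advice
# in the thread. The categories are this example'"'"'s encoding of that
# advice, not something the policy tools emit.
review_rules() {
    while read -r rule; do
        case "$rule" in
            "allow httpd_t user_home_dir_t:lnk_file "*)
                echo "OK:       $rule   (symlink in /home labeled user_home_dir_t)" ;;
            "allow httpd_t user_home_t:"*|"allow httpd_t default_t:"*)
                echo "RELABEL:  $rule   (label the data httpd_user_content_t instead)" ;;
            "allow httpd_t var_t:"*)
                echo "TOLERATE: $rule   (prefer a bind mount over this)" ;;
            *)
                echo "REVIEW:   $rule" ;;
        esac
    done
}

# Stand-alone run: show what the sample denials would turn into.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | review_rules
```

Anything the script prints as RELABEL is the case Colin describes at the end: the fix is a file_contexts entry (or a bind mount) plus restorecon, not a line in local.te.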