SELinux: home dir is symlink, httpd from files in home dir

Colin Walters walters at redhat.com
Thu Jan 20 02:48:30 UTC 2005


On Thu, 2005-01-20 at 11:23 +1100, Nick Urbanik wrote:
> Dear Folks,
> 
> I'm totally new to SELinux, and am quite confused on a number of
> points.
> 
> I took the plunge and enabled SELinux on this FC3 box.
> Problem is with Apache. 

Have you read the Fedora Apache guide?

http://fedora.redhat.com/docs/selinux-apache-fc3/

It's slightly out of date but still informative, I think.

>  I have symlinks pointing to my home
> directory,

This will cause a number of problems.  Many programs are given the
permissions 'getattr' and 'search' on user_home_dir_t:dir, so they can
access the toplevel home directory but not necessarily anything
contained in it.  The ":dir" part here is important, as it means the
permissions are restricted to directories with that type; symlinks are
not allowed.

I wonder why you're symlinking into /opt, but assuming for now that's
what you have to do, one solution might be to use bind mounts instead of
symlinks:

rm /home/nicku
mkdir /home/nicku
mount -obind /opt/nicku /home/nicku

You can add the bind mount to /etc/fstab so it's done automatically.

Another (very hackish) approach might be to label the /home/nicku
symlink with a type such as usr_t; most domains have permission to read
usr_t:lnk_file (i.e. symlink).

That's about all I can think of, short of modifying the policy sources.

> 1. How do I solve my problem about httpd access to
>    /opt/nicku/work/teaching/ict/ossi securely?

I hope the above helps.

> 2. Where should I put my modifications to the policy?

If you choose to modify policy, the right solution I think is to label
the /home/nicku symlink with the type user_home_dir_t, and add the
permissions like:

allow <domain> user_home_dir_type:lnk_file { getattr read };

Substitute particular domains such as httpd_t for <domain>.

When I modify policy, I tend to put my modifications in a local.te file.

> 3. What attribute should I give to the symlink /home/nicku?

user_home_dir_t.

> /etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc:
> 
> /opt/lost\+found(/.*)?        system_u:object_r:lost_found_t
> /opt/nicku              -d    system_u:object_r:user_home_dir_t
> /opt/nicku/.+                 system_u:object_r:user_home_t
> /opt/ogg(/.*)?                system_u:object_r:default_t
> /opt/pub(/.*)?                system_u:object_r:default_t

Hmm; using the default_t type seems a bit wrong, but I can't think
offhand of something better.

> /opt/nicku/public_htm(/.*)?  system_u:object_r:httpd_user_content_t

Right.

> THIS IS CERTAINLY IN THE WRONG PLACE?  WHERE SHOULD IT GO?

No, that's fine.

> cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te

Reasonable, although I like using a well-commented local.te personally.

> # to give access to /home/nicku:
> # This looks BAD by removing SELinux protection of all symlinks:
> allow httpd_t default_t:lnk_file { getattr read };

It doesn't remove protection of all symlinks, but it does mean that
Apache can read symlinks that aren't assigned a label by the
file_contexts regexps (i.e. are given the default_t type).  Given that
you're using default_t for a lot of data, I wouldn't recommend this
permission.

> # to give access to /opt/pub:
> allow httpd_t var_t:lnk_file { getattr read };

I'd use bind mounts instead of permissions like this, personally.  But
this one probably isn't too harmful.

> # to give access to /opt/nicku/{photos,work/{ossi,snm}}
> allow httpd_t user_home_t:lnk_file { getattr read };

This is bad; the data should be labeled as httpd_user_content_t.

> make reload complained till I touched this file:
> 
> ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
> -rw-r--r--  1 root root 0 Jan 20 07:51 /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc

Yeah; use misc/local.te instead, or the like.  te files in program
require a corresponding .fc file to be enabled.

> What should I do to enable httpd access to /ossi?
> 
> Here's what SELinux says:
> 
> Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { search } for  pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
> Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { getattr } for  pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir

Any data you want httpd to access needs to be one of the types outlined
in the Fedora Apache/SELinux guide, such as httpd_user_content_t.

More information about the selinux mailing list