Big brother and httpd

Tom Diehl tdiehl at rogueind.com
Mon Jun 27 13:23:30 UTC 2005


On Mon, 27 Jun 2005, Russell Coker wrote:

> On Sunday 26 June 2005 22:42, Tom Diehl <tdiehl at rogueind.com> wrote:
> > > Can you check and make sure /home/bb/bb/www is marked
> > > httpd_*_content_t, and not user_home_t...
> >
> > (pocono pts16) # la -Z /home/bb/bb/www
> > drwxr-xr-x  bb       bb       root:object_r:httpd_sys_content_t .
> > drwxr-xr-x  bb       bb       root:object_r:user_home_t        ..
> [...]
> > The bb.html and bb2.html files are created every time bb polls the
> > machines (every 5 minutes). I have tried doing
> > chcon -t httpd_sys_content_t bb?.html on them but they always change back.
> 
> Those files are apparently created somewhere else, maybe /home/bb/bb?  Maybe 
> if you run your chcon -R operation on /home/bb the results will be better.

The whole bb structure lives inside of /home/bb/bb so I just tried chcon -R on
it and no joy. SELinux will not even allow bb to start. Here are a few of the
AVC messages:

Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 27 09:05:18 pocono last message repeated 2 times
Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc:  denied  { execute_no_trans } for  pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 27 09:05:21 pocono last message repeated 2 times
Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc:  denied  { execute_no_trans } for  pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/2 dev=proc ino=131074 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/3 dev=proc ino=196610 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
...

> A change to bb might help.  You could either have it create the files in an 
> appropriate directory that has the desired label or have it chcon them after 
> creation (but before moving).  How is the bb program run?  Is it a daemon or 
> a cron job?

Daemon. It has a master daemon that calls the helper programs and shell
scripts periodically to poll the systems and generate the web pages.

> There has been some work on getting NAGIOS running under SE Linux.  It seems 
> that NAGIOS is the leading product in this area.

I agree except that IMO the user interface for bb is so much nicer for
non-technical people to grok (green is good, red is bad, etc.). The real
problem with bb is that it was bought out by Quest software several years ago
and development on the free version has all but stopped. They only provide minor
fixes for it approx once a year.

Regards,

Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com
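Added example, not part of the thread: a small Python parser that groups kernel AVC denial records like the ones quoted above by source type, target type, object class and permission set, so the execute_no_trans denial (httpd_sys_script_t executing a file labelled httpd_sys_content_t) stands out as the label mismatch rather than being lost among the devpts and /proc noise. The sample log lines are constructed from the message's entries; the explain() hints are assumptions about what each pattern means.

```python
import re
from collections import Counter

# Constructed sample lines, mirroring the AVC messages quoted in the thread.
SAMPLE_LOG = """\
Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 27 09:05:18 pocono last message repeated 2 times
Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc:  denied  { execute_no_trans } for  pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return the AVC record as a dict, or None for non-AVC lines
    such as 'last message repeated N times'."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["action"] = m.group("action")
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def summarize(log_text):
    """Count denials by (source type, target type, object class, permissions).
    The type is the third field of a context like user_u:system_r:httpd_sys_script_t."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        counts[(stype, ttype, rec["tclass"], rec["perms"])] += 1
    return counts

def explain(key):
    """Assumed hint text for the three denial patterns seen in the thread."""
    stype, ttype, tclass, perms = key
    if stype == "httpd_sys_script_t" and ttype == "httpd_sys_content_t" and "execute_no_trans" in perms:
        return "CGI domain tried to execute a file labelled as static web content"
    if ttype == "devpts_t":
        return "CGI domain tried to read/write a pseudo-terminal"
    if stype == "httpd_sys_script_t" and tclass == "dir" and ttype == "unconfined_t":
        return "CGI domain (ps) tried to read /proc entries of an unconfined process"
    return "no hint"
```

Feeding the full /var/log/messages excerpt to summarize() and printing explain() for each key gives one line per distinct (source, target, class, permissions) pattern instead of one per denial.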