Looking for SELinux advice regarding samba, apache
Dominick Grift
domg472 at gmail.com
Sun Mar 21 17:17:51 UTC 2010
On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:
Here are some things to take into consideration:
1. From the perspective of SELinux we do not have to do anything to give users access, since in a vanilla Fedora 12
configuration users are unconfined (exempted from SELinux).
2. We can give Samba access to read and write any content by setting boolean samba_export_all_rw true.
This means that we only have to take care of http.
Using the samba_export_all_rw boolean is essential, I believe, to meet your exotic requirements.
> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info. Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos)
As said above, by default users are unconfined wrt SELinux in a stock Fedora 12 config, thus no need to do anything here.
> and readable for apache. I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.
You should probably label data and everything below data type httpd_sys_content_t. httpd is allowed to read that type.
>
>
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the Command
> Line). I have httpd_enable_cgi=>on in order to support this. Context is
> unchanged from default configs. Desire r/w access through Samba from my user
> machine for editing the scripts using Notepad++.
Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in the httpd_sys_script_t domain. Samba can read and write any content if samba_export_all_rw is set.
The use of the samba_export_all_rw boolean is discouraged since obviously samba will be able to write almost any file.
However you do not have much choice unless you modify policy in a major way.
I would probably use openssh to edit these scripts.
>
> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above when required. This data
> doesn't have to persist across rebuilds. There are different subdirectories
> for the different supported thumbnail sizes and each subdir needs to be
> r/w for apache. Context from / is:
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_t:s0 var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180
If your Perl web script needs to create files in existing subdirectories in thumbnails/ then I would label these subdirectories type httpd_sys_content_rw_t and set httpd_anon_write to true.
Samba will be able to read and write to these files and types since the samba_export_all_rw allows samba to read and write almost any type.
>
> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to. Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.
If you set samba_export_all_rw to true then you do not need the public_content_(rw)_types, since samba will be able to read and write almost any file and type. In that case I believe you can set allow_samba_anon_write to false.
>
> Now on to the "what broke" question. Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos. Generally I access it through a symlink in my homedir:
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.
If this is at all SELinux related ( see if it works in permissive mode to rule in or rule out SELinux) then it would
help if you enclose an AVC denial. Some denials are hidden use semodule -DB to expose hidden denials and semodule -B to go back to the original state.
> I Obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now. But if anyone has advice, please offer!
I would probably attempt to implement a solution that does not require samba_export_all_rw to be set true since that
is very coarse.
However with your requirements this is the only simple way.
I would probably use openssh wherever possible. That may be just enough to be able to set samba_export_all_rw to false.
Another solution would be to perform serious surgery to Fedora policy. You would create special types and a special web app domain and give both apache and samba the permissions required.
>
> --Toby Ovod-Everett
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
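As an added example (not code from either poster), a dry-run shell plan for the labelling, booleans and denial check suggested above; the paths are those from Toby's listings, the 180x180 thumbnail size is the one shown there and any other sizes are assumed:

```shell
#!/bin/sh
# Added example: plan the SELinux changes discussed in the thread and print
# them (DRY_RUN=1, the default) or execute them (DRY_RUN=0, as root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. /data/photos: readable by httpd; Samba writes via samba_export_all_rw.
label_photos() {
    run semanage fcontext -a -t httpd_sys_content_t '/data(/.*)?'
    run restorecon -Rv /data
}

# 2. Thumbnail caches: the CGI scripts (httpd_sys_script_t) create and update
#    files here, so each size subdirectory gets httpd_sys_content_rw_t.
label_thumbnails() {
    for size in "$@"; do
        run semanage fcontext -a -t httpd_sys_content_rw_t \
            "/var/www/html/thumbnails/$size(/.*)?"
    done
    run restorecon -Rv /var/www/html/thumbnails
}

# 3. Booleans: samba_export_all_rw replaces the public_content_rw_t labels and
#    allow_smbd_anon_write; httpd_anon_write covers the thumbnail cache.
set_booleans() {
    run setsebool -P samba_export_all_rw on
    run setsebool -P httpd_anon_write on
    run setsebool -P allow_smbd_anon_write off
}

# 4. Check: expose denials hidden by dontaudit rules, search recent smbd and
#    httpd AVCs, then restore the policy. No smbd denial while the symlinked
#    share fails points at Samba rather than SELinux, as Toby suspected.
check_denials() {
    run semodule -DB
    run ausearch -m avc,user_avc -c smbd -ts recent
    run ausearch -m avc -c httpd -ts recent
    run semodule -B
}

plan() {
    label_photos; label_thumbnails 180x180; set_booleans; check_denials
}

plan
```

Run with DRY_RUN=0 only after reviewing the printed plan; every command is a standard semanage, restorecon, setsebool, semodule or ausearch invocation.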