Looking for SELinux advice regarding samba, apache

Dominick Grift domg472 at gmail.com
Sun Mar 21 17:17:51 UTC 2010


On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:

Here are some things to take into consideration:

1. From the perspective of SELinux we do not have to do anything to give users access, since in a vanilla Fedora 12 configuration users are unconfined (exempt from SELinux).

2. We can give Samba access to read and write any content by setting boolean samba_export_all_rw true.

This means that we only have to take care of http.

Using the samba_export_all_rw boolean is essential, I believe, to meet your exotic requirements.

> There are three major directory trees that impact the photo system:
> 
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info.  Context from / is:
> 
> dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
> 
> /data/photos needs to be r/w for my user account (which is a member of photos)

As said above, by default users are unconfined wrt SELinux in a stock Fedora 12 config, thus there is no need to do anything here.

> and readable for apache.  I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.

You should probably label data and everything below it with type httpd_sys_content_t. httpd is allowed to read that type.

> 
> 
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the Command
> Line).  I have httpd_enable_cgi=>on in order to support this.  Context is
> unchanged from default configs.  Desire r/w access through Samba from my user
> machine for editing the scripts using Notepad++.

Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in the httpd_sys_script_t domain. Samba can read and write any content if samba_export_all_rw is set.

The use of the samba_export_all_rw boolean is discouraged since obviously samba will be able to write almost any file.
However you do not have much choice unless you modify policy in a major way.
I would probably use openssh to edit these scripts.

> 
> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above when required.  This data
> doesn't have to persist across rebuilds.  There are different subdirectories
> for the different supported thumbnail sizes and each subdir needs to be
> r/w for apache.  Context from / is:
> dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
> drwxr-xr-x. root root system_u:object_r:var_t:s0       var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root      root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180

If your perl webscript needs to create files in existing sub directories in thumbnails/, then I would label these sub directories type httpd_sys_content_rw_t and set httpd_anon_write to true.

Samba will be able to read and write to these files and types since the samba_export_all_rw allows samba to read and write almost any type.

> 
> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to.  Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on.  I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.

If you set samba_export_all_rw to true then you do not need the public_content_(rw)_types, since samba will be able to read and write almost any file and type. In that case I believe you can set allow_samba_anon_write to false.

> 
> Now on to the "what broke" question.  Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos.  Generally I access it through a symlink in my homedir:
> lrwxrwxrwx.  1 toby toby     12 2008-11-28 15:05 photos -> /data/photos
> 
> This has stopped working.  Things I tried:
> * Verifying symlinks.  I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos.  This worked.

If this is at all SELinux related (see if it works in permissive mode to rule SELinux in or out), then it would help if you enclose an AVC denial. Some denials are hidden; use semodule -DB to expose hidden denials and semodule -B to go back to the original state.

> I Obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
> 
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks.  At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now.  But if anyone has advice, please offer!

I would probably attempt to implement a solution that does not require samba_export_all_rw to be set true, since that is very coarse.

However with your requirements this is the only simple way.

I would probably use openssh wherever possible; that may be just enough to be able to set samba_export_all_rw to false.

Another solution would be to perform serious surgery on Fedora policy. You would create special types and a special web app domain and give both apache and samba the permissions required.

> 
> --Toby Ovod-Everett
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
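The labeling, boolean and denial-hunting steps suggested in the reply above, written up as an added example that is not part of the original thread. It assumes a Fedora host with semanage, restorecon, setsebool, matchpathcon and ausearch available; the paths are the ones from Toby's mail, and commands are only printed unless APPLY=1 is set.

```shell
#!/bin/bash
# Added example (not from the thread): the reply's labeling plan as shell
# functions. Commands are printed unless APPLY=1 (assumes Fedora SELinux tools).
set -eu

run() {                                   # print or execute one command
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Persistent fcontext rule plus relabel, so later restorecon runs keep it;
# a bare chcon would be undone by the next relabel.
label_tree() {                            # label_tree <type> <path>
  run semanage fcontext -a -t "$1" "$2(/.*)?"
  run restorecon -Rv "$2"
}

set_bool() { run setsebool -P "$1" "$2"; } # set_bool <boolean> <on|off>

plan() {
  label_tree httpd_sys_content_t /data                   # apache only reads originals
  label_tree httpd_sys_content_rw_t /var/www/html/thumbnails  # scripts write the cache
  set_bool httpd_anon_write on
  set_bool httpd_enable_cgi on                           # /var/www/cgi-bin stays default
  set_bool samba_export_all_rw on      # coarse: smbd may then write almost anything
  set_bool allow_smbd_anon_write off   # redundant once the line above is on
}

# Expose dontaudit'ed denials while reproducing the failure, then restore policy.
show_denials() {
  run semodule -DB
  run ausearch -m avc,user_avc -ts recent
  run semodule -B
}

ctx_type() { printf '%s\n' "$1" | awk -F: '{print $3}'; }  # type field of a context

# Does the policy's expected type for a path match the one we intended? 1 on mismatch.
verify_label() {                          # verify_label <path> <expected_type>
  [ "$(ctx_type "$(matchpathcon -n "$1")")" = "$2" ]
}

plan
```

Run `APPLY=1 ./plan.sh` as root to apply, then `verify_label /data/photos httpd_sys_content_t` to confirm the stored rule matches what the reply recommends.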