SELinux, httpd and TWiki in FC3

Jared W. Robinson jwr at xmission.com
Thu Nov 11 14:38:24 UTC 2004


Here are my notes on getting Apache & TWiki to run under SELinux. Basically, I think most people will want to turn SELinux off for apache, but it's not easy without turning it off for the other targeted services too.

First, I wanted to disable SELinux for just Apache, which is supposed to be possible. I ran "system-config-securitylevel", selected the "SELinux" tab, opened the "transition" list, selected "Disable Selinux protection for httpd daemon", clicked "ok", then restarted httpd. Unfortunately, this didn't work.

Second, I stopped enforcing SELinux policy, and noticed that TWiki ran just fine. I'd recommend that people get their cgi scripts running correctly without SELinux before trying to troubleshoot further.

Third, I started enforcing SELinux policy again, and I made sure I set the types appropriately for the cgi scripts and for the files the scripts read/write, using:
chcon -t httpd_user_script_exec_t <cgi_scripts>
chcon -t httpd_sys_content_t <content files and directories>
I also used "system-config-securitylevel" and enabled some of the options for Apache -- the unification of types to httpd_sys_content_t, allowing of cgi scripts.

Fourth, I watched /var/log/messages for "avc:  denied" messages, and used audit2allow to generate rules:
$ cd /etc/selinux/targeted/src/policy
$ audit2allow -d -l -o domains/misc/local.te
$ vi domains/misc/local.te
$ make reload
$ service httpd restart
And I repeated this process several times, merging the appropriate new rules from audit2allow into my original local.te file.

Here's my local.te file that seems to work so far:
allow httpd_sys_script_t sysctl_kernel_t:dir { search };
allow httpd_sys_script_t sysctl_kernel_t:file { read };
allow httpd_sys_script_t sysctl_t:dir { search };
allow httpd_sys_script_t tmp_t:lnk_file { read };
allow httpd_sys_script_t httpd_sys_content_t:dir { read };
allow httpd_sys_script_t httpd_sys_content_t:file { append };
allow httpd_sys_script_t httpd_sys_content_t:dir { write };
allow httpd_sys_script_t httpd_sys_content_t:file { write };
allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
allow httpd_sys_script_t httpd_sys_content_t:file { create };
allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
allow httpd_sys_script_t httpd_sys_content_t:file { rename };
allow httpd_sys_script_t httpd_sys_content_t:file { unlink };

I found the following presentation to be quite helpful:
http://web.verbum.org/selinux/linuxfest/img0.html
http://web.verbum.org/selinux/linuxfest/text21.html (good slide)

And this was also helpful:
http://people.redhat.com/walters/selinux-apache-en/index.html

In the end, I'm glad that turning off the targeted policy for httpd didn't work (using system-config-securitylevel). It forced me to learn more about SELinux (although I feel like I'm just beginning), and hopefully, my server is more secure than before.

- Jared
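As an added illustration of the fourth step above (example code, not from Jared's post or from the Fedora audit2allow tool), here is a small Python parser that does the core of what audit2allow does with the "avc:  denied" records in /var/log/messages: it groups denials by source type, target type and object class, merges the permissions into one allow line per triple (the way the local.te rules above were merged by hand), and flags the triples whose rule would let CGI scripts modify their target. The log lines are constructed samples in the FC3-era format (user:role:type contexts, no MLS field); hostnames, pids and inode numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in the FC3-era /var/log/messages format
# (syslog prefix, kernel audit stamp, avc record). Not real log data.
SAMPLE_LOG = """\
Nov 11 09:01:02 wiki kernel: audit(1100170862.101:0): avc:  denied  { search } for  pid=2201 exe=/usr/bin/perl name=kernel dev= ino=1 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Nov 11 09:01:02 wiki kernel: audit(1100170862.102:0): avc:  denied  { read } for  pid=2201 exe=/usr/bin/perl name=WebHome.txt dev=hda3 ino=41020 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Nov 11 09:01:03 wiki kernel: audit(1100170863.010:0): avc:  denied  { write } for  pid=2201 exe=/usr/bin/perl name=WebHome.txt dev=hda3 ino=41020 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Nov 11 09:01:03 wiki kernel: audit(1100170863.011:0): avc:  denied  { write add_name } for  pid=2201 exe=/usr/bin/perl name=data dev=hda3 ino=41000 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
Nov 11 09:01:04 wiki kernel: audit(1100170864.000:0): avc:  denied  { write } for  pid=2201 exe=/usr/bin/perl name=WebHome.txt dev=hda3 ino=41020 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
"""

# Pull the permission set, both contexts and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that let the source domain alter the target object.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
               "setattr", "add_name", "remove_name"}

def type_of(context):
    """Type field of a user:role:type security context (no MLS field in FC3)."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denials into {(src_type, tgt_type, tclass): set(perms)}; repeats collapse."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules

def to_te(rules):
    """Render one allow line per (src, tgt, class), ready to merge into local.te."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

def write_access(rules):
    """Triples whose rule would let the source modify the target; review these before merging."""
    return sorted(k for k, p in rules.items() if p & WRITE_PERMS)

if __name__ == "__main__":
    print("\n".join(to_te(parse_denials(SAMPLE_LOG))))
```

Running it on a real /var/log/messages instead of SAMPLE_LOG gives the merged form of the rules audit2allow emits one permission at a time; the write_access list is the set to look at hardest before a `make reload`.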