
Re: How best get rid of SELinux?



On 9/23/07, Tim <ignored_mailbox yahoo com au> wrote:
> On Sun, 2007-09-23 at 01:11 -0500, Arthur Pemberton wrote:
> > It takes less than a minute to find out 'man chcon':
> > http://linux.die.net/man/1/chcon
>
> chcon wasn't referred to in the list of see also man files at the bottom
> of the selinux man file.  More hunting would have been required to know
> about that command.  It's just another part of the obscureness of it.
> At the very least, I'd expect man selinux to get me started with the
> things I needed to know.

Fair enough. But chcon is the tool one uses to manually change the
context. Considering one only needs to know what the contexts mean if
they're going to manually change them, then one should have come
across chcon.

The Selinux tutorial can be scanned in about 10-15 mins for those who
actually need to change things - most people don't.

> > u -> user
> > r -> role
> > t -> type
> >
> > Manual modification of the security contexts isn't really expected of
> > most people.
>
> You need to know how to understand what's there when you're trying to
> work out why you can't serve something, etc.  And they're still not
> particularly coherent with the example I gave.

Use Case
* Tim wants to use Fedora to play around with Apache
* Tim installs Fedora + Apache with Selinux in targeted mode
* Tim is up and running with the default Fedora-Apache test page on :80
* Tim copies a file from /home/tim to /var/log/www (let's say with nautilus)
* When file is dropped into /var/www/html, restorecond automatically
changes the file's context to the minimal context required for http to
access a file
* For some reason, restorecond didn't do the job, so apache can't read
Tim's added file
* Tim gets HTTP errors at http://localhost/test.html indicating that
the file can't be accessed
* Tim checks apache's logs for information on why the file isn't
being served, and finds that Apache itself can't read the file
* So Tim checks /var/log/messages for information
* Tim had decided not to install setroubleshoot upon original
installation of Fedora
* So Tim finds quite verbose avc_denied messages which he doesn't
understand, and would prefer not to learn to understand
* So Tim installs setroubleshoot via his method of choice
* With setroubleshoot now running, Tim recreates the event, and
setroubleshoot prints a message to /var/log/messages asking Tim to run
a specific command for information on the SELinux denial, and how to
fix it.
* Tim copies and pastes the command into a terminal and hits RETURN
* Tim is given a brief breakdown on why SELinux denied this particular action
* Tim is also given the exact command necessary to fix the problem
which he copies and pastes into a terminal and executes
* Tim attempts http://localhost/test.html again, and it works

( I'm not sure what circumstances would cause the file to not be auto
relabeled )

> >>> Or a PNG file in my webserver directory:
> >>> user_u:object_r:httpd_sys_content_t
>
> That PNG is user user, object role, HTTP system content type?  WTF!
> What the hell is an object role, and how is a PNG file a system
> anything?

A content item accessible to the httpd system

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
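
Added example, not part of the original message or of any SELinux tool: a small Python reader for the "avc: denied" lines mentioned in the use case, which splits each context into the user/role/type fields discussed in the thread. The log line is constructed for illustration, and the function names (split_context, parse_avc, explain) are hypothetical.

```python
import re

# Constructed sample of the kind of denial that lands in /var/log/messages
# when httpd cannot read a file that kept its home-directory label.
SAMPLE = ('kernel: audit(1190527871.412:57): avc:  denied  { getattr } for  '
          'pid=2417 comm="httpd" path="/var/www/html/test.html" dev=dm-0 '
          'ino=1966123 scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=user_u:object_r:user_home_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level] into named parts (level is optional)."""
    parts = ctx.split(':', 3)  # an MLS level may itself contain ':'
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return dict(zip(('user', 'role', 'type', 'level'), parts))

def parse_avc(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        'tclass': fields.get('tclass'),
        'source': split_context(fields['scontext']),  # the process (domain)
        'target': split_context(fields['tcontext']),  # the object it touched
    }

def explain(d):
    """One-line summary: who was denied what, on which object and label."""
    return ('%s (domain %s) was denied %s on %s %s, which is labelled type %s'
            % (d['comm'], d['source']['type'], '/'.join(d['perms']),
               d['tclass'], d['path'], d['target']['type']))

if __name__ == '__main__':
    print(explain(parse_avc(SAMPLE)))
```

The type field of the target context is the part that matters under the targeted policy: here the file still carries user_home_t rather than the httpd_sys_content_t shown for the PNG above.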

