SELinux, httpd and TWiki in FC3

Daniel J Walsh dwalsh at redhat.com
Thu Nov 11 16:40:07 UTC 2004


Jared W. Robinson wrote:

> Here are my notes on getting Apache & TWiki to run under SELinux. 
> Basically, I think most people will want to turn SELinux off for 
> apache, but it's not easy without turning it off for the other 
> targeted services too.
>
> First, I wanted to disable SELinux for just Apache, which is supposed 
> to be possible. I ran "system-config-securitylevel", selected the 
> "SELinux" tab, and opened the
> "transition" list, and selected "Disable Selinux protection for httpd 
> daemon",
> , clicked "ok", then restarted httpd. Unfortunately, this didn't work.

What didn't work?  What went wrong?  Do you have any AVC Messages?

>
> Second, I stopped enforcing SELinux policy, and noticed that TWiki ran 
> just fine. I'd recommend that people get their cgi scripts running 
> correctly without SELinux before trying to troubleshoot further.
>
> Third, I started enforcing SELinux policy again, and I made sure I set 
> the types appropriately for the cgi scripts and for the files the 
> scripts read/write to using
> chcon -t httpd_user_script_exec_t <cgi_scripts>
> chcon -t httpd_sys_content_t <content files and directories>

You might want to change this to
chcon -t httpd_sys_script_rw_t <content files and directories>
which would eliminate a lot of the AVC messages from below.

httpd_sys_content_t should only be for static content.

> I also used "system-config-securitylevel" and enabled some of the 
> options for Apache -- the unification of types to httpd_sys_content_t, 
> allowing of cgi scripts.
>
> Fourth, I watched /var/log/messages for "avc:  denied" messages, and 
> used audit2allow to generate rules:
> $ cd /etc/selinux/targeted/src/policy
> $ audit2allow -d -l -o domains/misc/local.te
> $ vi domains/misc/local.te
> $ make reload
> $ service httpd restart
> And I repeated this process several times, merging the appropriate new 
> rules from audit2allow into my original local.te file.
>
> Here's my local.te file that seems to work so far:
> allow httpd_sys_script_t sysctl_kernel_t:dir { search };
> allow httpd_sys_script_t sysctl_kernel_t:file { read };
> allow httpd_sys_script_t sysctl_t:dir { search };

What is asking for these?

> allow httpd_sys_script_t tmp_t:lnk_file { read };

/usr/tmp?

> allow httpd_sys_script_t httpd_sys_content_t:dir { read };
> allow httpd_sys_script_t httpd_sys_content_t:file { append };
> allow httpd_sys_script_t httpd_sys_content_t:dir { write };
> allow httpd_sys_script_t httpd_sys_content_t:file { write };
> allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
> allow httpd_sys_script_t httpd_sys_content_t:file { create };
> allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
> allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
> allow httpd_sys_script_t httpd_sys_content_t:file { rename };
> allow httpd_sys_script_t httpd_sys_content_t:file { unlink };
>
Changing httpd_sys_content_t to httpd_sys_script_rw_t would fix most of 
these?

What are the settings of httpd_unified?

> I found the following presentation to be quite helpful:
> http://web.verbum.org/selinux/linuxfest/img0.html
> http://web.verbum.org/selinux/linuxfest/text21.html (good slide)
>
> And this was also helpful:
> http://people.redhat.com/walters/selinux-apache-en/index.html
>
> In the end, I'm glad that turning off the targeted policy for httpd 
> didn't work (using system-config-securitylevel). It forced me to learn 
> more about SELinux (although I feel like I'm just beginning), and 
> hopefully, my server is more secure than before.
> - Jared
>
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
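As an added example (not part of either message in this thread, and not audit2allow's own code), a small Python script that parses AVC denials in the FC3 /var/log/messages format, merges them per (source type, target type, class) the way audit2allow does, and flags write-type denials from httpd_sys_script_t against httpd_sys_content_t as a relabelling problem rather than a candidate allow rule, which is the point made in the reply above. The log lines, hostname and inode numbers are constructed, and the set of permissions treated as "this target is not static content" is an assumption of this example, not a published SELinux definition.

```python
import re
from collections import defaultdict

# Constructed AVC denials in FC3 /var/log/messages format (sample, not from the post).
SAMPLE_LOG = """\
Nov 11 10:01:02 www kernel: audit(1100160062.101:0): avc:  denied  { write } for  pid=2311 exe=/usr/bin/perl name=data dev=hda3 ino=4101 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Nov 11 10:01:02 www kernel: audit(1100160062.102:0): avc:  denied  { add_name } for  pid=2311 exe=/usr/bin/perl name=Main.txt dev=hda3 ino=4101 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Nov 11 10:01:02 www kernel: audit(1100160062.103:0): avc:  denied  { create } for  pid=2311 exe=/usr/bin/perl name=Main.txt dev=hda3 ino=4102 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 11 10:01:03 www kernel: audit(1100160063.104:0): avc:  denied  { search } for  pid=2311 exe=/usr/bin/perl name=kernel dev= ino=0 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?scontext=\S+:(?P<stype>\w+) "
                    r"tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)")
# Assumed set of permissions that modify the target: such files are not static content.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name", "link"}

def parse_denials(log_text):
    """Return (stype, ttype, tclass, perms) tuples for every AVC denial line."""
    found = (AVC_RE.search(line) for line in log_text.splitlines())
    return [(m["stype"], m["ttype"], m["tclass"], set(m["perms"].split()))
            for m in found if m]

def summarize(denials):
    """Merge permissions per (stype, ttype, tclass), as audit2allow does."""
    summary = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        summary[(stype, ttype, tclass)] |= perms
    return dict(summary)

def recommend(summary):
    """Emit allow rules, but when a CGI script modifies httpd_sys_content_t
    recommend relabelling the writable tree instead of widening the policy."""
    rules, relabel = [], False
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        if (stype, ttype) == ("httpd_sys_script_t", "httpd_sys_content_t") and perms & WRITE_PERMS:
            relabel = True
            continue
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    if relabel:
        rules.insert(0, "# scripts write to httpd_sys_content_t; relabel rather than allow:\n"
                        "# chcon -t httpd_sys_script_rw_t <content files and directories>")
    return rules

if __name__ == "__main__":
    print("\n".join(recommend(summarize(parse_denials(SAMPLE_LOG)))))
```

Denials that survive the relabelling filter (here the sysctl_kernel_t search) are still printed as candidate rules and are the ones worth asking "what is requesting this?" about before adding them to local.te.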