SELinux, httpd and TWiki in FC3

Jared W. Robinson jwr at xmission.com
Thu Nov 11 18:07:44 UTC 2004


On Thu, Nov 11, 2004 at 11:40:07AM -0500, Daniel J Walsh wrote:
> Jared W. Robinson wrote:
> 
> >First, I wanted to disable SELinux for just Apache, which is supposed
> >to be possible. I ran "system-config-securitylevel", selected the
> >"SELinux" tab, and opened the "transition" list, and selected
> >"Disable Selinux protection for httpd daemon", clicked "ok", then
> >restarted httpd. Unfortunately, this didn't work.
> 
> What didn't work?  What went wrong?  Do you have any AVC Messages?

I'm assuming that when I selected to disable the protection for httpd,
and I select "OK" on the dialog (in system-config-securitylevel), then
httpd would run as if it weren't being restricted by SELinux anymore.
But, I still got the same AVC denied messages as before I tried to
disable it.

> >Third, I started enforcing SELinux policy again, and I made sure I set 
> >the types appropriately for the cgi scripts and for the files the 
> >scripts read/write to using
> >chcon -t httpd_user_script_exec_t <cgi_scripts>
> >chcon -t httpd_sys_content_t <content files and directories>
> 
> You might want to change this to
> chcon -t httpd_sys_script_rw_t <content files and directories>
> Which would eliminate a lot of AVC messages from below.
> 
> httpd_sys_content_t should only be for static content.

Thanks; I've now changed them.

> >Here's my local.te file that seems to work so far:
> >allow httpd_sys_script_t sysctl_kernel_t:dir { search };
> >allow httpd_sys_script_t sysctl_kernel_t:file { read };
> >allow httpd_sys_script_t sysctl_t:dir { search };
> 
> What is asking for these?

Good question. I'm assuming that it's something from one of the TWiki cgi scripts.

> >allow httpd_sys_script_t tmp_t:lnk_file { read };
> 
> /usr/tmp?

Don't know. It might be nice if the AVC messages gave full paths -- but
I guess SELinux works with objects, not paths, right?

> >allow httpd_sys_script_t httpd_sys_content_t:dir { read };
> >allow httpd_sys_script_t httpd_sys_content_t:file { append };
> >allow httpd_sys_script_t httpd_sys_content_t:dir { write };
> >allow httpd_sys_script_t httpd_sys_content_t:file { write };
> >allow httpd_sys_script_t httpd_sys_content_t:dir { add_name };
> >allow httpd_sys_script_t httpd_sys_content_t:file { create };
> >allow httpd_sys_script_t httpd_sys_content_t:file { setattr };
> >allow httpd_sys_script_t httpd_sys_content_t:dir { remove_name };
> >allow httpd_sys_script_t httpd_sys_content_t:file { rename };
> >allow httpd_sys_script_t httpd_sys_content_t:file { unlink };
> >
> Changing httpd_sys_content_t to httpd_sys_script_rw_t would fix most of 
> these?

I tried that, and turned off httpd_unified (I think), and now I get this:
Nov 11 10:56:08 myhost kernel: audit(1100195768.763:0): avc:  denied { execute } for  pid=24886 exe=/usr/sbin/httpd name=view dev=dm-1 ino=1329201 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file

What should I do about that? The "view" cgi script has user_u:object_r:httpd_sys_script_exec_t as the type.

> What is the settings of httpd_unified?

If httpd_unified correlates with the similarly named setting in system-config-securitylevel, then it is enabled (except when I turned it off for my test above).

I think I prefer to run with httpd_unified, and the local.te policy that I already have, simply because it works.

- Jared
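As an added example (not part of the thread, and not a tool Jared or Dan mentions), the following script parses AVC denial lines of the form quoted in the message, groups them into the `allow` statements used in the local.te above, and separately flags the cases where Dan's advice applies: write-type permissions against `httpd_sys_content_t` point to relabeling with `httpd_sys_script_rw_t` rather than adding a rule, and an execute denial on `httpd_sys_content_t` means the script file itself carries the content type and needs the script-exec type. The first log line is the one quoted in the message; the other three are constructed here to exercise the grouping. The set of permissions treated as "write-like" is this example's own assumption, as is the classic three-field `user:role:type` context format (no MLS field).

```python
import re
from collections import defaultdict

# First line is the denial quoted in the message; the remaining lines are
# constructed samples in the same format (not real log output).
SAMPLE_LOG = """\
Nov 11 10:56:08 myhost kernel: audit(1100195768.763:0): avc:  denied { execute } for  pid=24886 exe=/usr/sbin/httpd name=view dev=dm-1 ino=1329201 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file
Nov 11 10:56:09 myhost kernel: audit(1100195769.101:0): avc:  denied { write } for  pid=24890 exe=/usr/bin/perl name=data dev=dm-1 ino=1329300 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
Nov 11 10:56:09 myhost kernel: audit(1100195769.120:0): avc:  denied { add_name } for  pid=24890 exe=/usr/bin/perl name=data dev=dm-1 ino=1329300 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
Nov 11 10:56:10 myhost kernel: audit(1100195770.002:0): avc:  denied { search } for  pid=24890 exe=/usr/bin/perl name=kernel dev=proc ino=1 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
"""

# Permissions that imply modification of the target (assumption for this example).
WRITE_LIKE = {"write", "append", "create", "setattr", "rename",
              "unlink", "add_name", "remove_name", "link"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the parts of one AVC denial we need, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after "for" is key=value pairs; values cannot contain spaces here.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        # user:role:type -> the type is the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
    }


def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def allow_rules(rules):
    """Render the groups in the local.te syntax used in the thread."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


def relabel_advice(rules):
    """Cases where a relabel is the better fix than a new allow rule."""
    advice = []
    for (s, t, c), perms in sorted(rules.items()):
        if t != "httpd_sys_content_t":
            continue
        if perms & WRITE_LIKE:
            advice.append(f"{s} needs {sorted(perms & WRITE_LIKE)} on a "
                          f"{c} of type {t}: relabel that {c} with "
                          "chcon -t httpd_sys_script_rw_t instead of allowing writes to static content")
        if "execute" in perms:
            advice.append(f"{s} tried to execute a {c} labelled {t}: "
                          "the CGI file is still labelled as content; relabel it with "
                          "chcon -t httpd_sys_script_exec_t and confirm with ls -Z")
    return advice


if __name__ == "__main__":
    grouped = summarize(SAMPLE_LOG)
    print("\n".join(allow_rules(grouped)))
    print()
    print("\n".join(relabel_advice(grouped)))
```

Running it over the sample produces one `allow` line per (source, target, class) group and two relabel notes: the execute denial on `name=view` shows the file is still `httpd_sys_content_t` even though the writer expected `httpd_sys_script_exec_t`, which is exactly the check to make with `ls -Z` before touching policy; the sysctl searches come out only as `allow` rules, since no relabel applies to them.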