SELinux/httpd integration

Colin Walters walters at redhat.com
Mon Nov 22 18:05:53 UTC 2004


On Sun, 2004-11-21 at 18:11 -0500, Yuichi Nakamura wrote:
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> > >audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 
> > >exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 
> > >scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
> > Policy has been updated to allow this.  Please update to 
> > selinux-policy-targeted-1.17.30-2.26 or greater.
> 
> I looked at selinux-policy-strict|targeted-sources-1.19.4-1,
> and found the following statements.
> if (httpd_enable_cgi && httpd_unified ) {
> ...
> allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
> ..
> }
> 
> I think it is allowing too much.

You think the boolean should not exist?  Or just think it should grant
fewer permissions?

> It will be hard for users to guess "httpd_unified" means "allowing httpd full access to all contents".

My hope is that anyone who wants to do SELinux/Apache work on Fedora
will either
1) Read the Fedora Apache/SELinux guide, where this is documented
2) Understand enough about SELinux to understand what the union of a
permission set means.

> A separate boolean like "httpd_content_writable" should be prepared.
> # I am not sure the name is good..

A different boolean?  I don't think that's all that useful because most
users will either:

1) Want CGI scripts to execute as well
2) Understand enough about labeling to turn the boolean off and label
things with the stronger types (httpd_sys_script_exec_t,
httpd_sys_script_rw_t).  

> And I think, like "httpd_sys_script_rw_t",
> "httpd_rw_t" would be useful in using PHP (such as wiki, xoops).
> Users can allow write permission only by modifying types.

Well, this is certainly arguable, but my feeling is that the current
default Fedora Apache policy configuration hits a kind of sweet spot
where a lot of things should be able to work out of the box, without
users having to necessarily understand "chcon".  If every user, even one
just serving static files or doing simple CGI scripts, had to learn about
relabeling, we might have more users turning the Apache enforcement off.

In the future though, once FC3 and experience with SELinux have
percolated into the experience of the general community and we have
better documentation, etc., we could consider turning the httpd_unified
boolean off by default for FC4.
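The following is an added example, not code from this thread or from the Fedora policy package: a small Python model of the quoted boolean-gated allow rule, run over the AVC denial quoted at the top of the thread, to show what "the union of a permission set" means in practice. The membership of the httpdcontent attribute and the rules that apply when httpd_unified is off are simplified assumptions for illustration, not a copy of selinux-policy-1.19.4.

```python
import re

# Assumed (simplified) membership of the httpdcontent attribute.
HTTPDCONTENT = {"httpd_sys_content_t", "httpd_sys_script_rw_t",
                "httpd_sys_script_ro_t", "httpd_sys_script_exec_t"}
# The permission set from the quoted "allow httpd_t httpdcontent:file" rule.
UNIFIED_PERMS = {"create", "ioctl", "read", "getattr", "lock", "write",
                 "setattr", "append", "link", "unlink", "rename"}
# Assumed rules that apply regardless of httpd_unified: static content is
# read-only, and only the dedicated rw type is writable by httpd_t.
BASE_RULES = {
    "httpd_sys_content_t": {"read", "getattr", "lock", "ioctl"},
    "httpd_sys_script_rw_t": set(UNIFIED_PERMS),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Extract denied permissions, source/target types and class from an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m.group("perms").split()),
            "stype": m.group("scontext").split(":")[2],   # user:role:type
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}

def allowed_perms(stype, ttype, tclass, httpd_enable_cgi=True, httpd_unified=True):
    """Permissions the model grants a process of type stype on a file of type ttype."""
    if stype != "httpd_t" or tclass != "file":
        return set()
    perms = set(BASE_RULES.get(ttype, set()))
    # The quoted block: when both booleans are on, the full set is added for
    # every httpdcontent type, so the effective grant is the union of both rules.
    if httpd_enable_cgi and httpd_unified and ttype in HTTPDCONTENT:
        perms |= UNIFIED_PERMS
    return perms

def would_be_denied(line, **booleans):
    """Return the subset of the logged permissions the model would still deny."""
    d = parse_avc(line)
    if d is None:
        raise ValueError("not an AVC denial line")
    return d["perms"] - allowed_perms(d["stype"], d["ttype"], d["tclass"], **booleans)

# Constructed copy of the denial quoted in this thread.
DENIAL = ("audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 "
          "exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 "
          "scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file")
```

With the boolean on, the logged write to an httpd_sys_content_t file is granted; with it off, the same write is denied unless the file is relabeled to httpd_sys_script_rw_t.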
