Neophyte question re: httpd under SELinux

Al Pacifico pacifico at drizzle.com
Wed Dec 21 15:44:37 UTC 2005 

Marcus-

Thanks for your response.

This helped some, I think, but I still have my issues. 

The URL
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizin
g.html#sn-httpd-booleans didn't contribute much.

Output of ls -Z showed directories of my .../test directory as
user_u:object_r:user_home_t.

Changing context with chcon -Rv -t httpd_sys_script_t ./test (as root) did
not work... lot of permission denied messages. My machine has a multidisk
setup and /home is its own partition or disk; not sure if that matters.

Output of getsebool -a | grep httpd is:

allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> active
httpd_enable_cgi --> active
httpd_enable_ftp_server --> inactive
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

I totally agree with the comment about placing files in the correct places,
on a production machine. However, numerous apache modules come with testing
suites that use the system httpd executable (appropriately) in other
locations.

I'm starting to believe that I should either use setenforce 0 when
developing. If I do that, and forget to turn it back on, will there be some
ugly ramifications later? I have to halt httpd from the console using ctrl-C
because of the -X option, so I can't just stick setenforce 1 in my script.
(Hmm.... how do I trap ctrl-C in a bash script?) I could switch to testing
with lighttpd for CGI and SCGI, but I do need to test some apache modules
for which that is not an option.

Two things I still don't unmderstand:
Why doesn't the "Disable SELinux protection for httpd daemon" checkbox just
take care of the problem?
My /var/log/messages didn't help me... doesn't show all those permission
denied messages when I tried to recusively change the context in my .../test
directory. Should I be looking elsewhere? Do I need to tell SELinux
something?

I'm sorry if my questions are pretty basic; I definitely fall in the
category of 80% just want to get the job done and 20% want to know more.

Thanks.
-al 

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Marcus O. White
Sent: Wednesday, December 21, 2005 2:20 AM
To: fedora-selinux-list at redhat.com
Subject: Re: Neophyte question re: httpd under SELinux

On Tue, 2005-12-20 at 22:26 -0800, Al Pacifico wrote:
> I'm working on a CGI program in C, but recently SELinux seems to have
> tripped me up.
> 
> I started with Tom Boutell's cgic and an example CGI program (provided in
> his source tree) that generates a JPEG on the fly. It ran fine months back
> with the following script:
> 
> dir=$(dirname $0) 
> /usr/sbin/httpd -X -k start -d $dir -e debug
> 
> on my FC4 machine.
> 
> Now, it's time to start testing the program I wrote, but my Apache
(version
> 2.0.54, installed from Fedora RPM, if it matters) won't start unless I
> execute /usr/sbin/setenforce 0 before executing my script. (it took me a
> while to figure that one out!). In fact, /usr/sbin/httpd -v won't even
work.
> I'm sure the SELinux policy has updated via yum since times when it
worked,
> and that explains the change. I tried checking "Disable SELinux protection
> for httpd daemon" in the system-config-securitylevel dialog and
relabelling
> my filesystems, but I still need to execute /usr/sbin/setenforce 0
> beforehand to run my script that starts httpd with my CGI program.
> 
> If it helps, the example CGI program (not the one I've written, but Tom
> Boutell's that formerly ran) is in the directory 
> 
> /home/myuser/Development/myproject/imageFromCGI_test/test 
> 
> and 
> 
> ls -l /home/myuser/Development/myproject/imageFromCGI_test/test outputs
> 
> total 52
> drwxrwxr-x  2 myuser apache 4096 Sep  9 10:03 cgi-bin
> drwxrwxr-x  2 myuser apache 4096 Sep  9 13:07 conf
> -rwxr-xr-x  1 root root     63 Dec 20 14:38 debug_CGI
> drwxrwxr-x  2 myuser apache 4096 Sep  9 12:08 htdocs
> drwxrwxr-x  2 myuser apache 4096 Sep  9 12:04 logs
> lrwxrwxrwx  1 root root     18 Sep  9 09:52 modules -> /etc/httpd/modules
> drwxrwxr-x  2 myuser apache 4096 Sep  9 12:04 run
> 
> (probably only makes sense if you're accustomed to configuring apache;
this
> directory is essentially the argument to the Apache ServerRoot directive).
> 
> I inferred that the directory might be important since /sbin/service httpd
> start works fine, regardless of state of aforementioned checkbox.
> 
> What bugs me is that I don't get any kind of warning... apache just never
> starts.
> Q: How do I get warnings? (grep avc /var/log/messages was of no help to my
> pea-brain)
> Q: What else do I need to change to alter this behavior?
> 
> I understand that for a production machine, SELinux is a good thing. I
> hadn't installed it when I used FC2 and hadn't had much problem with FC3
or
> with FC4 until yesterday. I have to believe there is a better way than
just
> turning it off.
> 
> Thanks.
> -al
> 
> Al Pacifico
> Seattle, WA
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

>From RHEL list:

Gavin Young wrote:
> Hey guys, hopefully someone out there can help me with this because
I'm
> an SELinux virgin so to speak.
> 
> We have a RHEL v4 box running apache amongst other things. No changes
> have been made to the standard Redhat policies. 

I'm no expert but I am trying to wade through Apache/selinux issues as
well.
You might find the following "beta" document helpful:

<http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizi
ng.html#sn-httpd-booleans>

-------------------
On Fri, 4 Mar 2005, Gavin Young wrote:

> Hey guys, hopefully someone out there can help me with this because
I'm
> an SELinux virgin so to speak.
>
> We have a RHEL v4 box running apache amongst other things. No changes
> have been made to the standard Redhat policies.
>
> We are wanting to run a perl based web app (Sql-Ledger)
> from /usr/local/sql-ledger but SELinux is stopping us.
>
> With SELinux disabled it works correctly. When SELinux protection of
the
> HTTPD daemon is switched on the browser displays: Internal Server
Error
> and /var/log/messages reports
>
> Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied
> { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
> ino=9228595 scontext=root:system_r:httpd_t
tcontext=root:object_r:usr_t
> tclass=file
>
>> From what I can tell SELinux is stopping scripts being run from any
> other directory apart from /var/www/cgi-bin. I have tried moving the
> sql-ledger directory into cgi-bin but that doesn't appear to help
> because it is still a sub-directory of cgi-bin.

The release notes give a hint to the right direction but doesn't
directly 
talk about cgi - you need to set the file contexts of the sql-ledger
stuff 
as cgi-content, something like this:
"chcon -R -h -t httpd_sys_script_exec_t <path to slq-ledger directory>"

        - Panu -

----------------------

What are the HTTPD Booleans set to?

getsebool -a | grep httpd

httpd_enable_cgi needs to be active, if it is not.  That wouldn't
generate the denial you have, so think of this as a "is it plugged in?"
type of question.

> We are wanting to run a perl based web app (Sql-Ledger)
> from /usr/local/sql-ledger but SELinux is stopping us.

This is where someone could correct me for best practices advise.

You want to seriously consider moving the CGI program to the appropriate
directory.  Otherwise, you are trying to give Apache execute access to
something inside of /usr/local/ ...

To do this in /usr/local/, you will need to change policy or
relabel /usr/local/ to make this happen, which will serve to reduce
security on the system.

> With SELinux disabled it works correctly. When SELinux protection of
the
> HTTPD daemon is switched on the browser displays: Internal Server
Error
> and /var/log/messages reports
> 
> Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied
> { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
> ino=9228595 scontext=root:system_r:httpd_t
tcontext=root:object_r:usr_t
> tclass=file
> 
> >From what I can tell SELinux is stopping scripts being run from any
> other directory apart from /var/www/cgi-bin. I have tried moving the
> sql-ledger directory into cgi-bin but that doesn't appear to help
> because it is still a sub-directory of cgi-bin.

That shouldn't be a problem.  You just need to relabel the directory
recursively.  This should work, and is a good practice since it refers
to the mapping of labels to directories/files as defined by the policy:

restorecon -Rv /var/www/cgi-bin/sql-ledger/

If ls -Z doesn't show that the type is httpd_sys_script_t, do this:

chcon -Rv -t httpd_sys_script_t /var/www/cgi-bin/sql-ledger/

> This problem must have come up before... Any help would be much
> appreciated.

Yeah, almost qualifies for a FAQ.

Future updates to the Red Hat SELinux Guide[1] will likely address
Apache more thoroughly.

- Karsten
[1]
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/in
dex.html

HTH

Marcus O.


--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

More information about the fedora-selinux-list mailing list