Neophyte question re: httpd under SELinux

Daniel J Walsh dwalsh at redhat.com
Thu Dec 22 20:32:51 UTC 2005


Al Pacifico wrote:
> Marcus-
>
> Thanks for your response.
>
> This helped some, I think, but I still have my issues. 
>
> The URL
> http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-httpd-booleans
> didn't contribute much.
>
> Output of ls -Z showed directories of my .../test directory as
> user_u:object_r:user_home_t.
>
> Changing context with chcon -Rv -t httpd_sys_script_t ./test (as root) did
> not work... lot of permission denied messages. My machine has a multidisk
> setup and /home is its own partition or disk; not sure if that matters.
>
> Output of getsebool -a | grep httpd is:
>
> allow_httpd_anon_write --> inactive
> allow_httpd_sys_script_anon_write --> inactive
> httpd_builtin_scripting --> active
> httpd_can_network_connect --> inactive
> httpd_disable_trans --> active
> httpd_enable_cgi --> active
> httpd_enable_ftp_server --> inactive
> httpd_enable_homedirs --> active
> httpd_ssi_exec --> active
> httpd_suexec_disable_trans --> inactive
> httpd_tty_comm --> inactive
> httpd_unified --> active
>
> I totally agree with the comment about placing files in the correct places,
> on a production machine. However, numerous apache modules come with testing
> suites that use the system httpd executable (appropriately) in other
> locations.
>
> I'm starting to believe that I should either use setenforce 0 when
> developing. If I do that, and forget to turn it back on, will there be some
> ugly ramifications later? I have to halt httpd from the console using ctrl-C
> because of the -X option, so I can't just stick setenforce 1 in my script.
> (Hmm.... how do I trap ctrl-C in a bash script?) I could switch to testing
> with lighttpd for CGI and SCGI, but I do need to test some apache modules
> for which that is not an option.
>
> Two things I still don't understand:
> Why doesn't the "Disable SELinux protection for httpd daemon" checkbox just
> take care of the problem?
> My /var/log/messages didn't help me... doesn't show all those permission
> denied messages when I tried to recursively change the context in my .../test
> directory. Should I be looking elsewhere? Do I need to tell SELinux
> something?
>
> I'm sorry if my questions are pretty basic; I definitely fall in the
> category of 80% just want to get the job done and 20% want to know more.
>
> Thanks.
> -al 
>
> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com
> [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Marcus O. White
> Sent: Wednesday, December 21, 2005 2:20 AM
> To: fedora-selinux-list at redhat.com
> Subject: Re: Neophyte question re: httpd under SELinux
>
> On Tue, 2005-12-20 at 22:26 -0800, Al Pacifico wrote:
>   
>> I'm working on a CGI program in C, but recently SELinux seems to have
>> tripped me up.
>>
>> I started with Tom Boutell's cgic and an example CGI program (provided in
>> his source tree) that generates a JPEG on the fly. It ran fine months back
>> with the following script:
>>
>> dir=$(dirname $0) 
>> /usr/sbin/httpd -X -k start -d $dir -e debug
>>
>> on my FC4 machine.
>>
>> Now, it's time to start testing the program I wrote, but my Apache (version
>> 2.0.54, installed from Fedora RPM, if it matters) won't start unless I
>> execute /usr/sbin/setenforce 0 before executing my script. (it took me a
>> while to figure that one out!). In fact, /usr/sbin/httpd -v won't even work.
>> I'm sure the SELinux policy has updated via yum since times when it worked,
>> and that explains the change. I tried checking "Disable SELinux protection
>> for httpd daemon" in the system-config-securitylevel dialog and relabelling
>> my filesystems, but I still need to execute /usr/sbin/setenforce 0
>> beforehand to run my script that starts httpd with my CGI program.
>>
>> If it helps, the example CGI program (not the one I've written, but Tom
>> Boutell's that formerly ran) is in the directory 
>>
>> /home/myuser/Development/myproject/imageFromCGI_test/test 
>>
>> and 
>>
>> ls -l /home/myuser/Development/myproject/imageFromCGI_test/test outputs
>>
>> total 52
>> drwxrwxr-x  2 myuser apache 4096 Sep  9 10:03 cgi-bin
>> drwxrwxr-x  2 myuser apache 4096 Sep  9 13:07 conf
>> -rwxr-xr-x  1 root root     63 Dec 20 14:38 debug_CGI
>> drwxrwxr-x  2 myuser apache 4096 Sep  9 12:08 htdocs
>> drwxrwxr-x  2 myuser apache 4096 Sep  9 12:04 logs
>> lrwxrwxrwx  1 root root     18 Sep  9 09:52 modules -> /etc/httpd/modules
>> drwxrwxr-x  2 myuser apache 4096 Sep  9 12:04 run
>>
>> (probably only makes sense if you're accustomed to configuring apache; this
>> directory is essentially the argument to the Apache ServerRoot directive).
>>
>> I inferred that the directory might be important since /sbin/service httpd
>> start works fine, regardless of state of aforementioned checkbox.
>>
>> What bugs me is that I don't get any kind of warning... apache just never
>> starts.
>> Q: How do I get warnings? (grep avc /var/log/messages was of no help to my
>> pea-brain)
>> Q: What else do I need to change to alter this behavior?
>>
>> I understand that for a production machine, SELinux is a good thing. I
>> hadn't installed it when I used FC2 and hadn't had much problem with FC3 or
>> with FC4 until yesterday. I have to believe there is a better way than just
>> turning it off.
>>
>> Thanks.
>> -al
>>
>> Al Pacifico
>> Seattle, WA
>>
>>
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>     
>
> From RHEL list:
>
> Gavin Young wrote:
>   
>> Hey guys, hopefully someone out there can help me with this because I'm
>> an SELinux virgin so to speak.
>>
>> We have a RHEL v4 box running apache amongst other things. No changes
>> have been made to the standard Redhat policies.
>
> I'm no expert but I am trying to wade through Apache/selinux issues as
> well.
> You might find the following "beta" document helpful:
>
> <http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-httpd-booleans>
>
> -------------------
> On Fri, 4 Mar 2005, Gavin Young wrote:
>
>   
>> Hey guys, hopefully someone out there can help me with this because I'm
>> an SELinux virgin so to speak.
>>
>> We have a RHEL v4 box running apache amongst other things. No changes
>> have been made to the standard Redhat policies.
>>
>> We are wanting to run a perl based web app (Sql-Ledger)
>> from /usr/local/sql-ledger but SELinux is stopping us.
>>
>> With SELinux disabled it works correctly. When SELinux protection of the
>> HTTPD daemon is switched on the browser displays: Internal Server Error
>> and /var/log/messages reports
>>
>> Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied
>> { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
>> ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
>> tclass=file
>>
>>
>> From what I can tell SELinux is stopping scripts being run from any
>> other directory apart from /var/www/cgi-bin. I have tried moving the
>> sql-ledger directory into cgi-bin but that doesn't appear to help
>> because it is still a sub-directory of cgi-bin.
>>     
>
> The release notes give a hint to the right direction but don't directly
> talk about cgi - you need to set the file contexts of the sql-ledger stuff
> as cgi-content, something like this:
> "chcon -R -h -t httpd_sys_script_exec_t <path to sql-ledger directory>"
>
>         - Panu -
>
> ----------------------
>
> What are the HTTPD Booleans set to?
>
> getsebool -a | grep httpd
>
> httpd_enable_cgi needs to be active, if it is not.  That wouldn't
> generate the denial you have, so think of this as a "is it plugged in?"
> type of question.
>
>   
>> We are wanting to run a perl based web app (Sql-Ledger)
>> from /usr/local/sql-ledger but SELinux is stopping us.
>>     
>
> This is where someone could correct me for best practices advice.
>
> You want to seriously consider moving the CGI program to the appropriate
> directory.  Otherwise, you are trying to give Apache execute access to
> something inside of /usr/local/ ...
>
> To do this in /usr/local/, you will need to change policy or
> relabel /usr/local/ to make this happen, which will serve to reduce
> security on the system.
>
>   
>> With SELinux disabled it works correctly. When SELinux protection of the
>> HTTPD daemon is switched on the browser displays: Internal Server Error
>> and /var/log/messages reports
>>
>> Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied
>> { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
>> ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
>> tclass=file
>>
>> From what I can tell SELinux is stopping scripts being run from any
>> other directory apart from /var/www/cgi-bin. I have tried moving the
>> sql-ledger directory into cgi-bin but that doesn't appear to help
>> because it is still a sub-directory of cgi-bin.
>>     
>
> That shouldn't be a problem.  You just need to relabel the directory
> recursively.  This should work, and is a good practice since it refers
> to the mapping of labels to directories/files as defined by the policy:
>
> restorecon -Rv /var/www/cgi-bin/sql-ledger/
>
> If ls -Z doesn't show that the type is httpd_sys_script_t, do this:
>
> chcon -Rv -t httpd_sys_script_t /var/www/cgi-bin/sql-ledger/
>
>   
>> This problem must have come up before... Any help would be much
>> appreciated.
>>     
>
> Yeah, almost qualifies for a FAQ.
>
> Future updates to the Red Hat SELinux Guide[1] will likely address
> Apache more thoroughly.
>
> - Karsten
> [1]
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html
>
> HTH
>
> Marcus O.
>
What avc messages are you seeing?  With httpd_enable_homedirs turned on 
apache should be able to read your homedirs.
If you are seeing file_t in your /var/log/audit/audit.log then you 
probably need to relabel your system. 

touch /.autorelabel
reboot

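The thread's recurring problem is reading an avc denial and mapping it to the right fix: relabel when the target is file_t, turn on httpd_enable_homedirs for content under /home, and give CGI scripts the httpd_sys_script_exec_t file type (the type in Panu's chcon command) when httpd_t is denied execute on them. The following shell script is an added example, not code from the list post or from the SELinux policy; it parses denial lines in both the syslog form (/var/log/messages) and the type=AVC form (/var/log/audit/audit.log) and prints the remedy discussed above. The first sample line is the one quoted in the thread; the other three are constructed, and the remedy wording is the example's own.

```shell
#!/bin/sh
# Added example, not from the list post or the SELinux reference policy.
# Classifies "avc: denied" lines (syslog form from /var/log/messages, or the
# type=AVC form from /var/log/audit/audit.log) and prints the remedy this
# thread discusses. Type names (httpd_t, file_t, user_home_t,
# httpd_sys_script_exec_t, httpd_sys_content_t) and the boolean
# httpd_enable_homedirs are the policy's; the remedy text is ours.

# Value of key=... from an AVC line, with audit.log's quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Denied permission inside the braces: "{ execute }" -> execute.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# Type component of a context: root:object_r:usr_t -> usr_t
# (a trailing MLS field such as :s0 does not change the third field).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line remedy for an AVC line, keyed on source domain, target type
# and denied permission.
suggest_fix() {
    _line=$1
    _sdom=$(ctx_type "$(avc_field "$_line" scontext)")
    _ttype=$(ctx_type "$(avc_field "$_line" tcontext)")
    _perm=$(avc_perm "$_line")
    _name=$(avc_field "$_line" name)

    case $_sdom in
        httpd_t|httpd_sys_script_t) ;;
        *) echo "not an httpd denial (source domain $_sdom)"; return 0 ;;
    esac

    if [ "$_ttype" = file_t ]; then
        # file_t means the object was never labeled: relabel the filesystem.
        echo "unlabeled target: touch /.autorelabel && reboot"
    elif [ "$_perm" = execute ]; then
        # CGI scripts need the script-exec file type wherever they live.
        echo "label CGI: chcon -R -h -t httpd_sys_script_exec_t <dir containing $_name>"
    elif [ "$_ttype" = user_home_t ] || [ "$_ttype" = user_home_dir_t ]; then
        echo "home dir content: setsebool -P httpd_enable_homedirs 1"
    else
        echo "label content: chcon -R -t httpd_sys_content_t <dir containing $_name>"
    fi
}

# Sample input. AVC_USR is the line quoted in this thread; the other three
# are constructed for the example.
AVC_USR='Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied  { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0 ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file'
AVC_UNLABELED='type=AVC msg=audit(1135283571.000:12): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev=hda3 ino=12345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file'
AVC_HOME='type=AVC msg=audit(1135283572.000:13): avc:  denied  { read } for  pid=2311 comm="httpd" name="test.jpg" dev=hda5 ino=67890 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file'
AVC_OTHER='type=AVC msg=audit(1135283573.000:14): avc:  denied  { write } for  pid=4100 comm="vi" name="policy" dev=hda3 ino=111 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file'

# Walk the samples the way one would walk the output of
# `grep avc /var/log/messages`.
for _l in "$AVC_USR" "$AVC_UNLABELED" "$AVC_HOME" "$AVC_OTHER"; do
    echo "$(avc_perm "$_l") on $(ctx_type "$(avc_field "$_l" tcontext)") -> $(suggest_fix "$_l")"
done
```

On a real box, feed it with `grep 'avc:  denied' /var/log/messages /var/log/audit/audit.log | while read -r l; do suggest_fix "$l"; done`. The chcon suggestions are what the thread uses; they survive only until the next relabel, so on a system that has semanage the same type should also be recorded with `semanage fcontext` so that restorecon reproduces it.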