SELinux: home dir is symlink, httpd from files in home dir
Nick Urbanik
nicku at nicku.org
Thu Jan 20 00:23:21 UTC 2005
Dear Folks,
I'm totally new to SELinux, and am quite confused on a number of
points.
I took the plunge and enabled SELinux on this FC3 box.
Problem is with Apache. I have symlinks pointing to my home
directory, and to the pub directory, publicly served by Apache.
$ ls -l /home/nicku /var/ftp/pub
lrwxrwxrwx 1 root root 12 Oct 26 14:36 /home/nicku -> ../opt/nicku
lrwxrwxrwx 1 root root 13 Oct 26 14:48 /var/ftp/pub -> ../../opt/pub
ls -Zd /opt/nicku /home/nicku
lrwxrwxrwx root root system_u:object_r:default_t /home/nicku -> ../opt/nicku
drwx-----x nicku nicku system_u:object_r:user_home_dir_t /opt/nicku
I have three main questions:
1. How do I solve my problem about httpd access to
/opt/nicku/work/teaching/ict/ossi securely?
2. Where should I put my modifications to the policy?
3. What attribute should I give to the symlink /home/nicku?
Here is what I did:
After enabling SELinux, access to http://localhost/ossi was forbidden.
I then proceeded to try to make this work. However, my fairly random
messing about is certainly not right. I don't know where I should put
my modifications. I would prefer not to change the original policy
files, but would prefer to make new ones.
Contents of
/etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc:
/opt/lost\+found(/.*)? system_u:object_r:lost_found_t
/opt/nicku -d system_u:object_r:user_home_dir_t
/opt/nicku/.+ system_u:object_r:user_home_t
/opt/ogg(/.*)? system_u:object_r:default_t
/opt/pub(/.*)? system_u:object_r:default_t
/opt/nicku/public_htm(/.*)? system_u:object_r:httpd_user_content_t
/opt/backup(/.*)? system_u:object_r:default_t
/opt/cdimage(/.*)? system_u:object_r:default_t
/opt/nicku/photos(/.*)? system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/snm(/.*)? system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/ossi(/.*)? system_u:object_r:httpd_user_content_t
THIS IS CERTAINLY IN THE WRONG PLACE? WHERE SHOULD IT GO?
cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te
# Extra stuff for apache to cope with the symbolic links to
# /opt/nicku and /opt/pub
These came from audit2allow. The first one is certainly wrong. I
should change the attribute on the symlink /home/nicku. What should I
change it to?
# to give access to /home/nicku:
# This looks BAD by removing SELinux protection of all symlinks:
allow httpd_t default_t:lnk_file { getattr read };
# to give access to /opt/pub:
allow httpd_t var_t:lnk_file { getattr read };
# to give access to /opt/nicku/{photos,work/{ossi,snm}}
allow httpd_t user_home_t:lnk_file { getattr read };
make reload complained till I touched this file:
ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
-rw-r--r-- 1 root root 0 Jan 20 07:51 /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
From httpd configuration:
Alias /ossi /home/nicku/work/teaching/ict/ossi
<Location "/ossi">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Location>
What should I do to enable httpd access to /ossi?
Here's what SELinux says:
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { search } for pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { getattr } for pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
When I do:
tail -20 /var/log/messages | audit2allow -v -i -
allow httpd_t user_home_t:dir { getattr search };
#EXE=/usr/sbin/httpd NAME=work : search
#EXE=/usr/sbin/httpd PATH=/opt/nicku/work : getattr
Where should this rule go?
I would prefer not to modify the installed
/etc/selinux/targeted/src/policy/domains/program/apache.te and
/etc/selinux/targeted/src/policy/file_contexts/program/apache.fc; I
would rather put my own customised changes in their own files so
updates to the policies can be easily installed.
--
Nick Urbanik RHCE http://nicku.org nicku(at)nicku.org
Proud ex-member of Dept. of Information & Communications Technology in
Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity
Award winner, programmed by ICT's own graduates!
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
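The post's two open questions, what label a path should carry under a file_contexts spec and whether a denial calls for a relabel or a policy change, can be checked mechanically. Below is an added example (my code, not from the post, the Fedora policy or libselinux) that parses a subset of the nicks-opt.fc entries quoted above, resolves a path to the context those entries would assign it, and triages the two AVC lines from the post plus one constructed one. It approximates matchpathcon's precedence by letting the matching entry with the longest literal prefix win, which is an assumption, not libselinux's exact algorithm; on a real box the authoritative answers come from `matchpathcon` and `restorecon -n -v`.

```python
"""Toy file_contexts matcher and AVC denial triage (added example)."""
import re
from typing import NamedTuple, Optional

# Constructed copy of a subset of the nicks-opt.fc entries quoted in the post.
NICKS_OPT_FC = r"""
/opt/lost\+found(/.*)?                     system_u:object_r:lost_found_t
/opt/nicku                              -d system_u:object_r:user_home_dir_t
/opt/nicku/.+                              system_u:object_r:user_home_t
/opt/pub(/.*)?                             system_u:object_r:default_t
/opt/nicku/photos(/.*)?                    system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/snm(/.*)?     system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/ossi(/.*)?    system_u:object_r:httpd_user_content_t
"""

# Two AVC lines from the post, plus one constructed mismatch for the relabel case.
SAMPLE_AVC = [
    "Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { search } for pid=6133 "
    "exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t "
    "tcontext=system_u:object_r:user_home_t tclass=dir",
    "Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { getattr } for pid=6133 "
    "exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t "
    "tcontext=system_u:object_r:user_home_t tclass=dir",
    # constructed: a photo file whose on-disk label disagrees with the .fc spec
    "Jan 20 10:55:00 nicku kernel: audit(1106178900.000:0): avc: denied { read } for pid=6133 "
    "exe=/usr/sbin/httpd path=/opt/nicku/photos/a.jpg dev=sda1 ino=1 scontext=user_u:system_r:httpd_t "
    "tcontext=system_u:object_r:user_home_t tclass=file",
]

METACHARS = set(".*?+()[]{}^$|\\")


class FcEntry(NamedTuple):
    pattern: re.Pattern       # anchored regex from the spec line
    ftype: Optional[str]      # '-d', '-l', '--', ... or None for "any type"
    context: str
    stem: str                 # literal prefix before the first regex metachar


def stem_of(regex: str) -> str:
    out = []
    for ch in regex:
        if ch in METACHARS:
            break
        out.append(ch)
    return "".join(out)


def parse_fc(text: str) -> list:
    """Parse 'regex [type] context' lines as found in a file_contexts file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError(f"bad file_contexts line: {line!r}")
        entries.append(FcEntry(re.compile(regex), ftype, ctx, stem_of(regex)))
    return entries


def match_path(entries: list, path: str, ftype: str = "--") -> Optional[str]:
    """Context the spec assigns to path ('--' file, '-d' dir, '-l' symlink), or None.
    Assumption: longest literal stem wins, ties go to the later entry."""
    best = None
    for e in entries:
        if e.ftype not in (None, ftype) or e.pattern.fullmatch(path) is None:
            continue
        if best is None or len(e.stem) >= len(best.stem):
            best = e
    return best.context if best else None


AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for (?P<fields>.*)")


def parse_avc(line: str) -> Optional[dict]:
    """Pull the permission set and key=value fields out of a kernel AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m["fields"]))
    fields["perms"] = m["perms"].split()
    return fields


def type_of(context: str) -> str:
    return context.split(":")[2]


def triage(line: str, entries: list) -> tuple:
    """Classify a denial: 'relabel' (disk label != spec, run restorecon),
    'policy-gap' (label is as specified, so the spec or policy must change),
    'not-covered' (this .fc has no entry; consult the system file_contexts),
    or 'unknown' (no path= field to match, as in the first line of the post)."""
    avc = parse_avc(line)
    if avc is None or "path" not in avc:
        return ("unknown", None)
    ftype = {"dir": "-d", "lnk_file": "-l", "file": "--"}.get(avc["tclass"], "--")
    actual = type_of(avc["tcontext"])
    expected = match_path(entries, avc["path"], ftype)
    if expected is None:
        return ("not-covered", actual)
    if type_of(expected) != actual:
        return ("relabel", type_of(expected))
    return ("policy-gap", actual)


if __name__ == "__main__":
    entries = parse_fc(NICKS_OPT_FC)
    print(match_path(entries, "/home/nicku", "-l"))  # None: the symlink is not covered here
    for avc_line in SAMPLE_AVC:
        print(triage(avc_line, entries))
```

The triage says nothing about which permissions to grant; it only separates the two causes a denial can have. For the post's `getattr` denial on `/opt/nicku/work` the on-disk `user_home_t` is exactly what the `.fc` spec says, so no amount of `restorecon` will help and the decision belongs in policy or in the spec. The `/home/nicku` symlink, by contrast, is matched by no entry in this file, which is the same thing `ls -Zd` showed with its fallback `default_t`.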