SELinux: home dir is symlink, httpd from files in home dir

Nick Urbanik nicku at nicku.org
Thu Jan 20 00:23:21 UTC 2005


Dear Folks,

I'm totally new to SELinux, and am quite confused on a number of
points.

I took the plunge and enabled SELinux on this FC3 box.
Problem is with Apache.  I have symlinks pointing to my home
directory, and to the pub directory, publicly served by Apache.

$ ls -l /home/nicku /var/ftp/pub
lrwxrwxrwx  1 root root 12 Oct 26 14:36 /home/nicku -> ../opt/nicku
lrwxrwxrwx  1 root root 13 Oct 26 14:48 /var/ftp/pub -> ../../opt/pub

ls -Zd /opt/nicku /home/nicku
lrwxrwxrwx  root     root     system_u:object_r:default_t      /home/nicku -> ../opt/nicku
drwx-----x  nicku    nicku    system_u:object_r:user_home_dir_t /opt/nicku

I have three main questions:

1. How do I solve my problem about httpd access to
   /opt/nicku/work/teaching/ict/ossi securely?
2. Where should I put my modifications to the policy?
3. What attribute should I give to the symlink /home/nicku?

Here is what I did:

After enabling SELinux, access to http://localhost/ossi was forbidden.

I then proceeded to try to make this work.  However, my fairly random
messing about is certainly not right.  I don't know where I should put
my modifications.  I would prefer not to change the original policy
files, but would prefer to make new ones.

Contents of
/etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc:

/opt/lost\+found(/.*)?  system_u:object_r:lost_found_t
/opt/nicku      -d      system_u:object_r:user_home_dir_t
/opt/nicku/.+           system_u:object_r:user_home_t
/opt/ogg(/.*)?                system_u:object_r:default_t
/opt/pub(/.*)?                system_u:object_r:default_t
/opt/nicku/public_htm(/.*)?  system_u:object_r:httpd_user_content_t
/opt/backup(/.*)?             system_u:object_r:default_t
/opt/cdimage(/.*)?            system_u:object_r:default_t
/opt/nicku/photos(/.*)?         system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/snm(/.*)?  system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/ossi(/.*)? system_u:object_r:httpd_user_content_t

THIS IS CERTAINLY IN THE WRONG PLACE?  WHERE SHOULD IT GO?

cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te
# Extra stuff for apache to cope with the symbolic links to
# /opt/nicku and /opt/pub

These came from audit2allow.  The first one is certainly wrong.  I
should change the attribute on the symlink /home/nicku.  What should I
change it to?

# to give access to /home/nicku:
# This looks BAD by removing SELinux protection of all symlinks:
allow httpd_t default_t:lnk_file { getattr read };

# to give access to /opt/pub:
allow httpd_t var_t:lnk_file { getattr read };

# to give access to /opt/nicku/{photos,work/{ossi,snm}}
allow httpd_t user_home_t:lnk_file { getattr read };

make reload complained till I touched this file:

ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
-rw-r--r--  1 root root 0 Jan 20 07:51
/etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc

From httpd configuration:

Alias /ossi /home/nicku/work/teaching/ict/ossi

<Location "/ossi">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Location>

What should I do to enable httpd access to /ossi?

Here's what SELinux says:

Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { search } for  pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { getattr } for  pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir

When I do:

tail -20 /var/log/messages | audit2allow -v -i -
allow httpd_t user_home_t:dir { getattr search };
        #EXE=/usr/sbin/httpd  NAME=work   :  search
        #EXE=/usr/sbin/httpd  PATH=/opt/nicku/work   :  getattr

Where should this rule go?

I would prefer not to modify the installed
/etc/selinux/targeted/src/policy/domains/program/apache.te and
/etc/selinux/targeted/src/policy/file_contexts/program/apache.fc; I
would rather put my own customised changes in their own files so
updates to the policies can be easily installed.
-- 
Nick Urbanik   RHCE       http://nicku.org          nicku(at)nicku.org
Proud ex-member of Dept. of Information & Communications Technology in
Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity
Award winner, programmed by ICT's own graduates!
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24    ID: BB9D2C24
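An added example, not part of Nick's post and not audit2allow's own code: a small Python script that parses the two AVC denial lines quoted above, merges them into one allow rule keyed by (source type, target type, class) the way audit2allow does, and flags any rule whose target type is a catch-all label such as default_t (the rule Nick himself calls "BAD"), where relabelling the object through a file_contexts entry is the safer fix than widening the httpd_t policy. Which types count as catch-all is an assumption of the example.

```python
import re
from collections import defaultdict

# The two AVC denial lines quoted in the post above (FC3 syslog format).
SAMPLE_LOG = """\
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { search } for  pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { getattr } for  pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")

# Catch-all target types: an allow rule on one of these (like the default_t
# lnk_file rule in the post) reaches far beyond the one symlink that was
# denied. Which types belong here is an assumption made for this example.
BROAD_TYPES = {"default_t", "var_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    # Returns (perms, source_type, target_type, tclass, object) or None.
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
    return (set(m.group(1).split()),
            kv["scontext"].split(":")[2],   # e.g. httpd_t
            kv["tcontext"].split(":")[2],   # e.g. user_home_t
            kv["tclass"],
            kv.get("path") or kv.get("name", "?"))

def summarise(log_text):
    # Merge denials by (source, target, class) as audit2allow does, keeping
    # the objects that caused them so the resulting rule can be reviewed.
    rules = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            perms, src, tgt, cls, obj = d
            rules[(src, tgt, cls)][0].update(perms)
            rules[(src, tgt, cls)][1].add(obj)
    return rules

def render(rules):
    # One allow rule per key; flag catch-all targets where a file_contexts
    # relabel is the safer fix than granting httpd_t access to the whole type.
    out = []
    for (src, tgt, cls), (perms, objs) in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in BROAD_TYPES:
            rule += "  # broad target type: relabel instead"
        out.append(rule + "  # objects: " + ", ".join(sorted(objs)))
    return out

print("\n".join(render(summarise(SAMPLE_LOG))))
```

Run against the two lines above it reproduces the `allow httpd_t user_home_t:dir { getattr search };` rule that audit2allow printed in the post, annotated with the objects (work, /opt/nicku/work) that triggered it.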