Dear Folks,

I'm totally new to SELinux, and am quite confused on a number of points.

I took the plunge and enabled SELinux on this FC3 box. Problem is with
Apache. I have symlinks pointing to my home directory, and to the pub
directory, publicly served by Apache.

$ ls -l /home/nicku /var/ftp/pub
lrwxrwxrwx  1 root root 12 Oct 26 14:36 /home/nicku -> ../opt/nicku
lrwxrwxrwx  1 root root 13 Oct 26 14:48 /var/ftp/pub -> ../../opt/pub

$ ls -Zd /opt/nicku /home/nicku
lrwxrwxrwx  root  root  system_u:object_r:default_t        /home/nicku -> ../opt/nicku
drwx-----x  nicku nicku system_u:object_r:user_home_dir_t  /opt/nicku

I have three main questions:

1. How do I solve my problem about httpd access to
   /opt/nicku/work/teaching/ict/ossi securely?

2. Where should I put my modifications to the policy?

3. What attribute should I give to the symlink /home/nicku?

Here is what I did:

After enabling SELinux, access to http://localhost/ossi was forbidden.
I then proceeded to try to make this work. However, my fairly random
messing about is certainly not right. I don't know where I should put
my modifications. I would prefer not to change the original policy
files, but would prefer to make new ones.

Contents of /etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc:

/opt/lost\+found(/.*)?                          system_u:object_r:lost_found_t
/opt/nicku                                  -d  system_u:object_r:user_home_dir_t
/opt/nicku/.+                                   system_u:object_r:user_home_t
/opt/ogg(/.*)?                                  system_u:object_r:default_t
/opt/pub(/.*)?                                  system_u:object_r:default_t
/opt/nicku/public_htm(/.*)?                     system_u:object_r:httpd_user_content_t
/opt/backup(/.*)?                               system_u:object_r:default_t
/opt/cdimage(/.*)?                              system_u:object_r:default_t
/opt/nicku/photos(/.*)?                         system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/snm(/.*)?          system_u:object_r:httpd_user_content_t
/opt/nicku/work/teaching/ict/ossi(/.*)?         system_u:object_r:httpd_user_content_t

THIS IS CERTAINLY IN THE WRONG PLACE?  WHERE SHOULD IT GO?

$ cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te
# Extra stuff for apache to cope with the symbolic links to
# /opt/nicku and /opt/pub

These came from audit2allow. The first one is certainly wrong. I should
change the attribute on the symlink /home/nicku. What should I change
it to?

# to give access to /home/nicku:
# This looks BAD by removing SELinux protection of all symlinks:
allow httpd_t default_t:lnk_file { getattr read };

# to give access to /opt/pub:
allow httpd_t var_t:lnk_file { getattr read };

# to give access to /opt/nicku/{photos,work/{ossi,snm}}
allow httpd_t user_home_t:lnk_file { getattr read };

make reload complained till I touched this file:

$ ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
-rw-r--r--  1 root root 0 Jan 20 07:51 /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc

From httpd configuration:

Alias /ossi /home/nicku/work/teaching/ict/ossi
<Location "/ossi">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Location>

What should I do to enable httpd access to /ossi?

Here's what SELinux says:

Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { search } for  pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { getattr } for  pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir

When I do:

$ tail -20 /var/log/messages | audit2allow -v -i -
allow httpd_t user_home_t:dir { getattr search };
#EXE=/usr/sbin/httpd NAME=work : search
#EXE=/usr/sbin/httpd PATH=/opt/nicku/work : getattr

Where should this rule go?

I would prefer not to modify the installed
/etc/selinux/targeted/src/policy/domains/program/apache.te and
/etc/selinux/targeted/src/policy/file_contexts/program/apache.fc; I would
rather put my own customised changes in their own files so updates to
the policies can be easily installed.

-- 
Nick Urbanik  RHCE          http://nicku.org   nicku(at)nicku.org
Proud ex-member of Dept. of Information & Communications Technology in
Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity
Award winner, programmed by ICT's own graduates!
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24  ID: BB9D2C24
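An added example, not part of Nick's post and not FC3's own tooling: the point a reviewer would make about the .te above is that every one of those rules, and the audit2allow output at the end, grants httpd_t access to a whole generic type (default_t, var_t, user_home_t), i.e. to every symlink or home-directory file on the box, when the only objects httpd needs are two symlinks and one directory tree. The script below reproduces audit2allow's summarising of AVC lines (the two denials from the post plus one constructed lnk_file denial for /home/nicku), flags rules whose target type is generic, and writes the file_contexts lines that fix the problem by relabelling instead: `-l` entries for the two symlinks and `-d` entries for the parent directories httpd must search, all as httpd_sys_content_t, which httpd_t can already read in the targeted policy. The list of generic types, the choice of httpd_sys_content_t, the policy source paths and the `make reload` target are assumptions taken from the post and from FC3-era policy layout; `relabel_for_httpd` needs root and an SELinux box and is not run here.

```sh
#!/bin/sh
# Added example, not from Nick's post: summarise AVC denials the way
# audit2allow does, flag rules whose target type is a generic one, and
# generate file_contexts lines that fix the denial by relabelling.
LC_ALL=C; export LC_ALL

# Constructed input: the two denials quoted in the post plus a hypothetical
# third line for httpd reading the /home/nicku symlink (labelled default_t).
SAMPLE_AVC='Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { search } for  pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { getattr } for  pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Jan 20 10:53:19 nicku kernel: audit(1106178799.120:0): avc:  denied  { read } for  pid=6133 exe=/usr/sbin/httpd name=nicku dev=sda1 ino=12 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=lnk_file'

# stdin: syslog lines; stdout: one "allow src tgt:class { perms };" per
# (source type, target type, class), permissions merged and sorted.
avc_to_rules() {
  sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^ ]*:\([^ :]*\) tcontext=[^ ]*:\([^ :]*\) tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
  awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' |   # one line per permission
  sort -u |
  awk '
    { key = $1 " " $2 ":" $3
      if (key != last) {
        if (last != "") print "allow " last " {" perms " };"
        last = key; perms = ""
      }
      perms = perms " " $4
    }
    END { if (last != "") print "allow " last " {" perms " };" }'
}

# Target types that are not specific to web content (assumed list). A rule
# whose target is one of these opens every object of that type to httpd_t,
# which is exactly the "BAD" rule in the post.
BROAD_TYPES='default_t var_t usr_t etc_t home_root_t user_home_dir_t user_home_t'

# stdin: rules from avc_to_rules; stdout: each rule tagged OK or BROAD.
flag_broad_rules() {
  awk -v broad="$BROAD_TYPES" '
    BEGIN { n = split(broad, b, " "); for (i = 1; i <= n; i++) isbroad[b[i]] = 1 }
    { split($3, t, ":")
      if (t[1] in isbroad)
        print "BROAD: " $0 "   -> relabel the specific objects instead"
      else
        print "OK:    " $0 }'
}

# $1 = file_contexts regex, $2 = type, $3 = optional object-class flag
# (-l symlink, -d directory, -- regular file). Later entries override earlier
# ones, so these go at the end of the .fc file.
fc_line() {
  if [ -n "${3:-}" ]; then printf '%s\t%s\tsystem_u:object_r:%s\n' "$1" "$3" "$2"
  else printf '%s\tsystem_u:object_r:%s\n' "$1" "$2"; fi
}

# The relabel fix for the post's layout (needs root and SELinux; not run by
# the test). Labelling the link itself lets httpd_t read it; the parent
# directories of ossi need a searchable label too, so they are labelled
# -d only, which exposes their listing but not the user_home_t files inside.
relabel_for_httpd() {
  fc=/etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc
  {
    fc_line '/home/nicku'                              httpd_sys_content_t -l
    fc_line '/var/ftp/pub'                             httpd_sys_content_t -l
    fc_line '/opt/nicku/work'                          httpd_sys_content_t -d
    fc_line '/opt/nicku/work/teaching'                 httpd_sys_content_t -d
    fc_line '/opt/nicku/work/teaching/ict'             httpd_sys_content_t -d
    fc_line '/opt/nicku/work/teaching/ict/ossi(/.*)?'  httpd_sys_content_t
  } >> "$fc"
  make -C /etc/selinux/targeted/src/policy reload   # reinstalls policy and file_contexts
  restorecon -v /home/nicku /var/ftp/pub             # labels the links, not their targets
  restorecon -Rv /opt/nicku/work/teaching/ict/ossi
  ls -Zd /home/nicku /opt/nicku/work /opt/nicku/work/teaching/ict/ossi
}

# Stand-alone run: the audit2allow-style summary with the review verdict.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | flag_broad_rules
```

With this layout no custom .te is needed at all, so the question of where to put allow rules goes away; only the .fc fragment in file_contexts/misc/ remains, and policy updates leave it alone. If the denials after relabelling still name user_home_t, the path being walked still has an unlabelled parent, and the fix is another `-d` line for that directory, not an allow rule on user_home_t.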