On Thu, 2005-01-20 at 11:23 +1100, Nick Urbanik wrote:
> Dear Folks,
>
> I'm totally new to SELinux, and am quite confused on a number of
> points.
>
> I took the plunge and enabled SELinux on this FC3 box.
> Problem is with Apache.

Have you read the Fedora Apache guide?

http://fedora.redhat.com/docs/selinux-apache-fc3/

It's slightly out of date but still informative, I think.

> I have symlinks pointing to my home
> directory,

This will cause a number of problems. Many programs are given the
permissions 'getattr' and 'search' on user_home_dir_t:dir, so they can
access the toplevel home directory but not necessarily anything contained
in it. The ":dir" part here is important, as it means the permissions are
restricted to directories with that type; symlinks are not allowed.

I wonder why you're symlinking into /opt, but assuming for now that's what
you have to do, one solution might be to use bind mounts instead of
symlinks:

rm /home/nicku
mkdir /home/nicku
mount -obind /opt/nicku /home/nicku

You can add the bind mount to /etc/fstab so it's done automatically.

Another (very hackish) approach might be to label the /home/nicku symlink
with a type such as usr_t; most domains have permission to read
usr_t:lnk_file (i.e. symlink).

That's about all I can think of, short of modifying the policy sources.

> 1. How do I solve my problem about httpd access to
> /opt/nicku/work/teaching/ict/ossi securely?

I hope the above helps.

> 2. Where should I put my modifications to the policy?

If you choose to modify policy, the right solution I think is to label the
/home/nicku symlink with the type user_home_dir_t, and add the permissions
like:

allow <domain> user_home_dir_type:lnk_file { getattr read };

Substitute particular domains such as httpd_t for <domain>. When I modify
policy, I tend to put my modifications in a local.te file.

> 3. What attribute should I give to the symlink /home/nicku?

user_home_dir_t.

> /etc/selinux/targeted/src/policy/file_contexts/misc/nicks-opt.fc:
>
> /opt/lost\+found(/.*)?          system_u:object_r:lost_found_t
> /opt/nicku              -d      system_u:object_r:user_home_dir_t
> /opt/nicku/.+                   system_u:object_r:user_home_t
> /opt/ogg(/.*)?                  system_u:object_r:default_t
> /opt/pub(/.*)?                  system_u:object_r:default_t

Hmm; using the default_t type seems a bit wrong, but I can't think offhand
of something better.

> /opt/nicku/public_htm(/.*)?     system_u:object_r:httpd_user_content_t

Right.

> THIS IS CERTAINLY IN THE WRONG PLACE? WHERE SHOULD IT GO?

No, that's fine.

> cat /etc/selinux/targeted/src/policy/domains/program/apache-nicks-opt-extra.te

Reasonable, although I like using a well-commented local.te personally.

> # to give access to /home/nicku:
> # This looks BAD by removing SELinux protection of all symlinks:
> allow httpd_t default_t:lnk_file { getattr read };

It doesn't remove protection of all symlinks, but it does mean that Apache
can read symlinks that aren't assigned a label by the file_contexts regexps
(i.e. are given the default_t type). Given that you're using default_t for
a lot of data, I wouldn't recommend this permission.

> # to give access to /opt/pub:
> allow httpd_t var_t:lnk_file { getattr read };

I'd use bind mounts instead of permissions like this, personally. But this
one probably isn't too harmful.

> # to give access to /opt/nicku/{photos,work/{ossi,snm}}
> allow httpd_t user_home_t:lnk_file { getattr read };

This is bad; the data should be labeled as httpd_user_content_t.

> make reload complained till I touched this file:
>
> ls -l /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc
> -rw-r--r--  1 root root 0 Jan 20 07:51 /etc/selinux/targeted/src/policy/file_contexts/program/apache-nicks-opt-extra.fc

Yeah; use misc/local.te instead, or the like. te files in program require
a corresponding .fc file to be enabled.

> What should I do to enable httpd access to /ossi?
>
> Here's what SELinux says:
>
> Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { search } for  pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
> Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc:  denied  { getattr } for  pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir

Any data you want httpd to access needs to be one of the types outlined in
the Fedora Apache/SELinux guide, such as httpd_user_content_t.
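As an added example (not part of this thread, and not one of the Fedora policy tools), the following Python script parses FC3-era kernel AVC denial lines like the two quoted above and applies the rule of thumb from the reply: when httpd_t is denied on a type that is not web content, the fix is to relabel the data as httpd_user_content_t rather than to add an allow rule; for any other denial it prints the literal allow rule that would silence it. The sample log is the two lines from the message; the set of web-content types is assumed to contain only httpd_user_content_t, the one type the thread names.

```python
import re
from typing import Dict, List, Optional

# FC3-era kernel AVC line: "... avc: denied { perms } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed set of types httpd_t is meant to read; the thread only names this one.
HTTPD_CONTENT_TYPES = {"httpd_user_content_t"}


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one 'avc: denied' line into its permissions, key=value fields and types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec: Dict = {"perms": m.group("perms").split(), **fields}
    # A context is user:role:type; allow rules and file_contexts work on the type.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def triage(rec: Dict) -> str:
    """Relabel when httpd hits non-web data; otherwise show the literal allow rule."""
    if rec["stype"] == "httpd_t" and rec["ttype"] not in HTTPD_CONTENT_TYPES:
        where = rec.get("path") or rec.get("name", "?")  # 'name' is the last component
        return f"relabel {where} (currently {rec['ttype']}) as httpd_user_content_t"
    perms = " ".join(rec["perms"])
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"


def triage_log(lines: List[str]) -> List[str]:
    """Run triage over a list of raw log lines, skipping lines that are not AVC denials."""
    return [triage(rec) for rec in map(parse_avc, lines) if rec is not None]


# Constructed sample: the two denials quoted in the message above.
SAMPLE_LOG = [
    "Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { search } for pid=6133 exe=/usr/sbin/httpd name=work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir",
    "Jan 20 10:53:20 nicku kernel: audit(1106178800.510:0): avc: denied { getattr } for pid=6133 exe=/usr/sbin/httpd path=/opt/nicku/work dev=sda1 ino=5620038 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir",
]

if __name__ == "__main__":
    for advice in triage_log(SAMPLE_LOG):
        print(advice)
```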