On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:

Here are some things to take into consideration:

1. From the perspective of SELinux we do not have to do anything to give users access, since in a vanilla Fedora 12 configuration users are unconfined (exempted from SELinux).

2. We can give Samba access to read and write any content by setting the boolean samba_export_all_rw to true.

This means that we only have to take care of http. Using the samba_export_all_rw boolean is essential, I believe, to meet your exotic requirements.

> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info. Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos)

As said above, by default users are unconfined wrt SELinux in a stock Fedora 12 config, thus no need to do anything here.

> and readable for apache. I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.

You should probably label data and everything below data type httpd_sys_content_t. httpd is allowed to read that type.

> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the command
> line). I have httpd_enable_cgi=>on in order to support this. Context is
> unchanged from default configs. Desire r/w access through Samba from my user
> machine for editing the scripts using Notepad++.

Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in the httpd_sys_script_t domain. Samba can read and write any content if samba_export_all_rw is set.

The use of the samba_export_all_rw boolean is discouraged since obviously samba will be able to write almost any file. However you do not have much choice unless you modify policy in a major way. I would probably use openssh to edit these scripts.

> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above when required. This data
> doesn't have to persist across rebuilds. There are different subdirectories
> for the different supported thumbnail sizes and each subdir needs to be
> r/w for apache. Context from / is:
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_t:s0 var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180

If your Perl web script needs to create files in existing subdirectories in thumbnails/, then I would label these subdirectories type httpd_sys_content_rw_t and set httpd_anon_write to true. Samba will be able to read and write these files and types since samba_export_all_rw allows samba to read and write almost any type.

> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to. Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.

If you set samba_export_all_rw to true then you do not need the public_content_(rw)_types, since samba will be able to read and write almost any file and type.

In that case I believe you can set allow_samba_anon_write to false.

> Now on to the "what broke" question. Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos. Generally I access it through a symlink in my homedir:
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.

If this is at all SELinux related (see if it works in permissive mode to rule in or rule out SELinux) then it would help if you enclose an AVC denial. Some denials are hidden; use semodule -DB to expose hidden denials and semodule -B to go back to the original state.

> I obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now. But if anyone has advice, please offer!

I would probably attempt to implement a solution that does not require samba_export_all_rw to be set true, since that is very coarse. However with your requirements this is the only simple way. I would probably use openssh wherever possible; that may be just enough to be able to set samba_export_all_rw to false. Another solution would be to perform serious surgery on Fedora policy. You would create special types and a special web app domain and give both apache and samba the permissions required.

> --Toby Ovod-Everett
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
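The labeling and boolean changes suggested in the reply above, collected into one script as an added example (not from either poster). It assumes the Fedora 12 type and boolean names quoted in the thread and the policycoreutils tools (semanage, restorecon, setsebool, semodule, ausearch); with DRY_RUN=1 (the default) it only prints the commands it would run, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: apply the SELinux changes discussed in the thread.
# DRY_RUN=1 (default) prints each command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Persistently label a tree (regex anchored at the path) with the given
# type, then relabel it on disk so the new context takes effect now.
label_tree() {
    path="$1"; ctx="$2"
    run semanage fcontext -a -t "$ctx" "${path}(/.*)?"
    run restorecon -RvF "$path"
}

# 1. /data: apache only needs to read the photos; users are unconfined,
#    so nothing extra is needed for the photos group members.
label_tree /data httpd_sys_content_t

# 2. Thumbnail size subdirectories: apache must create files here, so
#    they get the rw content type and anonymous httpd writes are enabled.
for d in /var/www/html/thumbnails/180x180; do
    label_tree "$d" httpd_sys_content_rw_t
done
run setsebool -P httpd_anon_write on

# 3. Samba: coarse, but with samba_export_all_rw on the public_content
#    types and the anonymous-write boolean are no longer needed.
run setsebool -P samba_export_all_rw on
run setsebool -P allow_smbd_anon_write off

# Troubleshooting: expose dontaudited denials, reproduce the failure,
# search the audit log, then rebuild policy without the -D flag.
run semodule -DB
run ausearch -m avc,user_avc -ts recent
run semodule -B
```

Run it once with DRY_RUN=1 to check the paths, then with DRY_RUN=0 as root; the semodule -B at the end restores normal (hidden) dontaudit behaviour.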