On 3/22/10, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx <selinux-request@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Today's Topics:
>
> 1. Looking for SELinux advice regarding samba, apache (Toby Ovod-Everett)
> 2. Re: Looking for SELinux advice regarding samba, apache (Dominick Grift)
> 3. selinux-policy.spec: Buildrequires missing make and gcc. (Dominick Grift)
> 4. Re: selinux-policy.spec: Buildrequires missing make and gcc. (Chuck Anderson)
> 5. Re: selinux-policy.spec: Buildrequires missing make and gcc. (Dominick Grift)
> 6. Re: selinux-policy.spec: Buildrequires missing make and gcc. (Jason L Tibbitts III)
> 7. Re: Looking for SELinux advice regarding samba, apache (Paul Howarth)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Mar 2010 08:21:02 -0800
> From: Toby Ovod-Everett <toby@xxxxxxxxxxxxxxxx>
> Subject: Looking for SELinux advice regarding samba, apache
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <20100321162102.GA1875@xxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
> Two issues in this e-mail. The first is a general request for advice on how to structure things for a home-grown photo system I developed - I had it working, now the SELinux config has some issues, etc. The second is that something changed in libselinux or selinux-policy since January 17th and it's causing Samba some issues.
>
> So, here's a brief overview of the photo archive system I developed, the issues, and how I have them currently resolved.
>
> My server machine runs Fedora 12 with a pretty vanilla configuration and I run yum update regularly. I have two partitions - /, which contains the OS install, user directories, etc., and /data, which I use for some large data sets that I don't want to have to copy when rebuilding the machine during OS upgrades. In particular, the major large data set is /data/photos.
>
> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and the information about them in /data/photos/info. Context from / is:
>
> dr-xr-xr-x. root root   system_u:object_r:root_t:s0              .
> drwxr-xr-x. root root   system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos) and readable for apache. I generally access /data/photos through Samba from my user machine which runs (gasp) Windows 7.
>
>
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web frontend for viewing the photos (loading photos is all done from the Command Line). I have httpd_enable_cgi=>on in order to support this. Context is unchanged from default configs. Desire r/w access through Samba from my user machine for editing the scripts using Notepad++.
>
>
> /var/www/html/thumbnails - contains directories of thumbnails for the photos. These are persistently cached in this tree and automatically generated or updated as required by the Perl scripts above when required. This data doesn't have to persist across rebuilds. There are different subdirectories for the different supported thumbnail sizes and each subdir needs to be r/w for apache. Context from / is:
>
> dr-xr-xr-x. root root   system_u:object_r:root_t:s0                    .
> drwxr-xr-x. root root   system_u:object_r:var_t:s0                     var
> drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0       www
> drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0       html
> drwxrwsr-x. root root   unconfined_u:object_r:httpd_sys_content_t:s0   thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0   180x180
>
>
> One of the main issues is that I need Samba to have r/w to a bunch of the trees that apache needs access to. Current Samba SELinux config is samba_enable_home_dirs=>on, allow_smbd_anon_write=>on, samba_export_all_rw=>on. I'd like to be able to pull the latter eventually, but then I need to be able to figure out how to give Samba r/w access to the cgi-bin directory.
>
>
> Now on to the "what broke" question. Somewhere in the last two months (it's been a while since I've added photos), I lost the ability to use Samba to access /data/photos. Generally I access it through a symlink in my homedir:
>
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.
>
> I obviously have a workaround now, but as a solution it's annoying, because it requires me to create separate shares for all of the things I want to access from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and /var/www/html/public_html/toby) and then map to them all separately on my Windows machine on separate drive letters, instead of having a single share that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn up any events that correlate with attempts to access those directories through the symlinks.
> At this point, I'm beginning to suspect a fix in Samba 3.4.6 or 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was announced in early February, but I'm hitting my patience limit (my 3-year-old is ready for breakfast), so I'm going to stop writing and go with my workaround for now. But if anyone has advice, please offer!
>
> --Toby Ovod-Everett
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 21 Mar 2010 18:17:51 +0100
> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: Looking for SELinux advice regarding samba, apache
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <20100321171750.GA20876@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:
>
> Here are some things to take into consideration:
>
> 1. From the perspective of SELinux we do not have to do anything to give users access since in a vanilla Fedora 12 configuration users are unconfined (exempt from SELinux).
>
> 2. We can give Samba access to read and write any content by setting boolean samba_export_all_rw true.
>
> This means that we only have to take care of http.
>
> Using the samba_export_all_rw boolean is essential I believe to meet your exotic requirements.
>
>> There are three major directory trees that impact the photo system:
>>
>> /data/photos - contains the actual digital images in /data/photos/images and the information about them in /data/photos/info. Context from / is:
>>
>> dr-xr-xr-x. root root   system_u:object_r:root_t:s0              .
>> drwxr-xr-x. root root   system_u:object_r:public_content_rw_t:s0 data
>> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>>
>> /data/photos needs to be r/w for my user account (which is a member of photos)
>
> As said above, by default users are unconfined wrt SELinux in a stock Fedora 12 config, thus no need to do anything here.
>
>> and readable for apache.
>> I generally access /data/photos through Samba from my user machine which runs (gasp) Windows 7.
>
> You should probably label data and everything below data type httpd_sys_content_t. httpd is allowed to read that type.
>
>>
>>
>> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web frontend for viewing the photos (loading photos is all done from the Command Line). I have httpd_enable_cgi=>on in order to support this. Context is unchanged from default configs. Desire r/w access through Samba from my user machine for editing the scripts using Notepad++.
>
> Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in the httpd_sys_script_t domain. Samba can read and write any content if samba_export_all_rw is set.
>
> The use of the samba_export_all_rw boolean is discouraged since obviously samba will be able to write almost any file. However you do not have much choice unless you modify policy in a major way. I would probably use openssh to edit these scripts.
>
>>
>> /var/www/html/thumbnails - contains directories of thumbnails for the photos. These are persistently cached in this tree and automatically generated or updated as required by the Perl scripts above when required. This data doesn't have to persist across rebuilds. There are different subdirectories for the different supported thumbnail sizes and each subdir needs to be r/w for apache. Context from / is:
>>
>> dr-xr-xr-x. root root   system_u:object_r:root_t:s0                    .
>> drwxr-xr-x. root root   system_u:object_r:var_t:s0                     var
>> drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0       www
>> drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0       html
>> drwxrwsr-x. root root   unconfined_u:object_r:httpd_sys_content_t:s0   thumbnails
>> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0   180x180
>
> If your perl webscript needs to create files in existing sub directories in thumbnails/ then I would label these sub directories type httpd_sys_content_rw_t and set httpd_anon_write to true.
>
> Samba will be able to read and write to these files and types since the samba_export_all_rw allows samba to read and write almost any type.
>
>>
>> One of the main issues is that I need Samba to have r/w to a bunch of the trees that apache needs access to. Current Samba SELinux config is samba_enable_home_dirs=>on, allow_smbd_anon_write=>on, samba_export_all_rw=>on. I'd like to be able to pull the latter eventually, but then I need to be able to figure out how to give Samba r/w access to the cgi-bin directory.
>
> If you set samba_export_all_rw to true then you do not need the public_content_(rw)_types, since samba will be able to read and write almost any file and type. In that case I believe you can set allow_samba_anon_write to false.
>
>>
>> Now on to the "what broke" question. Somewhere in the last two months (it's been a while since I've added photos), I lost the ability to use Samba to access /data/photos. Generally I access it through a symlink in my homedir:
>>
>> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>>
>> This has stopped working. Things I tried:
>> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
>> * Verifying SELinux settings conform to above model.
>> * Creating a separate share for /data/photos. This worked.
>
> If this is at all SELinux related (see if it works in permissive mode to rule in or rule out SELinux) then it would help if you enclose an AVC denial. Some denials are hidden; use semodule -DB to expose hidden denials and semodule -B to go back to the original state.
>
>> I obviously have a workaround now, but as a solution it's annoying, because it requires me to create separate shares for all of the things I want to access from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and /var/www/html/public_html/toby) and then map to them all separately on my Windows machine on separate drive letters, instead of having a single share that accesses everything.
>>
>> I'm beginning to suspect the problem is Samba, not SELinux, because my attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn up any events that correlate with attempts to access those directories through the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was announced in early February, but I'm hitting my patience limit (my 3-year-old is ready for breakfast), so I'm going to stop writing and go with my workaround for now. But if anyone has advice, please offer!
>
> I would probably attempt to implement a solution that does not require samba_export_all_rw to be set true since that is very coarse.
>
> However with your requirements this is the only simple way.
>
> I would probably use openssh wherever possible. That may be just enough to be able to set samba_export_all_rw to false.
>
> Another solution would be to perform serious surgery to fedora policy. You would create special types and a special web app domain and give both apache and samba the permissions required.
>
>> --Toby Ovod-Everett
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> ------------------------------
>
> Message: 3
> Date: Sun, 21 Mar 2010 22:18:20 +0100
> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: selinux-policy.spec: Buildrequires missing make and gcc.
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <20100321211819.GA25304@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> I tried to build a RPM package using Fedora's spec file on a minimal Fedora system and it blew up on cc. So I looked into the spec file that is supplied by Tresys in refpolicy and found that it has buildrequires for make and gcc. Fedora spec does not include those build requires.
>
> ------------------------------
>
> Message: 4
> Date: Sun, 21 Mar 2010 17:23:28 -0400
> From: Chuck Anderson <cra@xxxxxxx>
> Subject: Re: selinux-policy.spec: Buildrequires missing make and gcc.
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <20100321212328.GA25379@xxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
> On Sun, Mar 21, 2010 at 10:18:20PM +0100, Dominick Grift wrote:
>> I tried to build a RPM package using Fedora's spec file on a minimal Fedora system and it blew up on cc. So I looked into the spec file that is supplied by Tresys in refpolicy and found that it has buildrequires for make and gcc. Fedora spec does not include those build requires.
>
> Not required by Fedora:
>
> http://fedoraproject.org/wiki/PackagingGuidelines#Exceptions_2
>
>
> ------------------------------
>
> Message: 5
> Date: Sun, 21 Mar 2010 23:05:09 +0100
> From: Dominick Grift <domg472@xxxxxxxxx>
> Subject: Re: selinux-policy.spec: Buildrequires missing make and gcc.
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <20100321220508.GB25304@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sun, Mar 21, 2010 at 05:23:28PM -0400, Chuck Anderson wrote:
>> On Sun, Mar 21, 2010 at 10:18:20PM +0100, Dominick Grift wrote:
>>> I tried to build a RPM package using Fedora's spec file on a minimal Fedora system and it blew up on cc. So I looked into the spec file that is supplied by Tresys in refpolicy and found that it has buildrequires for make and gcc. Fedora spec does not include those build requires.
>>
>> Not required by Fedora:
>
> Well in that case fedora selinux-policy.spec should remove its gawk and bzip2 buildrequires since they are also in that list. Anyways I decided to just add the build requires (gcc and make) because I did stumble upon the issue and I do not see what harm it does to include them.
>
>>
>> http://fedoraproject.org/wiki/PackagingGuidelines#Exceptions_2
>
> ------------------------------
>
> Message: 6
> Date: Sun, 21 Mar 2010 17:08:27 -0500
> From: "Jason L Tibbitts III" <tibbs@xxxxxxxxxxx>
> Subject: Re: selinux-policy.spec: Buildrequires missing make and gcc.
> To: Dominick Grift <domg472@xxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <ufafx3tgwf8.fsf@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
>>>>>> "DG" == Dominick Grift <domg472@xxxxxxxxx> writes:
>
> DG> well in that case fedora selinux-policy.spec should remove its gawk
> DG> and bzip2 buildrequires since they are also in that list.
>
> The phrase "is not required" does not have the same meaning as "is prohibited".
>
> - J<
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 22 Mar 2010 09:18:48 +0000
> From: Paul Howarth <paul@xxxxxxxxxxxx>
> Subject: Re: Looking for SELinux advice regarding samba, apache
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <4BA735F8.20305@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 21/03/10 16:21, Toby Ovod-Everett wrote:
>> Now on to the "what broke" question. Somewhere in the last two months (it's been a while since I've added photos), I lost the ability to use Samba to access /data/photos. Generally I access it through a symlink in my homedir:
>>
>> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>>
>> This has stopped working. Things I tried:
>> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
>> * Verifying SELinux settings conform to above model.
>> * Creating a separate share for /data/photos. This worked.
>>
>> I obviously have a workaround now, but as a solution it's annoying, because it requires me to create separate shares for all of the things I want to access from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and /var/www/html/public_html/toby) and then map to them all separately on my Windows machine on separate drive letters, instead of having a single share that accesses everything.
>
> In your samba config, do you have any settings for:
>
> unix extensions
> follow symlinks
> wide links
>
> I believe you need the following to be able to follow symlinks outside of the directory tree that is shared using samba:
>
> unix extensions = no
> follow symlinks = yes
> wide links = yes
>
> Paul.
>
>
> ------------------------------
>
> End of selinux Digest, Vol 73, Issue 20
> ***************************************

--
Sent from my mobile device
NEERAJ VISHWAKARMA
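Paul's three settings, turned into a small smb.conf checker. This is an added example, not code from the thread or from Samba; it assumes only POSIX sh and awk, reads the [global] section only (a per-share override of "wide links" or "follow symlinks" is an acknowledged simplification), and uses the smb.conf(5) defaults for unset parameters as stated in the comments.

```shell
# Added example (not from the thread): report whether an smb.conf lets symlinks
# that point outside the shared tree be followed, using the three parameters
# Paul names. Assumption: only [global] is consulted; share overrides ignored.

# Print a [global] parameter value, or the given default if it is unset.
# Samba matches names case-insensitively and ignores internal whitespace.
smb_global_param() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    awk -v want="$want" -v def="$3" '
        /^[[:space:]]*\[/ {
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
            sect = tolower(sect); next
        }
        /^[[:space:]]*[#;]/ || !/=/ { next }
        sect == "global" {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                found = val
            }
        }
        END { print (found == "" ? def : found) }
    ' "$1"
}

# Normalise the boolean spellings Samba accepts (yes/true/1, no/false/0).
smb_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# Paul's rule: unix extensions = no, follow symlinks = yes, wide links = yes.
# Defaults for unset parameters (assumption, per smb.conf(5) for 3.4.6+):
# unix extensions = yes, follow symlinks = yes, wide links = no.
samba_follows_wide_links() {
    ux=$(smb_bool "$(smb_global_param "$1" "unix extensions" yes)")
    fs=$(smb_bool "$(smb_global_param "$1" "follow symlinks" yes)")
    wl=$(smb_bool "$(smb_global_param "$1" "wide links" no)")
    [ "$ux" = no ] && [ "$fs" = yes ] && [ "$wl" = yes ]
}

# Constructed sample smb.conf (not Toby's real config) for a stand-alone run.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
    Unix Extensions = No
    follow symlinks = yes
    wide links = yes
EOF
if samba_follows_wide_links "$demo_conf"; then
    echo "symlinks may leave the share tree (unix extensions=no, wide links=yes)"
else
    echo "symlinks pointing outside the share tree will not be followed"
fi
rm -f "$demo_conf"
```

A "not followed" verdict matches Toby's symptom; note that Paul's combination deliberately lets a client reach any path a symlink inside the share points to, so review what the shared tree contains before enabling it.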