Hi,
The following are drafts for the "Fixing Problems"[1] section. Any
comments and corrections are appreciated.
Linux Permissions
When access is denied, check standard Linux permissions. As mentioned in
Chapter 2, Introduction, most operating systems use a Discretionary
Access Control (DAC) system to control access, allowing users to control
the permissions of files that they own. SELinux policy rules are checked
after DAC rules. SELinux policy rules are not used if DAC rules deny
access first.
If access is denied and no SELinux denials are logged, use the ls -l
command to view the standard Linux permissions:
[example output]
In this example, index.html is owned by the root user and group. The
root user has read and write permissions (-rw), and members of the root
group have read permissions (-r-). Everyone else has no access (---). By
default, such permissions do not allow httpd to read this file. To
resolve this issue, use the chown command to change the owner and group.
This command must be run as the Linux root user:
# chown apache:apache /var/www/html/index.html
This assumes the default configuration, in which httpd runs as the Linux
apache user. If you run httpd with a different user, replace
apache:apache with that user.
Refer to the Fedora Documentation Project "Permissions"[2] draft for
information about managing Linux permissions.
Manual Pages for Services
Manual pages for services contain valuable information, such as what
file type to use for a given situation, and Booleans to change the
access a service has (such as httpd accessing NFS file systems). This
information may be in the standard manual page, or a manual page with
selinux prepended or appended.
For example, the httpd_selinux(8) manual page has information about what
file type to use for a given situation, as well as Booleans to allow
scripts, sharing files, accessing directories inside user home
directories, and so on. Other manual pages with SELinux information for
services include:
* Samba: the samba_selinux(8) manual page describes that files and
directories to be exported via Samba must be labeled with the
samba_share_t type, as well as Booleans to allow files labeled with
types other than samba_share_t to be exported via Samba.
* NFS: the nfs_selinux(8) manual page describes that, by default, file
systems can not be exported via NFS, and that to allow file systems to
be exported, Booleans such as nfs_export_all_ro or nfs_export_all_rw
must be turned on.
* Berkeley Internet Name Domain (BIND): the named(8) manual page
describes what file type to use for a given situation (see the Red Hat
SELinux BIND Security Profile section). The named_selinux(8) manual page
describes that, by default, named can not write to master zone files,
and to allow such access, the named_write_master_zones Boolean must be
turned on.
The information in manual pages helps you configure the correct file
types and Booleans, helping to prevent SELinux from denying access.
Cheers.
[1] 7.3. Fixing Problems
7.3.1. Linux Permissions
7.3.2. Manual Pages for Services
7.3.3. Permissive Domains
7.3.4. Searching For and Viewing Denials
7.3.5. Raw Audit Messages
7.3.6. sealert Messages
7.3.7. audit2allow
(I have not sent Permissive Domains or audit2allow to the list yet)
[2]
<http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
