Hi:
Mr. Walsh and Mr. Grift have replied to some
of my earlier questions regarding SELinux and Apache on a RedHat server,
thank you very much. However, I'm still not able to get things up and running.
Here's a little history on what I've been trying to do:
I've been following the documentation in
the NSA's "Guide to the Secure Configuration of Red Hat Enterprise
Linux 5". There they do mention that you should chroot apache. We
are also using MySQL and PHP and their documentation does not mention anything
about chrooting mysql, and to be honest, I just could not get the RedHat
pre-compiled version of MySQL to chroot, and work with the chroot'd Apache.
So I took it upon myself to remove the pre-compiled rpm packages for Apache,
MySQL, and PHP, in favor of downloading and compiling those packages myself
and running them in the chroots.
That worked out ok, but now to enable SELinux
(and I did try your recommendations, Daniel). It seems you have to go through
each of the directories, sub-directories and files in the chroots, and
set the context to match that of those in a typical RedHat install:
drwxr-xr-x root root system_u:object_r:device_t:s0 /chroot/dev
drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/etc
drwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib
drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/tmp
drwxr-xr-x root root system_u:object_r:usr_t:s0 /chroot/usr
drwxr-xr-x root root system_u:object_r:var_t:s0 /chroot/var
and the list goes on.....
I did that for every file, directory, etc,
using chcon, then added the contexts to SELinux with semanage.
That's fine and dandy. But now when the server
reboots Apache doesn't start. I can start it manually by running "service
httpd start" (which is a modified file for the chroot environment),
but it runs httpd unconfined. So I fooled around with: "run_init /etc/init.d/httpd
start", but that asks me for my password, then gives me an error message:
usr/local/www/bin/httpd: error while loading shared libraries: libssl.so.6: cannot open shared object file: Permission denied
So, has anyone actually run Apache, MySQL,
and PHP in chrooted jails in conjunction with SELinux?
I thought I was just following the recommendations
in the NSA guide, but man it sure is tough.....
Thanks,
Fred Schnittke
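The labelling step Fred describes (chcon on every path, then semanage), as an added example that is not part of his post: a POSIX sh script that reads ls -Z-style lines like the listing above, compares each directory's type against a reference table, and prints the semanage fcontext plus restorecon commands that make a label persistent. The chroot path, the reference types and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): check "ls -Z"-style chroot listings
# against a reference table and print a persistent fix for each mismatch.
# The reference types are constructed; on a real box take them from the
# matching path outside the chroot, e.g. "ls -Zd /etc".
CHROOT=/chroot
# Constructed reference: top-level directory name -> expected SELinux type
expected_type() {
    case "$1" in
        dev) echo device_t ;;
        etc) echo etc_t ;;
        lib) echo lib_t ;;
        tmp) echo tmp_t ;;
        usr) echo usr_t ;;
        var) echo var_t ;;
        *)   echo unknown ;;
    esac
}
# Type field of a context such as system_u:object_r:device_t:s0
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stdin: "perms user group context path" lines
# stdout: "path actual expected" for each entry whose type differs
check_labels() {
    while read -r perms user group ctx path; do
        [ -n "$path" ] || continue
        actual=$(type_of "$ctx")
        want=$(expected_type "${path#$CHROOT/}")
        [ "$actual" = "$want" ] || printf '%s %s %s\n' "$path" "$actual" "$want"
    done
}

# stdin: mismatch lines; stdout: semanage rule plus restorecon, so the
# label survives a relabel (a bare chcon is lost on restorecon/autorelabel)
fix_commands() {
    while read -r path actual want; do
        printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$want" "$path"
        printf 'restorecon -Rv %s\n' "$path"
    done
}
# Constructed sample: the listing from the post joined onto single lines
SAMPLE='drwxr-xr-x root root system_u:object_r:device_t:s0 /chroot/dev
drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/etc
drwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib
drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/tmp
drwxr-xr-x root root system_u:object_r:usr_t:s0 /chroot/usr
drwxr-xr-x root root system_u:object_r:var_t:s0 /chroot/var'
printf '%s\n' "$SAMPLE" | check_labels | fix_commands
```

On a live system, feed it `ls -Zd /chroot/*` and check the emitted commands against the reference host before running them; semanage rules survive a relabel, chcon labels do not.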