On 05/11/2010 02:57 PM, fred.schnittke@xxxxxxxxxx wrote:
> Hi:
>
> Mr. Walsh and Mr. Grift have replied to some of my earlier questions
> regarding SELinux and Apache on a RedHat server, thank-you very much.
> However, I'm still not able to get things up and running. Here's a little
> history on what I've been trying to do:
>
> I've been following the documentation in the NSA's "Guide to the Secure
> Configuration of Red Hat Enterprise Linux 5". There they do mention that
> you should chroot apache. We are also using MySQL and PHP and their
> documentation does not mention anything about chrooting mysql, and to be
> honest, I just could not get the RedHat pre-compiled version of MySQL to
> chroot, and work with the chroot'd Apache. So I took it upon myself to
> remove the pre-compiled rpm packages for Apache, MySQL, and PHP, in favor
> of downloading and compiling those packages myself and running them in the
> chroots.
>
> That worked out ok, but now to enable SELinux (and I did try your
> recommendations Daniel), it seems you have to go through each of the
> directories, sub-directories and files in the chroots, and set the context
> to match that of those in a typical RedHat install:
>
> drwxr-xr-x root root system_u:object_r:device_t:s0 /chroot/dev
> drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/etc
> drwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib
> drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/tmp
> drwxr-xr-x root root system_u:object_r:usr_t:s0 /chroot/usr
> drwxr-xr-x root root system_u:object_r:var_t:s0 /chroot/var
> and the list goes on.....
>
> I did that for every file, directory, etc, using chcon, then added the
> contexts to SELinux with semanage.
>
> That's fine and dandy. But now when the server reboots Apache doesn't
> start. I can start it manually by running "service httpd start" (which is
> a modified file for the chroot environment), but it runs httpd unconfined.
> So I fooled around with: "run_init /etc/init.d/httpd start", but that asks
> me for my password, then gives me an error message:
>
> usr/local/www/bin/httpd: error while loading shared libraries:
> libssl.so.6: cannot open shared object file: Permission denied
>
> So, has anyone actually run Apache, MySQL, and PHP in chrooted jails in
> conjunction with SELinux?
>
> I thought I was just following the recommendations in the NSA guide, but
> man it sure is tough.....
>
> Thanks,
>
> Fred Schnittke

I think the problem is that /chroot needs to have the label root_t; apache is
not allowed to search through default_t.

--
This message was distributed to subscribers of the selinux mailing list.
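As an added example (not code from either poster in this thread), the script below does two things the thread calls for: it prints the persistent semanage rules that give the jail the same labels the real filesystem carries, with the jail's top directory labeled root_t as the reply suggests, and it checks an `ls -dZ` listing for any component of the path httpd must walk that is still default_t. It assumes the jail is at /chroot and the hand-built httpd sits at /chroot/usr/local/www/bin/httpd, as in the quoted message; the type names are the ones the host's own directories carry under the targeted policy (`matchpathcon -n /lib` prints lib_t, `matchpathcon -n /etc` prints etc_t, and so on). The listing it checks is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread; not code from either poster.
# Assumptions: the jail is at /chroot and the hand-built httpd lives at
# /chroot/usr/local/www/bin/httpd, as in the quoted message. The types are
# the ones the host's own directories carry under the targeted policy
# (`matchpathcon -n /lib` prints lib_t, and so on).

CHROOT=${CHROOT:-/chroot}

# Emit the persistent labeling rules for the jail. The top directory gets
# root_t, exactly as / does; with chcon on the children alone it keeps the
# default_t that mkdir gave it, and httpd_t may not search a default_t
# directory, so every path below it (libssl.so.6 included) fails with
# "Permission denied". The commands are printed, not run, so the plan can
# be reviewed on a box without semanage; pipe it through `sh` on the server.
plan_chroot_labels() {
    root=$1
    cat <<EOF
semanage fcontext -a -t root_t "$root"
semanage fcontext -a -t device_t "$root/dev(/.*)?"
semanage fcontext -a -t etc_t "$root/etc(/.*)?"
semanage fcontext -a -t lib_t "$root/lib(/.*)?"
semanage fcontext -a -t tmp_t "$root/tmp(/.*)?"
semanage fcontext -a -t usr_t "$root/usr(/.*)?"
semanage fcontext -a -t var_t "$root/var(/.*)?"
semanage fcontext -a -t httpd_exec_t "$root/usr/local/www/bin/httpd"
restorecon -Rv "$root"
EOF
}

# Read `ls -dZ` lines (mode user group context path) and print every path
# whose SELinux type is default_t. Feed it each component of the path httpd
# has to walk, e.g.:
#   ls -dZ / /chroot /chroot/lib /chroot/lib/libssl.so.6 | find_default_t
find_default_t() {
    awk '{
        n = split($4, ctx, ":")          # user:role:type[:level]
        if (n >= 3 && ctx[3] == "default_t") print $5
    }'
}

# Constructed sample listing (not captured from a real host): the state the
# thread describes, where the children of /chroot were relabeled with chcon
# but /chroot itself was not.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root root system_u:object_r:root_t:s0 /
drwxr-xr-x root root system_u:object_r:default_t:s0 /chroot
drwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib
-rwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib/libssl.so.6
EOF
}

# Stand-alone run: first the directories that would block httpd_t, then the
# rules that fix them.
sample_listing | find_default_t
plan_chroot_labels "$CHROOT"
```

The reason for semanage plus restorecon rather than chcon is persistence: chcon changes only the inode, and the label is lost on a filesystem relabel, whereas an fcontext rule is consulted by restorecon and by any later relabel. After applying the plan, `ls -dZ /chroot` should show root_t, `semanage fcontext -l | grep '^/chroot'` should list the rules, and `run_init /etc/init.d/httpd start` followed by `ps -eZ | grep httpd` should show the daemon in httpd_t rather than unconfined. If it still fails, `ausearch -m avc -c httpd` shows which object and type the denial was on.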