Am Mittwoch, den 29.06.2011, 19:15 +0200 schrieb Dominick Grift:
> On Wed, 2011-06-29 at 18:57 +0200, Paul Menzel wrote:
> > I am running Debian Squeeze with SELinux and Apache.
> >
> > In Apache I configured a secured section using `AuthType Basic` with
> > `AuthUserFile /srv/site.htpasswd`. It works when the state of the system
> > is permissive. When in enforcing state the following error is logged.
> >
> > type=AVC msg=audit(1308090063.174:17742): avc: denied { getattr } for pid=1412 comm="apache2" path="/srv/www/www.example.net/foo/bar.tar.gz" dev=xvda ino=425775 scontext=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> > type=SYSCALL msg=audit(1308090063.174:17742): arch=c000003e syscall=6 success=no exit=-13 a0=7f9da985eb38 a1=7fff8da1e6f0 a2=7fff8da1e6f0 a3=1 items=0 ppid=29237 pid=1412 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" subj=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
> >
> > Is there a recommended location for these password files or a
> > recommended way what policies to set. Not being sure of the correct
> > search term for this I found plenty of sites regarding SELinux and
> > Apache but nothing related to my problem in the results. If you could
> > point me to some specific documentation that would be great too.
> If you are using a different location for your web server then it is
> best to clone the web server locations file contexts.
Understood. This is off-topic, but do password files belong to the Web
server configuration and should be stored in `/etc/apache2/`? You could
argue passwords belong to the Web site and when you move it you should
easily move the passwords with you. On the other hand the secured
directories are also listed in the Web server configuration file under
`/etc/apache2/` and therefore you cannot move the site without moving or
duplication the Web server configuration files either.
> In fedora the semanage command has a handy option to do this very
> easily:
>
> # semanage fcontext -a -e /var/www /srv/www
> # restorecon -R -v /srv/www
>
> this will clone all the file context specifications for /var/www and its
> children to apply for /srv/www as well
>
> If debian does not support this option then you would do it manually.
`semanage` is also included in Debian.
> 1. to list the file context specs for /var/www and its children:
>
> # semanage fcontext -l | grep /var/www
Thank you for this hint. Using it I could figure out that it already
includes the following policies(?).
$ sudo semanage fcontext -l | less
[…]
/srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
[…]
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
[…]
Also the password file seemed to have the correct contexts(?).
$ ls -Z /srv/site.htpasswd
system_u:object_r:httpd_sys_content_t /srv/site.htpasswd
> 2. an example of how you would add a file context spec for /var/www:
>
> # semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
> # restorecon -R -v /srv/www
>
> (This is just one example)
Then looking at the file to be served in question I found out that it
had the wrong context.
$ ls -Z /srv/www/site/restricted/*
unconfined_u:object_r:user_home_t /srv/www/site/restricted/bar.tar.gz
$ sudo restorecon -v /srv/www/site/restricted/bar.tar.gz
[…]
$ ls -Z /srv/www/site/restricted/*
system_u:object_r:httpd_sys_content_t /srv/www/site/restricted/bar.tar.gz
That solved my problem. The reason seems to be that I had that file
first in my home directory and then used
sudo mv ~/bar.tar.gz /srv/www/…
to move it to the Web site directory. `mv` seems to preserve the old
SELinux contexts and I have to relabel it afterward. Is there a way to
make the relabel step obsolete?
> The issue is that objects are labelled with contexts which include types
> which are used for type enforcement. Each type has a set of properties
> that matches the characteristics of the object in relation to the
> subjects that needs to interact with it.
>
> So it is important that each object gets the proper context.
Thank you very much for your detailed explanation and writing down the
commands. That helped me a lot.
Thanks,
Paul
Attachment:
signature.asc
Description: This is a digitally signed message part
