Hi,
I am trying to set contexts on httpd files on a server running CentOS release 6.4 (Final). The server has several httpd instances running, serving different hosts.
The directory tree is:
/WEBS/client_name/service_name/ contains configuration files, documents to serve, ...
/WEBLOGS/client_name/service_name/ contains httpd logs
/WEBDATA/client_name/service_name/ contains data
Here are the rules I wrote:
[root@odbfi007v ~]# semanage fcontext -l | grep WEB
/WEBDATA/lost+found(/.*)?        all files  system_u:object_r:lost_found_t:s0
/WEBLOGS(/.*)                    all files  system_u:object_r:httpd_log_t:s0
/WEBLOGS/lost+found(/.*)?        all files  system_u:object_r:lost_found_t:s0
/WEBS/[^/]+/[^/]+/conf(/.*)?     all files  system_u:object_r:httpd_config_t:s0
/WEBS/[^/]+/[^/]+/docs(/.*)?     all files  system_u:object_r:httpd_sys_content_t:s0
/WEBS/[^/]+/[^/]+/logs           all files  system_u:object_r:httpd_log_t:s0
/WEBS/lost+found(/.*)?           all files  system_u:object_r:lost_found_t:s0
I would like to set a default type on /WEBS and its subfolders:
semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)?'
restorecon -Rv /WEBS*
However, this command sets the type httpd_sys_content_t recursively on everything in /WEBS. What is the priority between file context rules? I thought more precise rules would prevail over others.
Regards,
Hervé
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
On Mon, 2013-11-18 at 15:22 +0100, Vidalie Hervé wrote:
I would like to set a default type on /WEBS and its subfolders:
semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)?'
restorecon -Rv /WEBS*
However, this command sets the type httpd_sys_content_t recursively on everything in /WEBS. What is the priority between file context rules? I thought more precise rules would prevail over others.
I can't answer your last question since I was under the same impression, but:
You can use:
semanage fcontext -m -t httpd_sys_content_t -f -d '/WEBS(/.*)?'
To modify the spec to make it apply to directories only (note the -f -d)
This will unfortunately put an unwanted type on some subdirectories (for example on /WEBS/client/service/conf) and won't set the type httpd_sys_content_t on my untyped files.
On 11/18/2013 09:35 AM, Vidalie Hervé wrote:
This will unfortunately put an unwanted type on some subdirectories (for example on /WEBS/client/service/conf) and won't set the type httpd_sys_content_t on my untyped files.
Local changes will win. Which is what you are seeing. I think there is an open bug on last change winning, when adding file context. So you want to add your general change first.
Thanks for the answer.
I have another question: I put my log files in a dir labeled httpd_log_t and I got these errors:
Nov 18 17:01:02 odbfi007v kernel: type=1400 audit(1384790462.366:9): avc: denied { remove_name } for pid=1483 comm="httpd" name="httpd.pid" dev=dm-12 ino=55301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
Nov 18 17:01:02 odbfi007v kernel: type=1400 audit(1384790462.372:10): avc: denied { unlink } for pid=1483 comm="httpd" name="httpd.pid" dev=dm-12 ino=55301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
Is it due to a misconfiguration?
Hervé
On 11/18/2013 11:48 AM, Vidalie Hervé wrote:
Thanks for the answer.
I have another question: I put my log files in a dir labeled httpd_log_t and I got these errors:
Nov 18 17:01:02 odbfi007v kernel: type=1400 audit(1384790462.366:9): avc: denied { remove_name } for pid=1483 comm="httpd" name="httpd.pid" dev=dm-12 ino=55301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
Nov 18 17:01:02 odbfi007v kernel: type=1400 audit(1384790462.372:10): avc: denied { unlink } for pid=1483 comm="httpd" name="httpd.pid" dev=dm-12 ino=55301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
Label them httpd_sys_rw_content_t. Apache is only able to append to its logs not delete them.
On Mon, Nov 18, 2013 at 15:22:08 +0100, Vidalie Hervé herve.vidalie@worldline.com wrote:
I would like to set a default type on /WEBS and its subfolders:
semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)?'
restorecon -Rv /WEBS*
However, this command sets the type httpd_sys_content_t recursively on everything in /WEBS. What is the priority between file context rules? I thought more precise rules would prevail over others.
Note that the context files really just work when doing relabelling with restorecon or fixfiles. What gets applied when a new file is created is going to be governed by policy. (Though inheriting from the directory the file is being created in is the common default.) You can have rules based on the creating process' label, the label of the directory the file is being created in and in recent kernels (I am not sure if this is in RHEL6, but is in current Fedora) the name (no wildcards) of the file.
Thank you for your clarification.
How do I modify the current policy to add a default context to some paths without using semanage fcontext -a? Where can I find the sources of the policy I use? (I am using selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
Regards,
Hervé
On 11/20/2013 04:34 AM, Vidalie Hervé wrote:
Thank you for your clarification.
How do I modify the current policy to add a default context to some paths without using semanage fcontext -a? Where can I find the sources of the policy I use? (I am using selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
There are two ways of adding file context mappings, either add them to a policy package (pp) file and install them, or use semanage fcontext.
If you use a policy package the labeling will work with the existing labeling, while semanage fcontext -a will take precedence.
semanage fcontext -a -e /var/www /WWW
Might also be useful for saying labels under one directory should be like labels under a different directory.
What labeling are you trying to setup?
Hello,
I am trying to label httpd files on a server running multiple instances of httpd.
/WEBS/client_name/service_name/ contains configuration files, documents to serve, …
/WEBLOGS/client_name/service_name/ contains httpd logs
/WEBDATA/client_name/service_name/ contains data
This is my goal:
/WEBS/                                                 httpd_sys_content_t
/WEBS/lost+found(/.*)?                                 lost_found_t
/WEBS/client_name/                                     httpd_sys_content_t
/WEBS/client_name/service_name/                        httpd_sys_content_t
/WEBS/client_name/service_name/bin/ and its content    httpd_sys_content_t
/WEBS/client_name/service_name/conf/ and its content   httpd_sys_content_t httpd_config_t
/WEBS/client_name/service_name/docs/ and its content   httpd_sys_content_t
/WEBS/client_name/service_name/init/ and its content   httpd_sys_content_t
/WEBS/client_name/service_name/logs/ -> /WEBLOGS/client_name/service_name/   httpd_log_t (might be wrong)
/WEBLOGS/client_name/service_name/readme/ and its content   httpd_sys_content_t
/WEBDATA/                                              httpd_sys_content_t
/WEBDATA/lost+found(/.*)?                              lost_found_t
/WEBDATA/client_name/                                  httpd_sys_content_t
/WEBDATA/client_name/service_name/ and its content     httpd_sys_rw_content_t
/WEBLOGS/                                              httpd_sys_content_t
/WEBLOGS/lost+found(/.*)?                              lost_found_t
/WEBLOGS/client_name/                                  httpd_sys_content_t
/WEBLOGS/client_name/service_name/                     httpd_sys_content_t
/WEBLOGS/client_name/service_name/*                    httpd_log_t
Would this labeling be correct?
I already tried to run the following commands:
semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)'
semanage fcontext -a -t httpd_sys_content_t '/WEBDATA(/.*)'
semanage fcontext -a -t httpd_log_t '/WEBLOGS(/.*)'
semanage fcontext -a -t lost_found_t '/WEBS/lost+found(/.*)?'
semanage fcontext -a -t lost_found_t '/WEBLOGS/lost+found(/.*)?'
semanage fcontext -a -t lost_found_t '/WEBDATA/lost+found(/.*)?'
semanage fcontext -a -t httpd_config_t '/WEBS/[^/]+/[^/]+/conf(/.*)?'
semanage fcontext -a -t httpd_log_t '/WEBS/[^/]+/[^/]+/logs'
restorecon -Rv /WEB*
Encountered problems:
- Already discussed: httpd_log_t is not enough for httpd to create new log files -> to be replaced with httpd_sys_rw_content_t
- New files (for example logs) are not correctly labeled (they are labeled like the folder)
I would like to create a policy package file to add these file context mappings. How do I add mapping rules and rules for automatically labeling created files?
Another question: where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
Regards,
Hervé Vidalie
On Tue, 2013-12-03 at 16:50 +0100, Vidalie Hervé wrote:
Encountered problems:
- Already discussed: httpd_log_t is not enough for httpd to create new log files -> to be replaced with httpd_sys_rw_content_t
- New files (for example logs) are not correctly labeled (they are labeled like the folder)
This:
[root@d30 rules.d]# sesearch -ASC -d -t httpd_sys_ra_content_t
Found 7 semantic av rules:
   allow httpd_sys_ra_content_t httpd_sys_ra_content_t : filesystem associate ;
   allow httpd_sys_script_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ;
   allow httpd_sys_script_t httpd_sys_ra_content_t : dir { ioctl read write getattr lock add_name search open } ;
   allow httpd_sys_script_t httpd_sys_ra_content_t : lnk_file { read getattr } ;
ET allow httpd_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ; [ httpd_builtin_scripting ]
ET allow httpd_t httpd_sys_ra_content_t : dir { ioctl write getattr lock add_name search open } ; [ httpd_builtin_scripting ]
ET allow httpd_t httpd_sys_ra_content_t : lnk_file { read getattr } ; [ httpd_builtin_scripting ]
...tells me that, at least on my system, both httpd_t and httpd_sys_script_t processes are allowed to create new log files (files with type httpd_sys_ra_content_t) in directories with type httpd_sys_ra_content_t.
So instead of using httpd_log_t (which I would not use for any logs other than /var/log/httpd in the first place), use httpd_sys_ra_content_t. This is the type for readable/appendable (and creatable but not writable) files by httpd_t and httpd_sys_script_t.
This:
semanage fcontext -a -t httpd_log_t '/WEBS/[^/]+/[^/]+/logs'
...is wrong. Use this instead:
semanage fcontext -a -t httpd_sys_ra_content_t '/WEBS/[^/]+/[^/]+/logs(/.*)?'
Then restorecon -R -v -F /WEBS/*/*/logs
On 12/03/2013 11:21 AM, Dominick Grift wrote:
I am not sure I would label lost+found directory differently. Since this is still httpd_sys_content_t.
The only reason to label content httpd_log_t versus httpd_sys_ra_content_t is if the log files need to be used by log applications like logrotate.
On Wed, 2013-12-04 at 09:37 -0500, Daniel J Walsh wrote:
The only reason to label content httpd_log_t versus httpd_sys_ra_content_t is if the log files need to be used by log applications like logrotate.
Yes, afaik these log files are usually not automatically rotated, and I am also looking at this from a confined user perspective.
I would rather give a user permission to manage httpd_sys_ra_content_t files than httpd_log_t.
These are virtual hosts, so I assume that the customer needs to be able to manage content of the vhost they own.
Depending on the properties of the setup I might have used a different config altogether.
Hello,
Thank you for your answers.
I have two remaining questions:
- I would like to create a policy package file to add these file context mappings. How do I add mapping rules and rules for automatically labeling created files?
- Where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
Regards,
Hervé Vidalie
On Thu, 2013-12-05 at 17:12 +0100, Vidalie Hervé wrote:
Hello,
Thank you for your answers.
I have two remaining questions:
- I would like to create a policy package file to define these file context mappings. How do I add mapping rules and rules for automatically labeling created files?
- Where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
I will give you an example.
For example, let's say I want to create a policy package that associates system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it.
cat > mywww.te <<EOF
policy_module(mywww, 1.0.0)
gen_require(`
type httpd_sys_content_t
')
EOF
The above creates a file with name mywww.te. The first line declares a new policy module of name mywww with version 1.0.0. The second line imports the httpd_sys_content_t type identifier. Type identifiers that are declared outside of this module need to be imported into this module before we can use them.
The system_u, object_r, and s0 identifiers do not need to be imported because they are core identifiers that are automatically imported when you declare a policy module (the first line)
cat > mywww.fc <<EOF
/mywww(/.*)? system_u:object_r:httpd_sys_content_t:s0
EOF
The above creates a file with name mywww.fc. The line in this file specifies the file context: it associates the security context system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it. The (/.*)? is a POSIX regular expression statement.
make -f /usr/share/selinux/devel/Makefile mywww.pp
The above command creates a mywww.pp file. This is a policy package that we can use to load the policy into the system.
sudo semodule -i mywww.pp
The above command loads the policy package into the system. This will be persistent
To remove it:
sudo semodule -r mywww
See man semodule for more details on how to manage policy packages.
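As an added example (not part of the thread), the mywww.te/mywww.fc/make/semodule steps above applied to the /WEBS layout from the start of the thread, with the log labelling suggested earlier (httpd_sys_ra_content_t rather than httpd_log_t). The module name "webs", the client/service directory depth and the use of seinfo from setools to check type names are assumptions.

```shell
#!/bin/sh
# Added example: package the /WEBS file-context mappings as a policy module.
# Assumptions: module name "webs", /WEBS/<client>/<service>/{conf,docs,logs},
# and setools' seinfo available for the type-name check.
set -eu

MODULE=webs

# Type-enforcement file. Only policy_module() is needed when the module
# carries nothing but file contexts.
gen_te() {
    printf 'policy_module(%s, 1.0.0)\n' "$MODULE"
}

# File-context file. The general /WEBS(/.*)? entry sits beside the more
# specific per-service entries; labels follow the thread's choices
# (conf -> httpd_config_t, docs -> httpd_sys_content_t,
# logs -> httpd_sys_ra_content_t so a confined user can manage them).
gen_fc() {
    cat <<'EOF'
/WEBS(/.*)?                     system_u:object_r:httpd_sys_content_t:s0
/WEBS/[^/]+/[^/]+/conf(/.*)?    system_u:object_r:httpd_config_t:s0
/WEBS/[^/]+/[^/]+/docs(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/WEBS/[^/]+/[^/]+/logs(/.*)?    system_u:object_r:httpd_sys_ra_content_t:s0
EOF
}

# Types referenced by the .fc, one per line, deduplicated. A mistyped type
# name in an .fc file is not rejected at build time, so check it yourself.
fc_types() {
    gen_fc | awk '{ split($NF, c, ":"); print c[3] }' | sort -u
}

# Verify every referenced type exists in the loaded policy (assumes seinfo
# exits non-zero for an unknown type).
check_types() {
    for t in $(fc_types); do
        seinfo -t "$t" >/dev/null 2>&1 || { echo "unknown type: $t" >&2; return 1; }
    done
}

# Build, load and apply: the make / semodule -i / restorecon steps.
build_and_install() {
    check_types
    dir=$(mktemp -d)
    gen_te > "$dir/$MODULE.te"
    gen_fc > "$dir/$MODULE.fc"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$dir/$MODULE.pp"
    restorecon -Rv /WEBS
    matchpathcon /WEBS/client1/svc1/logs/error_log   # show the merged result
}
```

Run build_and_install as root on the target host; gen_te, gen_fc and fc_types can be inspected anywhere first.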
On 12/05/2013 11:26 AM, Dominick Grift wrote:
On Thu, 2013-12-05 at 17:25 +0100, Dominick Grift wrote:
gen_require(` type httpd_sys_content_t ')
There is a syntax error here. It should be:
gen_require(` type httpd_sys_content_t; ')
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
The gen_require line is not necessary.
All you need to create a pp file with a file context is the policy_module line and the fc file.
On Thu, 2013-12-05 at 14:24 -0500, Daniel J Walsh wrote:
The gen_require line is not necessary.
All you need to create a pp file with a file context is the policy_module line and the fc file.
Thanks for correcting. Could you please also explain why the type does not have to be required if it's only used in a file context spec?
On 12/05/2013 03:27 PM, Dominick Grift wrote:
On Thu, 2013-12-05 at 14:24 -0500, Daniel J Walsh wrote:
The gen_require line is not necessary.
All you need to create a pp file with a file context is the policy_module line and the fc file.
Thanks for correcting. Could you please also explain why the type does not have to be required if it's only used in a file context spec?
I guess the compiler is not built to catch this, since accidentally putting the wrong name into an FC file does happen.
Thank you all for your answers
-----Original Message-----
From: Dominick Grift [mailto:dominick.grift@gmail.com]
Sent: Thursday, 5 December 2013 17:26
To: Vidalie Hervé
Cc: Daniel J Walsh; Bruno Wolff III; selinux@lists.fedoraproject.org
Subject: Re: priority between file context rules