I am trying to bring kmotion under control of SeLinux, so how can I do it?
1) I tried context httpd_exec_t and httpd_t, but neither seems to work, so out of the zillions of options which do I use as these files are apache and python programs. (See log below):
semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion' semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin' semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
And these commands seemed to take without any errors reported but the context of the directory and files remain unchanged:
-rw-r--r--. <me> <me> unconfined_u:object_r:default_t:s0 /www/kmotion/www/vhosts/kmotion drwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 cgi_bin -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_arch.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_feeds.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_func.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_load.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_logs.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_out.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_ptz.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_settings_rd.py -rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_settings_wr.py
2) For fun, I also tried these steps for the above files:
chcon -t httpd_t cgi_bin chcon -t httpd_t cgi_bin/*
And I get: "chcon: failed to change context of <...>: Permission denied.", however, http_exec_t seems to take, but does not shut up selinux AVC denials.
==================================================== The following is what is reported from setroubleshooter tool ==================================================== Summary:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /www/kmotion/www/vhosts/kmotion.
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files /www/kmotion/www/vhosts/kmotion. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_mediawiki_htaccess_t, calamaris_www_t, udev_tbl_t, user_cron_spool_t, httpd_cache_t, httpd_tmp_t, httpd_tmpfs_t, iso9660_t, smokeping_var_lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t, rpm_tmp_t, mysqld_etc_t, cvs_data_t, var_lib_t, dirsrvadmin_tmp_t, sendmail_exec_t, cobbler_etc_t, configfile, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_cache_t, httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, logfile, httpd_mediawiki_tmp_t, samba_var_t, dirsrv_var_log_t, net_conf_t, user_tmp_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t, cert_type, etc_runtime_t, dirsrv_var_run_t, abrt_var_run_t, httpd_var_lib_t, httpd_var_run_t, httpd_suexec_exec_t, application_exec_type, httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t, httpd_user_htaccess_t, dirsrvadmin_config_t, user_home_t, httpd_squid_htaccess_t, chroot_exec_t, httpd_munin_htaccess_t, sysctl_crypto_t, httpd_sys_content_t, mailman_archive_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, abrt_t, bin_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, httpd_t, lib_t, lib_t, httpd_prewikka_htaccess_t, usr_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, httpd_rotatelogs_exec_t, abrt_helper_exec_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, ping_exec_t, cluster_conf_t, locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t, fonts_cache_t, httpd_exec_t, ld_so_t, httpd_lock_t, proc_t, httpd_log_t, sysfs_t, dirsrv_config_t, textrel_shlib_t, krb5_keytab_t, ssh_exec_t, passenger_exec_t, krb5_conf_t, fail2ban_var_lib_t, httpd_config_t, rpm_script_tmp_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t, root_t, user_home_t, httpd_dirsrvadmin_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_smokeping_cgi_content_t, httpd_awstats_script_exec_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_cobbler_content_t, httpd_mediawiki_content_t, krb5_host_rcache_t, httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t, httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /www/kmotion/www/vhosts/kmotion so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/www/kmotion/www/vhosts/kmotion'. where FILE_TYPE is one of the following: httpd_mediawiki_htaccess_t, calamaris_www_t, udev_tbl_t, user_cron_spool_t, httpd_cache_t, httpd_tmp_t, httpd_tmpfs_t, iso9660_t, smokeping_var_lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t, rpm_tmp_t, mysqld_etc_t, cvs_data_t, var_lib_t, dirsrvadmin_tmp_t, sendmail_exec_t, cobbler_etc_t, configfile, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_cache_t, httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, logfile, httpd_mediawiki_tmp_t, samba_var_t, dirsrv_var_log_t, net_conf_t, user_tmp_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t, cert_type, etc_runtime_t, dirsrv_var_run_t, abrt_var_run_t, httpd_var_lib_t, httpd_var_run_t, httpd_suexec_exec_t, application_exec_type, httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t, httpd_user_htaccess_t, dirsrvadmin_config_t, user_home_t, httpd_squid_htaccess_t, chroot_exec_t, httpd_munin_htaccess_t, sysctl_crypto_t, httpd_sys_content_t, mailman_archive_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, abrt_t, bin_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, httpd_t, lib_t, lib_t, httpd_prewikka_htaccess_t, usr_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, httpd_rotatelogs_exec_t, abrt_helper_exec_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, ping_exec_t, cluster_conf_t, locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t, fonts_cache_t, httpd_exec_t, ld_so_t, httpd_lock_t, proc_t, httpd_log_t, sysfs_t, dirsrv_config_t, textrel_shlib_t, krb5_keytab_t, ssh_exec_t, passenger_exec_t, krb5_conf_t, fail2ban_var_lib_t, httpd_config_t, rpm_script_tmp_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t, root_t, user_home_t, httpd_dirsrvadmin_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_smokeping_cgi_content_t, httpd_awstats_script_exec_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_cobbler_content_t, httpd_mediawiki_content_t, krb5_host_rcache_t, httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t, httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t. You can look at the httpd_selinux man page for additional information.
Additional Information:
Source Context system_u:system_r:httpd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:default_t:s0 Target Objects /www/kmotion/www/vhosts/kmotion [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host <host>.<domain>.com Source RPM Packages httpd-2.2.17-1.fc13.1 Target RPM Packages Policy RPM selinux-policy-3.7.19-101.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_bad_labels Host Name <host>.<domain>.com Platform Linux <host>.<domain>.com 2.6.34.9-69.fc13.i686 #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686 Alert Count 1 First Seen Thu 23 Jun 2011 03:53:08 AM PDT Last Seen Thu 23 Jun 2011 03:53:08 AM PDT Local ID 6611a91e-3b6b-4ed8-9ac1-a6bf0d08f5ca Line Numbers
Raw Audit Messages
node=<host>.<domain>.com type=AVC msg=audit(1308826388.806:65944): avc: denied { getattr } for pid=28408 comm="httpd" path="/www/kmotion/www/vhosts/kmotion" dev=sda10 ino=5637335 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
node=<host>.<domain>.com type=SYSCALL msg=audit(1308826388.806:65944): arch=40000003 syscall=195 success=yes exit=0 a0=176fa30 a1=bf903050 a2=994ff4 a3=8000 items=0 ppid=28407 pid=28408 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=335 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/23/2011 09:21 PM, Daniel B. Thurman wrote:
I am trying to bring kmotion under control of SeLinux, so how can I do it?
- I tried context httpd_exec_t and httpd_t, but neither seems to work, so out of the zillions of options which do I use as these files are
apache and python programs. (See log below):
semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion' semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin' semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
semanage fcontext -d -t httpd_t '/www/kmotion/www/vhosts/kmotion' semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin' semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?" semanage fcontext -a -t httpd_sys_script_exec_t "/www/kmotion/www/www/cgi_bin(/.*)?"
restorecon -R -v -F /www
I think that should do it
On 06/23/2011 12:27 PM, Dominick Grift wrote:
On 06/23/2011 09:21 PM, Daniel B. Thurman wrote:
I am trying to bring kmotion under control of SeLinux, so how can I do it?
- I tried context httpd_exec_t and httpd_t, but neither seems to work, so out of the zillions of options which do I use as these files are
apache and python programs. (See log below):
semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion' semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin' semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
semanage fcontext -d -t httpd_t '/www/kmotion/www/vhosts/kmotion' semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin' semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?" semanage fcontext -a -t httpd_sys_script_exec_t "/www/kmotion/www/www/cgi_bin(/.*)?"
restorecon -R -v -F /www
I think that should do it
Almost worked! I had to add to do:
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/apache_logs(/.*)?" restorecon -R -v -F /www
And I was able to start httpd running on system reboot. However, while kmotion was running and doing things, I had to add:
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/image_dbase(/.*)?" semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/mutex/www_rc" restorecon -R -v -F /www
But I ran into a tough nut to crack, setroubleshooter was complaining:
+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files last_jpeg. + SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files event.
These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:
semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?" restorecon -R -v -F /dev/shm/kmotion_ramdisk/
and yet, the odd-ball here is that all the files in this directory shows context as:
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Look carefully ==> _rw_ <== is put into the wrong position!
I could test this using chcon and the results are the same.
Something is preventing me from properly labelling the files in /dev/shm/kmotion_ramdisk area since _rw_ is put after 'sys' instead of after 'content'!
I tried:
chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk (_rw_ is in the wrong position)
I also tried to see if I get a different result as if _rw_ would be swapped:
chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk (_rw_ is still in the wrong position)
How do I fix this?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/23/2011 11:36 PM, Daniel B. Thurman wrote:
Almost worked! I had to add to do:
But I ran into a tough nut to crack, setroubleshooter was complaining:
- SELinux is preventing /usr/sbin/httpd from using potentially
mislabeled files last_jpeg.
- SELinux is preventing /usr/sbin/httpd from using potentially
mislabeled files event.
These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:
semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?" restorecon -R -v -F /dev/shm/kmotion_ramdisk/
and yet, the odd-ball here is that all the files in this directory shows context as:
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Yes those two types are aliased buth have the same properties. i never understand why they did that.
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Look carefully ==> _rw_ <== is put into the wrong position!
I could test this using chcon and the results are the same.
Something is preventing me from properly labelling the files in /dev/shm/kmotion_ramdisk area since _rw_ is put after 'sys' instead of after 'content'!
I tried:
chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk (_rw_ is in the wrong position)
I also tried to see if I get a different result as if _rw_ would be swapped:
chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk (_rw_ is still in the wrong position)
How do I fix this?
I dont see a need to fix that since those types are aliased.
You have another issue here though.
/dev//shm is a tmpfs meaning each time you boot it will be cleared.
i do not think that httpd_t is allowed to create files in /dev/shm by default.
So you would in that case need to allow httpd_t to create files (and directories) there. To do that properly you would probably need to create a type owned by apache, and allow apache to type transition in tmpfs_t directories.
example:
myapache.te
policy_module(myapache, 1.0.0)
gen_require(` type httpd_t; ')
type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t)
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file })
then:
make -f /usr/share/selinux/devel/Makefile myapache.pp sudo semodule myapache.pp
service httpd stop rm -rf /dev/shm/kmotion_ramdisk service httpd start
If you would implement that policy then httpd_t would be allowed to create dirs and files in /dev/shm and it would create them with type httpd_tmpfs_t automatically.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 06/23/2011 02:49 PM, Dominick Grift wrote:
On 06/23/2011 11:36 PM, Daniel B. Thurman wrote:
Almost worked! I had to add to do:
But I ran into a tough nut to crack, setroubleshooter was complaining:
- SELinux is preventing /usr/sbin/httpd from using potentially
mislabeled files last_jpeg.
- SELinux is preventing /usr/sbin/httpd from using potentially
mislabeled files event.
These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:
semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?" restorecon -R -v -F /dev/shm/kmotion_ramdisk/
and yet, the odd-ball here is that all the files in this directory shows context as:
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context
system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Yes those two types are aliased buth have the same properties. i never understand why they did that.
restorecon reset /dev/shm/kmotion_ramdisk/events context
system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Look carefully ==> _rw_ <== is put into the wrong position!
I could test this using chcon and the results are the same.
Something is preventing me from properly labelling the files in /dev/shm/kmotion_ramdisk area since _rw_ is put after 'sys' instead of after 'content'!
I tried:
chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk (_rw_ is in the wrong position)
I also tried to see if I get a different result as if _rw_ would be
swapped:
chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk (_rw_ is still in the wrong position)
How do I fix this?
I dont see a need to fix that since those types are aliased.
You have another issue here though.
/dev//shm is a tmpfs meaning each time you boot it will be cleared.
i do not think that httpd_t is allowed to create files in /dev/shm by default.
So you would in that case need to allow httpd_t to create files (and directories) there. To do that properly you would probably need to create a type owned by apache, and allow apache to type transition in tmpfs_t directories.
example:
Do you mean that I must create an empty file called: myapache.te
myapache.te
Then add the following...
policy_module(myapache, 1.0.0)
gen_require(` type httpd_t; ')
type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t)
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file })
to here....
then:
make -f /usr/share/selinux/devel/Makefile myapache.pp
I assume that the above make looks for myapache.te in the same directory?
Using kmotionApache.te
The results I got when doing the above on my Desktop space: ======================================= $ make -f /usr/share/selinux/devel/Makefile kmotionApache.pp find: `Falstad': No such file or directory find: `site': No such file or directory Compiling targeted kmotionApache module /usr/bin/checkmodule: loading policy configuration from tmp/kmotionApache.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/kmotionApache.mod Creating targeted kmotionApache.pp policy package rm tmp/kmotionApache.mod.fc tmp/kmotionApache.mod ======================================= These files were created: + kmotionApache.if (0 length file) + kmotionApache.fc (0 length file) + kmotionApache.pp (binary file)
So at this point, I do not want to proceed until I am certain that I am getting the right results.... I cannot check out kmotionApache.pp since it is a binary file...
sudo semodule myapache.pp
service httpd stop rm -rf /dev/shm/kmotion_ramdisk service httpd start
If you would implement that policy then httpd_t would be allowed to create dirs and files in /dev/shm and it would create them with type httpd_tmpfs_t automatically.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/24/2011 12:07 AM, Daniel B. Thurman wrote:
Compiling targeted kmotionApache module /usr/bin/checkmodule: loading policy configuration from tmp/kmotionApache.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/kmotionApache.mod Creating targeted kmotionApache.pp policy package rm tmp/kmotionApache.mod.fc tmp/kmotionApache.mod ======================================= These files were created:
- kmotionApache.if (0 length file)
- kmotionApache.fc (0 length file)
- kmotionApache.pp (binary file)
So at this point, I do not want to proceed until I am certain that I am getting the right results.... I cannot check out kmotionApache.pp since it is a binary file...
This looks ok to me.
sudo semodule myapache.pp
service httpd stop rm -rf /dev/shm/kmotion_ramdisk service httpd start
If you would implement that policy then httpd_t would be allowed to create dirs and files in /dev/shm and it would create them with type httpd_tmpfs_t automatically.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 06/23/2011 03:25 PM, Dominick Grift wrote:
On 06/24/2011 12:07 AM, Daniel B. Thurman wrote:
Compiling targeted kmotionApache module /usr/bin/checkmodule: loading policy configuration from tmp/kmotionApache.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/kmotionApache.mod Creating targeted kmotionApache.pp policy package rm tmp/kmotionApache.mod.fc tmp/kmotionApache.mod ======================================= These files were created:
- kmotionApache.if (0 length file)
- kmotionApache.fc (0 length file)
- kmotionApache.pp (binary file)
So at this point, I do not want to proceed until I am certain that I am getting the right results.... I cannot check out kmotionApache.pp since it is a binary file...
This looks ok to me.
sudo semodule myapache.pp
service httpd stop rm -rf /dev/shm/kmotion_ramdisk service httpd start
If you would implement that policy then httpd_t would be allowed to create dirs and files in /dev/shm and it would create them with type httpd_tmpfs_t automatically.
I decided to forego this step, since I relocated kmotion_ramdisk from /dev/shm to /www/kmotion for a couple of reasons; the /dev/shm space is too small for potentially large collection of kmotion files, and there are too many issues WRT to the fact that rebooting could clear the file structure, and it is difficult to keep up with changing context of which would annoy Selinux. Because SeLinux no longer complains, I removed the ramdisk context entry.
So far, everything seems to work.
Thank you for your help!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/23/2011 05:49 PM, Dominick Grift wrote:
On 06/23/2011 11:36 PM, Daniel B. Thurman wrote:
Almost worked! I had to add to do:
But I ran into a tough nut to crack, setroubleshooter was complaining:
- SELinux is preventing /usr/sbin/httpd from using potentially
mislabeled files last_jpeg.
- SELinux is preventing /usr/sbin/httpd from using potentially
mislabeled files event.
These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:
semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?" restorecon -R -v -F /dev/shm/kmotion_ramdisk/
and yet, the odd-ball here is that all the files in this directory shows context as:
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Yes those two types are aliased buth have the same properties. i never understand why they did that.
We defined the type httpd_sys_content_rw_t originally, but upstream wanted it changed to httpd_sys_rw_content_t, so we created an ALIAS rather then forcing everyone to relabel.
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Look carefully ==> _rw_ <== is put into the wrong position!
I could test this using chcon and the results are the same.
Something is preventing me from properly labelling the files in /dev/shm/kmotion_ramdisk area since _rw_ is put after 'sys' instead of after 'content'!
I tried:
chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk (_rw_ is in the wrong position)
I also tried to see if I get a different result as if _rw_ would be swapped:
chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk (_rw_ is still in the wrong position)
How do I fix this?
I dont see a need to fix that since those types are aliased.
You have another issue here though.
/dev//shm is a tmpfs meaning each time you boot it will be cleared.
i do not think that httpd_t is allowed to create files in /dev/shm by default.
So you would in that case need to allow httpd_t to create files (and directories) there. To do that properly you would probably need to create a type owned by apache, and allow apache to type transition in tmpfs_t directories.
example:
myapache.te
policy_module(myapache, 1.0.0)
gen_require(` type httpd_t; ')
type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t)
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file })
We have this code in all Current Fedora 15 and beyond policy and RHEL6.
then:
make -f /usr/share/selinux/devel/Makefile myapache.pp sudo semodule myapache.pp
service httpd stop rm -rf /dev/shm/kmotion_ramdisk service httpd start
If you would implement that policy then httpd_t would be allowed to create dirs and files in /dev/shm and it would create them with type httpd_tmpfs_t automatically.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
- -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
selinux@lists.fedoraproject.org