Dan Walsh's Blog

Got SELinux?


Solution to /myapache labeling problem from yesterday...
danwalsh
Twitter's @Plaimclock tweeted me (@rhatdan) yesterday.
He pointed out that yesterday's blog on SELinux labeling did not provide a solution to the /myapache problem.

The solution is to label /myapache and all its children with a label httpd can read. 

You can find the right type by using:

man httpd_selinux
...
      httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.

       Paths:
            /usr/share/icecast(/.*)?
            /usr/share/htdig(/.*)?
            /etc/htdig(/.*)?
            /var/www/svn/conf(/.*)?
            /usr/share/doc/ghc/html(/.*)?
            /usr/share/mythtv/data(/.*)?
            /var/lib/htdig(/.*)?
            /srv/gallery2(/.*)?
            /srv/([^/]*/)?www(/.*)?
            /usr/share/ntop/html(/.*)?
            /usr/share/mythweb(/.*)?
            /var/lib/cacti/rra(/.*)?
            /usr/share/openca/htdocs(/.*)?
            /usr/share/selinux-policy[^/]*/html(/.*)?
            /usr/share/drupal.*
            /var/lib/trac(/.*)?
            /var/www(/.*)?
            /var/www/icons(/.*)?



Or by looking at the label on an existing web root:

# ls -lZd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html


You could simply put the labels in place using chcon:

chcon -R -t httpd_sys_content_t /myapache

The best solution is to tell SELinux about the label change, so that it survives a relabel (chcon only rewrites the label on disk; a later restorecon or full filesystem relabel would reset /myapache to its default type, while semanage records the rule in the file context database):

# semanage fcontext -a -t httpd_sys_content_t '/myapache(/.*)?'
# restorecon -R -v /myapache


Done

Note: If you wanted to allow httpd to write to the directory, you would use the httpd_sys_rw_content_t type.
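As an added example (not from the post), the persistent labeling steps above wrapped in small POSIX sh functions, plus a check that parses an `ls -lZd` line to confirm the type httpd can read; the `ls` sample is constructed, and `label_dir` prints its commands when `DRY_RUN=1` so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not Dan's code: helpers around the semanage/restorecon recipe.

# Build the file-context regex semanage expects for a directory and everything
# under it: /myapache -> /myapache(/.*)?  Regex metacharacters in the path are
# escaped so a directory such as /srv/www.old stays literal.
fcontext_regex() {
    dir=${1%/}                                  # drop one trailing slash
    esc=$(printf '%s' "$dir" | sed 's/[.[\*^$]/\\&/g')
    printf '%s(/.*)?' "$esc"
}

# Persistently label DIR (and children) with TYPE: record the rule, then apply
# it on disk. With DRY_RUN=1 the commands are printed instead of executed.
label_dir() {
    dir=$1; ctype=$2
    regex=$(fcontext_regex "$dir")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf "semanage fcontext -a -t %s '%s'\n" "$ctype" "$regex"
        printf 'restorecon -R -v %s\n' "$dir"
    else
        semanage fcontext -a -t "$ctype" "$regex" && restorecon -R -v "$dir"
    fi
}

# Extract the SELinux type from one `ls -lZd` line: the context column is
# user:role:type:level, so the type is its third colon-separated field.
context_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# Return 0 when the line carries a type httpd is allowed to read.
readable_by_httpd() {
    case $(context_type "$1") in
        httpd_sys_content_t|httpd_sys_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, shaped like the `ls -lZd /var/www/html` output above.
SAMPLE_LS='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /myapache'

DRY_RUN=1 label_dir /myapache httpd_sys_content_t
readable_by_httpd "$SAMPLE_LS" && echo "/myapache is readable by httpd"
```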

Deny process httpd read passwd (/etc/passwd) file

Giang Nam

2012-06-18 08:32 am (UTC)

Hi Dan Walsh

How do I deny httpd read access to the passwd (/etc/passwd) file?
I want to write SELinux policy for the above problem.
Can you help me?


Re: Deny process httpd read passwd (/etc/passwd) file

danwalsh

2012-06-19 12:35 pm (UTC)

That is actually a more difficult problem with the way we write policy now. Lots of apps are attempting to read /etc/passwd to translate the UID of apache or the UID of root. In Fedora 17 I have added a label to /etc/passwd which I am allowing most domains to read, only blocking domains like svirt and svirt_lxc; maybe denying read to apache via a boolean?

One alternative way to handle this would be to use unshare and bind mounts to bind a locked-down version of /usr/share/etc/passwd over /etc/passwd, where the only accounts in /etc/passwd were system accounts and none of them were able to log in. Then the apache process would be allowed to read /etc/passwd but would not be able to see user accounts.

Re: Deny process httpd read passwd (/etc/passwd) file

lethanhthien

2012-06-20 09:51 am (UTC)

Thanks for helping me.
"maybe denying read to apache via a boolean?" Can I use a boolean?

Not currently; this is something we would need to add to policy.
