Dan Walsh's Blog

Got SELinux?

Previous Entry Add to Memories Share Next Entry
Solution to /myapache labeling problem from yesterday...
Twitter's @Plaimclock  tweeted me @rhatdan yester. 
He pointed out that  yesterdays blog on SELinux Labeling did not provide a solution to the /myapache problem.

The solution is to label /myapache and all its children with a label httpd can read. 

You can figure this out by using:

man httpd_selinux

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.

            /usr/share/icecast(/.*)?,                  /usr/share/htdig(/.*)?,
            /etc/htdig(/.*)?,                         /var/www/svn/conf(/.*)?,
            /usr/share/doc/ghc/html(/.*)?,       /usr/share/mythtv/data(/.*)?,
            /var/lib/htdig(/.*)?,                         /srv/gallery2(/.*)?,
            /srv/([^/]*/)?www(/.*)?,               /usr/share/ntop/html(/.*)?,
            /usr/share/mythweb(/.*)?,                /var/lib/cacti/rra(/.*)?,
            /usr/share/openca/htdocs(/.*)?,            /usr/share/selinux-pol‐
            icy[^/]*/html(/.*)?,   /usr/share/drupal.*,   /var/lib/trac(/.*)?,
            /var/www(/.*)?, /var/www/icons(/.*)?


# ls -lZd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

You could simply put the labels in place using chcon.

chcon -R -t httpd_sys_content_t /myapache

The best solution is to tell SELinux about the label change.

# semanage fcontext -a -t httpd_sys_content_t '/myapache(/.*)?'
# restorecon -R -v /myapache


Note:  If you wanted to allow httpd to write to the directory you would use the httpd_sys_rw_content_t type.

Re: Deny process httpd read passwd (/etc/passwd) file


2012-06-19 12:35 pm (UTC)

That is actually a more difficult problem with the way we write policy now. Lots of apps are attempting to read /etc/passwd to translate the UID of apache or the UID of root. In Fedora 17 I have added a label to /etc/passwd which I am allowing most domains to read, only blocking domains like svirt and svirt_lxc, maybe denying read to apache via boolean?

One alternative way to handle this would be to use unshare and bind mounts to bind an locked down version of /usr/share/etc/passwd over /etc/passwd where the only accounts in /etc/passwd were system accounts and none of them were logginable. Then the apache process would be allowed to read /etc/passwd but would not be able to see user accounts.

No HTML allowed in subject


(will be screened)

You are viewing danwalsh