Hi, Dan!
That's great that you spent some time reading my blog entry.
Thanks for the great cheat-sheet for Apache booleans on RHEL6-7.

By the way, I want to note that I ran the test on unmodified configurations.
A better experience was shown in another of my exercises:
http://ptresearch.blogspot.com/2012/07/introduction-to-selinux-modification-of.html

Watch for Drupal Magazine Blog that further discusses Apache and SELinux

lsox, thanks. I will read your blog; any time you write on SELinux, make sure you tweet it to me.

Nice writeup, but still too complex

In an ideal world, SELinux policies would be generated automatically by the system by parsing Apache config files.
Really, having to configure everything twice in separate places is too hard. Hard to remember, hard to maintain.
Heck, most sysadmins can not even properly set up Apache configuration for proper security...

Re: Nice writeup, but still too complex

I agree. Patches accepted. :^)

The problem here is that SELinux confines a lot more than just Apache. Writing a tool that would figure out each package's configuration is just impossible. But since Apache is the most complicated, it would be cool to write a config tool that could analyze the Apache config and then configure SELinux labeling and booleans to match the config. Watch for a much longer article about to be published in Drupal Magazine on SELinux and Apache configuration.

Apache security - contd.

In continuation of my previous mail...

The 'allow httpd_t...' rules posted are generated from avc: denied messages.

Regards
Salim Pathan

Re: Apache security - contd.

Looks like you are running an SELinux-aware application within the httpd_t domain. One that is actually trying to set up proper labeling, perhaps a Kerberos library.

Re: Apache security - contd.

I'm getting these AVC messages (SELinux in Permissive mode) when restarting the httpd daemon:

type=AVC msg=audit(1350035968.613:18551): avc: denied { read } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035968.613:18551): avc: denied { open } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18552): avc: denied { search } for pid=6303 comm="httpd" name="selinux" dev=sda3 ino=128829 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1350035970.009:18552): avc: denied { read } for pid=6303 comm="httpd" name="config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18552): avc: denied { open } for pid=6303 comm="httpd" name="config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18553): avc: denied { getattr } for pid=6303 comm="httpd" path="/etc/selinux/config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18554): avc: denied { search } for pid=6303 comm="httpd" name="contexts" dev=sda3 ino=129181 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1350035970.009:18554): avc: denied { search } for pid=6303 comm="httpd" name="files" dev=sda3 ino=129187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1350035970.010:18555): avc: denied { read } for pid=6303 comm="httpd" name="file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.010:18555): avc: denied { open } for pid=6303 comm="httpd" name="file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.010:18556): avc: denied { getattr } for pid=6303 comm="httpd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.132:18557): avc: denied { setfscreate } for pid=6303 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process


I've carefully gone through the above messages, but could not figure out the root problem...

Any help?


Thanks, Regards
Salim Pathan
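A small triage script, added here as an example and not part of the thread, that parses the AVC records quoted above, merges them the way audit2allow groups denials, and flags the pattern Dan describes (a process in httpd_t reading SELinux configuration and calling setfscreate on itself). The sample records are a subset of the ones posted; the indicator list is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: five of the AVC records quoted in the thread above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1350035968.613:18551): avc: denied { read } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035968.613:18551): avc: denied { open } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18552): avc: denied { read } for pid=6303 comm="httpd" name="config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.010:18555): avc: denied { read } for pid=6303 comm="httpd" name="file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.132:18557): avc: denied { setfscreate } for pid=6303 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed indicator list: target types that only SELinux-aware code (libselinux users) normally touches.
SELINUX_AWARE_TARGETS = {'security_t', 'selinux_config_t', 'default_context_t', 'file_context_t'}

def parse_avc(line):
    """Parse one 'avc: denied' record into source/target types, class and permissions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'stype': fields['scontext'].split(':')[2],   # e.g. httpd_t
            'ttype': fields['tcontext'].split(':')[2],   # e.g. security_t
            'tclass': fields['tclass'], 'perms': set(m.group('perms').split())}

def summarize(text):
    """Merge denials by (source type, target type, class), the grouping audit2allow uses."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)

def to_allow_rules(rules):
    """Render merged denials as allow rules: for review, not for blind loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]

def selinux_aware_indicators(rules):
    """Signs the confined process calls libselinux itself: policy config/contexts reads, setfscreate."""
    found = set()
    for (_, t, c), perms in rules.items():
        if t in SELINUX_AWARE_TARGETS:
            found.add(t)
        if c == 'process' and 'setfscreate' in perms:
            found.add('setfscreate')
    return found
```

When every indicator is present, the denials point at a library inside httpd trying to label files rather than at a mislabeled web root, so the fix is a policy update or a boolean, not a chcon on the content.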

Re: Apache security - contd.

Did you set up Apache to use Kerberos?

Re: Apache security - contd.

I just added these rules to Fedora 18, since I see that using a Kerberos rcache file will require them.

Re: Apache security - contd.

No, I did not set up Apache to use Kerberos... The only thing I did on my box is to install openssl & openssh from source package (not from RPM). Has this created a problem with file labeling?

Re: Apache security - contd.

Contact me via email or on selinux@lists.fedoraproject.org; it is easier to deal with than these messages.

Re: Apache security - contd.

Hi Dan,

May I have your email ID?

Thanks, Regards

Re: Apache security - contd.

dwalsh@redhat.com
