danwalsh


Dan Walsh's Blog

Got SELinux?


setroubleshootd in action.
One of the big advancements in SELinux is the introduction of the setroubleshooter. This is available for the first time in
Fedora Core 6 and Red Hat Enterprise Linux Beta 2.

The following walk-through demonstrates how this tool works.

A common SELinux problem admins hit is a service being denied access to mislabeled files. For example, an admin may edit web files in his home directory and then move (mv) them to the system's web directory to serve them via Apache. SELinux does not allow Apache to display the page because the file is still labeled with the security context of the user's home directory (mv preserves the file's existing label, whereas a fresh copy would inherit the default label of the destination directory), and Apache is not allowed to read users' home directory files. To demonstrate setroubleshoot, we can simulate this by giving the web server's content an incorrect security context and then trying to view the page.

# First make sure setroubleshoot and httpd are installed
> yum install setroubleshoot httpd
# Now change the security context on /var/www/html/index.html to a user's home directory context
> chcon -t user_home_t /var/www/html/index.html
# Now start the two services
> service setroubleshoot start
> service httpd start
# Log in as a normal user, bring up Firefox and go to http://localhost
# Firefox should display a permission-denied page
# An icon should appear in the upper right hand corner indicating an SELinux denial has occurred
# Click on the icon for the troubleshooter to launch
# The troubleshooter will explain what has happened and explain how to fix the problem.

If you look at /var/log/audit/audit.log, you will see the complete SELinux message in all its gory details:

ausearch -m avc
----
time->Mon Nov 13 09:33:05 2006
type=AVC_PATH msg=audit(1163428385.431:226): path="/var/www/html/index.html"
type=SYSCALL msg=audit(1163428385.431:226): arch=40000003 syscall=196 success=no exit=-13 a0=9ed02c0 a1=bfccf98c a2=aa0ff4 a3=2008171 items=0 ppid=4094 pid=4098 auid=3267 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1163428385.431:226): avc: denied { getattr } for pid=4098 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file


If you look in /var/log/messages, you will see a more readable explanation:

Nov 13 09:31:57 localhost setroubleshoot: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files (/var/www/html/index.html). See audit.log for complete SELinux messages. id = a3ad0690-dfb3-4077-9e51-5627f0bfb2db

The troubleshooter will have the complete description.
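To show what the troubleshooter is doing with the raw records above, here is an added example (not code from the post or from setroubleshoot itself) that parses the three audit.log records quoted above, joins them by audit event id, and turns the AVC denial into the same kind of plain-language summary and fix suggestion that appeared in /var/log/messages. The "mislabeled files" check is a deliberately simplified heuristic of my own: a target type from a home directory (user_home_t, user_home_dir_t) being touched by a service domain is reported as a probable mislabel, with restorecon as the fix, since restorecon resets the file to the type the policy assigns under /var/www/html (httpd_sys_content_t). The second audit event is a constructed one, added only to exercise the non-mislabel branch.

```python
"""Parse SELinux AVC denial records and explain them setroubleshoot-style."""
import re
from collections import defaultdict

# Constructed sample input. The first event (…:226) is the one quoted in the
# post, as it appears in /var/log/audit/audit.log. The second event (…:227)
# is invented here to show a denial that is NOT a labeling problem.
SAMPLE_AUDIT_LOG = """\
type=AVC_PATH msg=audit(1163428385.431:226): path="/var/www/html/index.html"
type=SYSCALL msg=audit(1163428385.431:226): arch=40000003 syscall=196 success=no exit=-13 a0=9ed02c0 a1=bfccf98c a2=aa0ff4 a3=2008171 items=0 ppid=4094 pid=4098 auid=3267 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1163428385.431:226): avc: denied { getattr } for pid=4098 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1163428390.101:227): avc: denied { name_connect } for pid=4100 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# One audit record: "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>"
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")
# key=value pairs; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set of an AVC record: avc: denied { getattr read } ...
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

# Home-directory types: constructed list for this example's mislabel heuristic.
HOME_TYPES = {"user_home_t", "user_home_dir_t"}


def parse_kv(body):
    """Turn 'k=v k2="v 2"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def parse_audit_log(text):
    """Group records by audit event id; merge AVC, AVC_PATH and SYSCALL fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # ausearch headers such as "time->..." and "----"
        ev = events[m.group("event")]
        body = m.group("body")
        if m.group("type") == "AVC":
            pm = PERMS_RE.search(body)
            ev["permissions"] = pm.group(1).split() if pm else []
        ev.update(parse_kv(body))
    return dict(events)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def explain(ev):
    """Build a setroubleshoot-style summary and a suggested fix for one denial."""
    src = context_type(ev["scontext"])
    tgt = context_type(ev["tcontext"])
    exe = ev.get("exe") or ev.get("comm", "?")
    target = ev.get("path") or ev.get("name") or ev.get("dest", "?")
    perms = " ".join(ev.get("permissions", []))
    summary = (f"SELinux is preventing {exe} ({src}) from {perms} access to "
               f"{ev['tclass']} {target} labeled {tgt}.")
    if tgt in HOME_TYPES:
        # File carries a home-directory label in a service's content area:
        # restorecon resets it to the policy default for that path.
        kind = "mislabeled"
        fix = f"restorecon -v {target}"
    else:
        # Not a labeling problem: the policy itself forbids this access.
        kind = "policy"
        fix = "review the denial with audit2allow -a before changing policy"
    return {"kind": kind, "summary": summary, "fix": fix,
            "source_type": src, "target_type": tgt}


if __name__ == "__main__":
    for event_id, ev in parse_audit_log(SAMPLE_AUDIT_LOG).items():
        result = explain(ev)
        print(f"[{event_id}] {result['kind']}: {result['summary']}")
        print(f"    fix: {result['fix']}")
```

Run against a live system with `ausearch -m avc | python3 explain_avc.py`-style piping only after adapting the script to read stdin; as written it works entirely on the embedded sample so it can be run offline.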

I instead receive "You don't have permission to access / on this server." "Apache/2.2.3 (Fedora) Server at localhost Port 80". No icon for SELinux.
Could you include a screenshot of the event?


[root@Notebook1 ~]# service setroubleshoot restart
Stopping setroubleshootd: [ OK ]
Starting setroubleshootd: [ OK ]
[root@Notebook1 ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@Notebook1 ~]# ls -la /var/www/html
total 24
drwxr-xr-x 2 root root 4096 Nov 21 04:51 .
drwxr-xr-x 6 root root 4096 Nov 18 20:33 ..
-rw-r--r-- 1 jim jim 201 Nov 21 05:02 index.html
[root@Notebook1 ~]# su jim
[jim@Notebook1 root]$ /sbin/service --status-all
anacron is stopped
atd is stopped
automount is stopped
Avahi daemon is not running
Avahi DNS daemon is not running
hcid is stopped
sdpd is stopped
capi not installed - No such file or directory (2)
cpuspeed is stopped
crond (pid 2208) is running...
cupsd is stopped
cups-config-daemon is obsolete
cat: /var/run/dhcdbd.pid: Permission denied
Device not specified in /etc/sysconfig/diskdump
dund is stopped
Usage: /etc/init.d/firstboot {start|stop}
gpm (pid 2176) is running...
hald is stopped
hidd is stopped
hpiod is stopped
hpssd is stopped
Only 'root' may use this init script
httpd (pid 6901) is running...
/etc/init.d/ip6tables: line 45: /etc/sysconfig/ip6tables-config: Permission denied
Firewall is not configured. <--- maybe the issue is here? selinux is set to enforcing.
irattach is stopped
lircmd is stopped
lircd is stopped
mdmpd is stopped
dbus-daemon (pid 5064) is running...
multipathd is stopped
nasd dead but subsys locked
Server address not specified in /etc/sysconfig/netdump
netplugd is stopped
Configured devices:
lo eth0 eth1
Currently active devices:
lo eth0 eth1
NetworkManager (pid 2385) is running...
NetworkManagerDispatcher is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
rpc.statd (pid 1892) is running...
nscd is stopped
ntpd is stopped
pand is stopped
/etc/init.d/functions: line 137: /var/run/pcscd.pid: Permission denied
pcscd dead but pid file exists
portmap dead but subsys locked
Process accounting is disabled.
rdisc is stopped
restorecond (pid 4652) is running...
rpc.idmapd is stopped
saslauthd is stopped
sendmail is stopped
smartd dead but subsys locked
spamd is stopped
sshd (pid 2065) is running...
/etc/init.d/functions: line 137: /var/run/syslogd.pid: Permission denied
syslogd dead but pid file exists
/etc/init.d/functions: line 137: /var/run/klogd.pid: Permission denied
klogd dead but pid file exists
Xvnc is stopped
winbindd is stopped
wpa_supplicant is stopped
xfs (pid 2246) is running...
ypbind is stopped


jim

resolved

A: forgot that apache needs to be the owner of files and the setcon error popped up

B: change the type to httpd_sys_content_t resolves
