Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

1st May 2006, 11:04 PM
Registered User
Join Date: Feb 2006
Posts: 110

SELinux Blocking Certain Web Files?
Hi! I run a webserver on FC5. I have noticed, however, that if I create a file as root, put it in /var/www/html, and share it, it opens fine. However, if I create a file as my user, put it in /var/www/html as root, and share it, it won't open. This is regardless of whether I chmod 777 the file, or chown root:root the file. It will not open. Here are the lines I am seeing in /var/log/messages:
Code:
May 1 16:34:14 thor kernel: audit(1146519254.957:24): avc: denied { getattr } for pid=31198 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
May 1 16:35:10 thor kernel: audit(1146519310.641:25): avc: denied { getattr } for pid=31202 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
May 1 16:35:10 thor kernel: audit(1146519310.661:26): avc: denied { getattr } for pid=31202 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
May 1 16:35:37 thor kernel: audit(1146519337.013:27): avc: denied { getattr } for pid=31204 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
May 1 16:35:37 thor kernel: audit(1146519337.049:28): avc: denied { getattr } for pid=31204 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
May 1 16:35:39 thor kernel: audit(1146519338.981:29): avc: denied { getattr } for pid=31200 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
May 1 16:35:39 thor kernel: audit(1146519339.021:30): avc: denied { getattr } for pid=31200 comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
I have had this issue with several files. Any ideas?
Cody
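The denials above all have the same shape: source domain httpd_t, target type default_t, class file. As an added example (not code from Cody's post or from Fedora), here is a small Python parser for records like these. It splits records apart even when the log was pasted as one run-together line, pulls out the source and target types, and flags objects that httpd_t was denied on because of their label rather than their mode bits. The sample log is constructed to match the format above; the set of types httpd may read is an assumed subset of the FC5 targeted policy.

```python
"""Parse SELinux AVC denials from a syslog stream and flag mislabeled web content.
Added example for this thread; not code from the original post.  The sample log
below is constructed to match the format Cody pasted."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# One record: "audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for k=v k=v ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Start of a syslog record; used to split records that were run together.
RECORD_START = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ kernel: audit\()")

# Assumption: a minimal subset of the types httpd_t may read under the FC5
# targeted policy.  The full list depends on the installed policy and booleans.
HTTPD_READABLE = {"httpd_sys_content_t", "httpd_sys_script_ro_t", "httpd_sys_script_rw_t"}


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: Tuple[str, ...]
    fields: Dict[str, str]

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(record: str) -> Optional[AvcDenial]:
    """Parse one record; None if it is not an AVC denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcDenial(float(m.group("ts")), int(m.group("serial")),
                     tuple(m.group("perms").split()), fields)


def iter_avcs(text: str) -> Iterator[AvcDenial]:
    """Yield denials from raw log text, tolerating records pasted onto one line."""
    for chunk in RECORD_START.split(text):
        d = parse_avc(chunk.strip())
        if d is not None:
            yield d


def mislabeled_web_files(text: str) -> Dict[Tuple[str, str], str]:
    """Map (name, inode) -> offending type for objects httpd_t was denied on
    because of their label rather than their mode bits."""
    bad = {}
    for d in iter_avcs(text):
        if d.source_type == "httpd_t" and d.target_type not in HTTPD_READABLE:
            bad[(d.fields["name"], d.fields["ino"])] = d.target_type
    return bad


# Constructed sample: record 24 has the shape of the thread's lines, records 25
# and 27 are fused onto one line as happens when a log is pasted, and the
# named_t record is noise from another domain that must be ignored.
SAMPLE_LOG = (
    'May 1 16:34:14 thor kernel: audit(1146519254.957:24): avc: denied { getattr } for pid=31198 '
    'comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file\n'
    'May 1 16:35:10 thor kernel: audit(1146519310.641:25): avc: denied { read } for pid=31202 '
    'comm="httpd" name="h1.jpg" dev=dm-0 ino=2097225 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file'
    'May 1 16:35:37 thor kernel: audit(1146519337.013:27): avc: denied { getattr } for pid=31204 '
    'comm="httpd" name="photo2.jpg" dev=dm-0 ino=2097240 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file\n'
    'May 1 16:36:02 thor kernel: audit(1146519362.100:28): avc: denied { write } for pid=2210 '
    'comm="named" name="data" dev=dm-0 ino=1001 scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir\n'
)

if __name__ == "__main__":
    for d in iter_avcs(SAMPLE_LOG):
        print(d.serial, d.perms, d.fields["comm"], d.fields["name"], d.target_type)
    for (name, ino), t in mislabeled_web_files(SAMPLE_LOG).items():
        print("relabel %s (inode %s): currently %s" % (name, ino, t))
```

Run against a real /var/log/messages the same way (read the file, pass the text to mislabeled_web_files); a non-empty result is the signal that chcon or restorecon, not chmod, is the fix.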

2nd May 2006, 12:48 AM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929

Quite peculiar since that's an image that is denied (h1.jpg). Check permissions for the image. Also check what user/group Apache is running as and check that directories & files are set to world readable.
I always set Apache to a non-default user & group, add myself to the group and chown directories for the user/group; never have had a problem.

2nd May 2006, 01:00 AM
Administrator
Join Date: Dec 2004
Location: Canada
Age: 22
Posts: 9,224

I just disable SELinux for that reason.
Firewing1

2nd May 2006, 01:02 AM
Registered User
Join Date: Nov 2005
Posts: 447

Do this:
Code:
chcon -t httpd_sys_content_t h1.jpg
Of course, after this, don't chmod 777 the file. The apache user only needs the read permission, so 744 is fine if the file is owned by root.
If you actually need 777 on some file, for example an upload directory, use chcon -t httpd_sys_script_rw_t and chmod 777 on it so that apache can write to it.

2nd May 2006, 01:04 AM
Registered User
Join Date: Feb 2006
Posts: 110

Do I have to do this for each and every file that I am hoping to share? That could be quite a PITA.
Cody

2nd May 2006, 01:10 AM
Registered User
Join Date: Nov 2005
Posts: 447

/var/www/html is labeled as httpd_sys_content_t by default, and it seems like your system is working, so that's probably right. So if you make new files in that directory (under any user), they'll be labeled httpd_sys_content_t as well. Also, if you do something like cp ~myuser/somefile.html /var/www/html, then that new file will also have the correct label. I'm pretty sure the only time you'll have to manually relabel stuff is if you do mv ~myuser/somefile.html /var/www/html, because that doesn't affect security labels or permissions.
You can just do chcon -t httpd_sys_content_t * in that directory because you shouldn't have any other type of file in /var/www/html anyways.

2nd May 2006, 01:29 AM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929

Quote:
Originally Posted by Firewing1
I just disable SELinux for that reason.
Well, that's a pretty dangerous thing to do unless your server is not accessible by the public.

2nd May 2006, 01:35 AM
Registered User
Join Date: Nov 2005
Posts: 447

Not really -- I mean, most linux servers out there don't have SELinux enabled. Only a few distros support it anyways.
But doesn't it just make you feel safer with it on?  So if you get pwned, you won't say "well, I could have enabled SELinux to prevent that...

2nd May 2006, 01:42 AM
Registered User
Join Date: Feb 2006
Posts: 110

Cool. I will remember to CP files to that directory instead of MV them from now on. I should do that anyways. But regardless, I would agree that I'd like to keep SELinux enabled. This is just a personal server with nothing terribly important on it, but it's my first time and so I'd like to be as secure as possible.
Thanks!
Cody

2nd May 2006, 01:43 AM
Registered User
Join Date: Aug 2005
Location: Hell
Posts: 758

Quote:
Originally Posted by Cody
Do I have to do this for each and every file that I am hoping to share? That could be quite a PITA.
Cody
So when you create new files in the directory it should inherit the correct context automatically. If you move files from elsewhere or otherwise preserve attributes, then it won't have the correct context. You can always do "restorecon -R /var/www/html" to restore correct context to everything under your web directory, for example.
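Pulling icydog's two posts (chcon, and cp versus mv) and the restorecon suggestion together, here is an added Python example, not code from any poster and not libselinux itself, that models how a file's type is decided: a new inode made by cp inherits the directory's type, a renamed inode keeps whatever it had, and restorecon resets each path to the last matching file_contexts entry. The context table is a constructed, cut-down stand-in for FC5's file_contexts (the uploads rule is an assumption); real file_contexts entries also carry a file-type column and full user:role:type:level contexts, which are omitted here.

```python
"""How a file gets its SELinux type on the way into /var/www/html, and what
restorecon would set it back to.  Added example for this thread; not code from
the posts above or from libselinux, whose file_contexts handling this imitates
in simplified form (no file-type column, no user/role/MLS fields)."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Constructed, cut-down stand-in for /etc/selinux/targeted/contexts/files/file_contexts
# on FC5.  Only the type is kept.  The uploads rule is an assumed site-local addition.
FILE_CONTEXTS = [
    (r"/.*",                          "default_t"),
    (r"/home/[^/]+/.*",               "user_home_t"),
    (r"/var/www(/.*)?",               "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?",       "httpd_sys_script_exec_t"),
    (r"/var/www/html/uploads(/.*)?",  "httpd_sys_script_rw_t"),
]

# Each regex matches the whole path.  When several entries match, the later
# entry wins, so the catch-all "/.*" has to come first.
_RULES = [(re.compile("^(?:%s)$" % rx), t) for rx, t in FILE_CONTEXTS]


def expected_type(path: str) -> str:
    """The type restorecon/matchpathcon would assign to `path`."""
    for rx, t in reversed(_RULES):
        if rx.match(path):
            return t
    raise LookupError("no file_contexts entry matches %s" % path)


def type_after_move(op: str, src_type: str, dst_dir_type: str) -> str:
    """Type a file ends up with after `cp` or `mv` into a directory.

    cp creates a new inode, which takes the destination directory's type
    (absent a type_transition rule).  mv keeps the inode, and with it the old
    label, which is exactly the default_t-on-h1.jpg situation in the thread.
    """
    if op == "cp":
        return dst_dir_type
    if op == "mv":
        return src_type
    raise ValueError(op)


def actual_type(path: str) -> Optional[str]:
    """Current on-disk type from the security.selinux xattr, or None when the
    platform or filesystem carries no label (so the example runs anywhere)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (AttributeError, OSError):
        return None
    return raw.decode().rstrip("\0").split(":")[2]


def relabel_plan(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(path, current, wanted) for every entry whose type differs from policy;
    this is the set of files `restorecon -R /var/www/html` would touch."""
    plan = []
    for path, current in entries:
        wanted = expected_type(path)
        if current != wanted:
            plan.append((path, current, wanted))
    return plan


if __name__ == "__main__":
    # Constructed listing, as `ls -Z /var/www/html` might show it after an mv.
    listing = [
        ("/var/www/html/index.html", "httpd_sys_content_t"),
        ("/var/www/html/h1.jpg", type_after_move("mv", "default_t", "httpd_sys_content_t")),
        ("/var/www/html/h2.jpg", type_after_move("cp", "default_t", "httpd_sys_content_t")),
    ]
    for path, cur, want in relabel_plan(listing):
        print("chcon -t %s %s    # currently %s" % (want, path, cur))
```

On a real SELinux box, feed relabel_plan with (path, actual_type(path)) pairs walked from /var/www/html; what it reports is what restorecon -R would change, and chcon -t on each entry is the manual equivalent.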

2nd May 2006, 01:46 AM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929

Quote:
Originally Posted by icydog
Not really -- I mean, most linux servers out there don't have SELinux enabled.
You have stats to back that up (especially for those that have it but have it disabled)?
Quote:
Originally Posted by icydog
Only a few distros support it anyways.
So because not all distros support it, it's not worth using? That's a rationalization if I've ever heard one!
Quote:
Originally Posted by icydog
But doesn't it just make you feel safer with it on?
No, it makes the system more secure.
Quote:
Originally Posted by icydog
So if you get pwned
Cool, 1337 speek h4Xx0r stuff. I'm impressed.
Quote:
Originally Posted by icydog
, you won't say "well, I could have enabled SELinux to prevent that...
There's no such thing as a 100% secure server, but only a fool doesn't use all the tools at his disposal to make the server as secure as possible.

2nd May 2006, 02:02 AM
Registered User
Join Date: Nov 2005
Posts: 447

Pete, I don't post on this board to waste my time flaming you. I agree that keeping SELinux on is a good idea. There is no need to be hostile. Let's move on with life.
--edit
By the way, here are distros that don't support SELinux by default:
Debian (except unstable)
SUSE
Gentoo (not hardened)
Slackware
Ubuntu
http://selinux.sourceforge.net/
I'd say that makes up a pretty good chunk of the Linuxes out there?
Last edited by icydog; 2nd May 2006 at 02:06 AM.

2nd May 2006, 02:14 AM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929

Quote:
Originally Posted by icydog
Pete, I don't post on this board to waste my time flaming you. I agree that keeping SELinux on is a good idea. There is no need to be hostile. Let's move on with life.
--edit
By the way, here are distros that don't support SELinux by default:
Debian (except unstable)
SUSE
Gentoo (not hardened)
Slackware
Ubuntu
http://selinux.sourceforge.net/
I'd say that makes up a pretty good chunk of the Linuxes out there?
I don't post to this forum to flame you either (nor am I), but I do post on this board if someone is suggesting not-so-smart advice, especially to someone who is a relatively inexperienced user.
The list of distros not supporting SELinux has nothing to do with the percentage of webservers running without SELinux, especially of those servers that are SELinux enabled by default.
So, if you make a claim that 'most' of something are/do something, you should be able to provide hard data (or somewhat reliable stats) to back it up. That's why I am asking you to show something concrete to prove your claim that most servers are running without SELinux.
And, if you consider disagreeing with you and asking you to prove your claim 'hostility', then so be it.

2nd May 2006, 03:05 AM
Administrator
Join Date: Dec 2004
Location: Canada
Age: 22
Posts: 9,224

Quote:
Originally Posted by pete_1967
Well, that's a pretty dangerous thing to do unless your server is not accessible by the public.
Actually, not at all. I mean, theoretically yes it's *less* secure, but as previously mentioned it's not supported on all systems anyways, and I run a strong firewall + check my logs regularly. No hack attempts ever recorded. I also run HTTP on SSL only, so only secure connections.
Firewing1

2nd May 2006, 03:07 AM
Administrator
Join Date: Dec 2004
Location: Canada
Age: 22
Posts: 9,224

edit: oops, sorry for the 2x posts, I was reading different parts of the thread in 2 separate tabs at a time, and responded to both...
Quote:
Originally Posted by pete_1967
I don't post to this forum to flame you either (nor am I), but I do post on this board if someone is suggesting not-so-smart advice, especially to someone who is a relatively inexperienced user.
The list of distros not supporting SELinux has nothing to do with the percentage of webservers running without SELinux, especially of those servers that are SELinux enabled by default.
So, if you make a claim that 'most' of something are/do something, you should be able to provide hard data (or somewhat reliable stats) to back it up. That's why I am asking you to show something concrete to prove your claim that most servers are running without SELinux.
And, if you consider disagreeing with you and asking you to prove your claim 'hostility', then so be it.
I see where you're coming from - but the same goes the other way. Why make newbs use the CLI all the time, and get deep into SELinux permissions when all they want to do is use it at home? It's not completely necessary for a home server, unless you're in a business setting and you need that extra security layer. IMHO Linux is secure enough without SELinux running for home servers.
lol, we're starting the WWW III of FedoraForum... Not to be hostile, but just to show - firewing1.homelinux.net is my home server run off my P4 1.9GHz Dell. Check it out, snoop around, try to "hack" your way in. It's completely locked up, and without SELinux. Run a port scan, you'll find few ports are open, with a strong firewall.
Firewing1
Last edited by Firewing1; 2nd May 2006 at 03:10 AM.