Fedora Linux Support Community & Resources Center

  #1  
Old 30th May 2006, 12:06 AM
Donsoloway Offline
Registered User
 
Join Date: Apr 2006
Posts: 6
Cannot FTP to /var/www/don/html with SELinux enabled

Hi,
I have two problems which I think are similar.


1) I have a directory /var/www/don/html which is owned by don. I want to ftp some web pages, but I cannot cd to /var/www/don/html when SELinux is enabled. When I turn SELinux off it works. What do I need to set to allow this?


2) If I ftp to my home dir some html files and copy them to /var/www/don/html they cannot be read by the browser while SELinux is enabled.


Thanks in advance,
Don
  #2  
Old 12th June 2006, 03:53 AM
SlowJet Offline
Registered User
 
Join Date: Jan 2005
Posts: 5,048
One of the security features of SELinux is that each process runs in its own username space.
For targeted policy, these are listed in the Security / Firewall GUI.
For Strict policy, it gets very complex as every task is running in a separate username space.

The httpd user has a context of http_t, don would have user_t, root has system_t

user don can not put anything into http - access denied.
(Since you did, this means /www/don dir is in reality owned by don. - not allowed in httpd space.)

When the mv command is used the destination retains the context of the files.
If cp is used the files take on the context of the destination.
So http, don, and any other regular user can not access the others' files, change permissions or security context.

So how do you get files into another user's name space?

su -
password
root@domain
This is the guy that owns everything and via using a cp the files take on the context of the destination.
What is NOT seen is that in targeted policy switching to root is like an implied ROLE of admin AND Webadmin.
In strict mode policy one may automatically be defined to be one of the several roles in the policy.
Or, for example, the main guy, i.e. = you, can be root, change to the role of admin, or go lower and change to the role of webadmin.
When one person is responsible for many functions, it's a matter of trusted policy and the one person following good security practice, i.e. change to webadmin before cp in root so (S)he doesn't screw up too much.

For your problem, make www/don and sub dirs owned by httpd
and cp with root (implied ROLE webadmin)
chown -R httpd:httpd /www/don
chmod as needed after the cp from /home/don

There is a provision for using html in a user dir but it is much less secure and puts both users (httpd and don) at risk.

Same type of thing for cgi scripts - only cp with root into www/cgi (And PHP)

SJ
__________________
Do the Math
  #3  
Old 15th June 2006, 06:11 PM
fredm6463 Offline
Registered User
 
Join Date: Apr 2006
Posts: 11
vsftpd security

I am having a similar problem.

With SELinux enabled, I cannot ftp as a user on the system. Error message is: cannot open /home/user.
I turn off SELinux security and all is fine.
How do I get vsftp to work with SELinux security enabled?

Thanks.
  #4  
Old 15th June 2006, 10:25 PM
landoncz Offline
Registered User
 
Join Date: Dec 2005
Location: Florida, USA
Age: 35
Posts: 338
Perhaps you need to modify your SELinux policy... type (as root):
Code:
system-config-securitylevel
And select the SELinux tab. If the mode is set to enforcing, browse down to the FTP service options, and check the box that says "Allow FTP to read/write to user's home directory" or something like that. Then, all should be well...
__________________
Fedora Core 6 on Asus Z63A 14" Laptop
2.0 Ghz Pentium M
1 Gig RAM
100 Gig 7200 RPM

Code:
# rm -rf /dev/brain

Last edited by landoncz; 15th June 2006 at 10:27 PM.
  #5  
Old 24th June 2006, 06:43 AM
pacifico Offline
Registered User
 
Join Date: Nov 2004
Posts: 49
I'm having the same problem, but it is on a server with no GUI installed. How do I change the context to system_u:object_r:httpd_sys_content_t for my directory?

ls -Z currently yields
Quote:
-rw-r--r-- root root user_u:object_r:var_t index.html
drwxr-xr-x root root user_u:object_r:var_t yum
Thanks.
-al
  #6  
Old 24th June 2006, 03:48 PM
pacifico Offline
Registered User
 
Join Date: Nov 2004
Posts: 49
Solved

Figured it out...
chcon -c -R --reference=/var/www /srv/www/html/
relabeled the directory and its contents.
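A check for the situation in post #5, as an added example that is not part of the thread: it scans `ls -Z` output and reports every entry whose SELinux type differs from the one expected for web content. The function names and the last two sample lines are constructed for illustration; the first two sample lines repeat the listing quoted above.

```shell
#!/bin/sh
# Added example: audit `ls -Z` output for entries whose SELinux type
# is not the one the web server is allowed to read.

# Constructed sample. The first two lines repeat the listing quoted in the
# thread; the last two are made up for illustration (the final one uses the
# newer "context name" layout and a file name containing a space).
sample_listing() {
    cat <<'EOF'
-rw-r--r--  root root user_u:object_r:var_t                   index.html
drwxr-xr-x  root root user_u:object_r:var_t                   yum
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t   about.html
unconfined_u:object_r:user_home_t:s0 my page.html
EOF
}

# mislabeled EXPECTED_TYPE
# Reads `ls -Z` output on stdin and prints "name<TAB>type" for every entry
# whose type (third part of user:role:type[:level]) differs from EXPECTED_TYPE.
mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            # The first field with at least two colons is the context;
            # mode, owner and group never contain colons.
            if (split($i, part, ":") >= 3) {
                if (part[3] != want) {
                    # Everything after the context is the file name.
                    name = $(i + 1)
                    for (j = i + 2; j <= NF; j++) name = name " " $j
                    printf "%s\t%s\n", name, part[3]
                }
                next
            }
        }
    }'
}

sample_listing | mislabeled httpd_sys_content_t
```

On a real system, feed it `ls -Z /srv/www/html` instead of the sample. Labels set with `chcon` are not recorded in the file-context policy, so a later `restorecon` or full relabel reverts them; `semanage fcontext` followed by `restorecon` makes the type persistent.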