FedoraForum.org > Servers & Networking
#1 | 25th July 2006, 06:57 PM | warlordQ (Registered User, joined Mar 2006, Japan, 18 posts)
SELinux and website - ( web plus ftp access )

I want to host many websites on my server, now my clients need to be able to ftp into their homepages... it sounds simple, and it is.. but if you add SELinux into the equation you're pretty much nailed with the defaults, unless you know how to use SELinux properly...

I have been reading some stuff on SELinux...
http://fedoraproject.org/wiki/SELinux - ( all the links )
http://fedora.redhat.com/docs/selinux-faq-fc5/

add more links from Google... and many days of reading... and I still don't know much about SELinux...
When I search these forums for answers, everybody says turn SELinux off...

Here's my problem: ( SELinux related )
-------------------------

I have setup a user who wants a website, his home folder is located:
/var/users/k/kojik/

his website is located
/var/users/k/kojik/public_html/

2 things: 1. he can't ftp into his home folder, 2. Apache can't access his website unless I change permission on his /var/users/k/kojik/ ....

here are his folder details:
Quote:
[root@vhost ~]# ls -Z /var/users/k/
drwx------ kojik kojik system_u:object_r:user_home_dir_t kojik
[root@vhost ~]# ls -Z /var/users/k/kojik/
drwxr-xr-x root root user_u:object_r:httpd_sys_content_t public_html
[root@vhost ~]#
I ran genhomedircon after I created the kojik home directory...
here's what's inside /etc/selinux/targeted/contexts/files/file_contexts.homedirs after I ran genhomedircon...
Quote:
#
#
# User-specific file contexts, generated via /usr/sbin/genhomedircon
# use semanage command to manage system users in order to change the file_context
#
#


#
# Home Context for user user_u
#

/home/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/home/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/home/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/lost\+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/home/\.journal <<none>>
/home/lost\+found -d system_u:object_r:lost_found_t:s0


#
# Home Context for user user_u
#

/var/users/k/[^/]*/.+ user_u:object_r:user_home_t:s0
/var/users/k/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/var/users/k/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/var/users/k/[^/]* -d user_u:object_r:user_home_dir_t:s0
/var/users/k/lost\+found/.* <<none>>
/var/users/k -d system_u:object_r:home_root_t:s0
/var/users/k/\.journal <<none>>
/var/users/k/lost\+found -d system_u:object_r:lost_found_t:s0



#
# Home Context for user root
#

/root/.+ root:object_r:user_home_t:s0
/root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_user_content_t:s0
/root -d root:object_r:user_home_dir_t:s0
Now I rebooted.... and he still can't log in...
There's something else I have to do, I have no idea what...

here's a list of my booleans: ( displayed are ftp and http only )
Quote:
[root@vhost ~]# /usr/sbin/getsebool -a
allow_ftpd_anon_write --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on
Anybody here know what I must do??
#2 | 25th July 2006, 07:28 PM | FedoraUK (Registered User, joined Jul 2006, Northants, UK, 45 posts)
Hi. First, are you running an X server? In Gnome under the System -> Administration menu there's a "Security Level and Firewall" app. In it, it allows you to select various SELinux and Firewall permissions pertaining to all parts of the system including ftp and webserver.

If you're not running a GUI then I can't help further because I know zip all about SELinux.

Have you tried changing ownership of /kojik to kojik from root?
#3 | 26th July 2006, 04:23 AM | warlordQ (Registered User, joined Mar 2006, Japan, 18 posts)
I have access to the GUI firewall/SELinux, which by the way just changes these booleans... you can use either GUI or CLI... I've tried all that but it's not working...

If I turn SELinux off, everything just works no probs... but if I turn SELinux on, ftp won't work...

here's an error code:
Quote:
220 Welcome to Troys FTP service.
USER kojik

331 Please specify the password.
PASS xxxx
500 OOPS: cannot change directory:/var/users/k/kojik
Disconnecting from site vhost.dnsalias.net
I'm thinking that I must load this policy in or something... commands here:
http://fedoraproject.org/wiki/SELinux/Commands

how do I load the policy in??

#4 | 26th July 2006, 06:43 AM | warlordQ (Registered User, joined Mar 2006, Japan, 18 posts)
OK, I did it!!! It's working ....

SELinux is on and it's all working ....

Most people here have disabled SELinux, because nobody really knows too much about it, and the SELinux default settings are too restrictive...

To the moderators here, you might want to make this a sticky ....

here's how I got SELinux working with the new user home folder ( which is also located on another hard drive partition )... this user must be able to ftp into his home folder, ( everybody else must not have read and write permissions - apache, webalizer, log must have entry access only )... this user wants a website...

Now I'm going to give you a real world example with proper file locations that I used, hopefully you can set it up on your own system in any location....

first thing you need is to make sure you have the checkpolicy package installed, if it's not installed then..

Quote:
yum install checkpolicy
in the base directory where you want your users to have their websites, the root part of that folder you need to make readable via apache... in my case, we type in:

Quote:
su -
mkdir /var/users/
then we make it world readable:

Quote:
chcon -R -t httpd_sys_content_t /var/users/
then I create another folder "k"
Quote:
mkdir /var/users/k
now we need to create a new user with the home folder located in /var/users/k/
Quote:
/sbin/useradd -c "Name of user" -m -d /var/users/k/kojik kojik
passwd kojik
mkdir /var/users/k/kojik/public_html
chcon -R -t httpd_sys_content_t /var/users/k/kojik/public_html/
now we need to add this user's new home directory into SELinux ( SELinux requires the user to be created first ).. what we will do is add this new entry into the /etc/selinux/targeted/contexts/files/file_contexts.homedirs file... we do not edit this file directly.. instead we use the genhomedircon script to edit this file...

Quote:
/sbin/genhomedircon -t targeted
where targeted is the policy currently running...

now we need to build the new policy file and load that into the kernel... first we will make an error via ftping into the home directory.. this will create a logged message in /var/log/audit/audit.log or /var/log/messages... it depends if you have audit running as a service...

ftp in with the new user and password, this will fail... now copy the message into a separate file....
example error message:
Quote:
Jul 26 12:16:58 vhost kernel: audit(1153883818.969:328): avc: denied { search } for pid=16948 comm="vsftpd" name="users" dev=hdb1 ino=33390593 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
save to file example: /home/USER/ftpfail.log

now run audit2why on that file to produce a message:
Quote:
/usr/sbin/audit2why < /home/USER/ftpfail.log
you should see something like this on the screen..
Quote:
Jul 26 12:16:58 vhost kernel: audit(1153883818.969:328): avc: denied { search } for pid=16948 comm="vsftpd" name="users" dev=hdb1 ino=33390593 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.
Save that as a file ( audit.log ) inside your home folder.... we will use this file to add a new policy to our current policy and load that into the kernel ( requires the checkpolicy package )... there's no need to reboot, and all the booleans will keep their same settings....

we type in...
Quote:
/usr/bin/audit2allow -i /home/troyfa/audit.log -M local
you should see something like this:
Quote:
Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i local.pp
Now we need to load this into the kernel.. we type in...
Quote:
semodule -i local.pp
Enjoy, and now ftp into your new home directory...

Known issues... at the very base of the home folder make sure everybody is forbidden to read/write but everybody has "entry" permission... apache needs this...

here's what the permissions should look like:
Quote:
[root@vhost include]# ls -Z /var/users/k/
drwxr-x--x kojik kojik system_u:object_r:user_home_dir_t kojik

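The audit2allow step in the post above hides what the tool actually derives from the denial. The script below is an added example, not code from the post: a POSIX sh script that parses an AVC denial line into its source type, target type, object class and permission set, prints the `allow` rule and a complete `local.te` module source, and (only when `LOAD_POLICY` is set) runs the same checkmodule / semodule_package / semodule commands the post shows. The sample denial is the one quoted in the post; the build branch assumes checkpolicy and policycoreutils are installed and that you are root.

```sh
#!/bin/sh
# Added example: derive a type-enforcement rule from an AVC denial line.
# The sample line is the denial quoted in post #4 (constructed input here).
SAMPLE_AVC='Jul 26 12:16:58 vhost kernel: audit(1153883818.969:328): avc: denied { search } for pid=16948 comm="vsftpd" name="users" dev=hdb1 ino=33390593 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_field LINE KEY -> value of "KEY=value" or KEY="value" in the line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission names inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# type_of CONTEXT -> the type component of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow <src_t> <tgt_t>:<class> { perms };"
avc_to_allow() {
    src=$(type_of "$(avc_field "$1" scontext)")
    tgt=$(type_of "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# te_module NAME LINE... -> a loadable-module source (what audit2allow -M writes)
te_module() {
    name=$1; shift
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    for line in "$@"; do
        printf '    type %s;\n' "$(type_of "$(avc_field "$line" scontext)")"
        printf '    type %s;\n' "$(type_of "$(avc_field "$line" tcontext)")"
        printf '    class %s { %s };\n' "$(avc_field "$line" tclass)" "$(avc_perms "$line")"
    done | sort -u
    printf '}\n\n'
    for line in "$@"; do avc_to_allow "$line"; done | sort -u
}

if [ -n "${LOAD_POLICY:-}" ]; then
    # Same build and load sequence as in the post; needs checkpolicy and
    # policycoreutils and root. Not run by default.
    te_module local "$SAMPLE_AVC" > local.te
    checkmodule -M -m -o local.mod local.te
    semodule_package -o local.pp -m local.mod
    semodule -i local.pp
else
    te_module local "$SAMPLE_AVC"
fi
```

Run without arguments it prints the module source; the rule it derives from the quoted denial is `allow ftpd_t httpd_sys_content_t:dir { search };`. Note what that grants: vsftpd may now traverse every directory labelled httpd_sys_content_t on the system, not just /var/users. The denial names "users", that is /var/users itself, which the `chcon -R` earlier in the post labelled httpd_sys_content_t. A narrower fix is to leave that parent directory with a type ftpd_t can already traverse (the generated file_contexts.homedirs above already assigns home_root_t to /var/users/k) and give the httpd type only to the web folders.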
#5 | 26th July 2006, 06:23 PM | warlordQ (Registered User, joined Mar 2006, Japan, 18 posts)
When I made my last post I discovered a few things, but I've been at work so I couldn't post an update... and I wanted to double check everything before I made this post... I need to address a few things here, so please bear with me... I will post a "How to do" later on, actually I can do better than that, I can create a GUI ( mouse click ) bash script that does everything for you.. SELinux plus setting up accounts for customers...

When I started this thread, this discussion was about SELinux, and what I described here also needed setting up security on other things as well as SELinux...

I will now correct a few minor things from my last post...

when you create your user's website folder ( public_html, web, www, etc ) you can pick any of the 3 ( it's much easier to use those 3, otherwise you'll need to edit /etc/selinux/targeted/contexts/files/homedir_template )... now to make the folder readable by both ftp and http you need to type this in, instead of what I posted above...

for example the website location is:
/var/users/k/kojik/web/

now to make it accessible by both ftp and http, we do this:
Quote:
chcon -R -t public_content_t /var/users/k/kojik/web/
if you used the httpd_sys_content_t described in my previous post... only apache has access, and this folder will show up as being invisible inside the user's FTP client software... the above fixes this problem...

also there is a security issue with vsftpd... you shouldn't chroot local users as this has a security impact on the whole system, other daemons are affected, so a much better way is to do the following...

inside /etc/vsftpd/vsftpd.conf

scroll down to...
#chroot_list_enable=YES

and change it to...
chroot_list_enable=YES

then just below that, uncomment the second line to:
Quote:
chroot_list_file=/etc/vsftpd/chroot_list
if this file doesn't exist yet, create a new file then add the name of your new user to this file.... this file must be present before you restart vsftpd, otherwise vsftpd will fail...

to restart vsftpd, type in:
Quote:
/etc/init.d/vsftpd restart
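The post above ends with a trap: enabling chroot_list_enable and then restarting vsftpd before the list file exists. The script below is an added example, not the post's own code: a POSIX sh check that reads a vsftpd.conf, ignores commented lines, and reports the two conditions the post warns about (a chroot_list_enable=YES with no list file, and a blanket chroot_local_user=YES) before you run the restart. It assumes vsftpd's compiled-in default list path /etc/vsftpd.chroot_list when chroot_list_file is not set; the sample config it writes is constructed for the demo.

```sh
#!/bin/sh
# Added example: sanity-check vsftpd chroot settings before restarting.

# conf_value FILE KEY -> value of the last uncommented "KEY=value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# vsftpd_chroot_check FILE -> 0 if the chroot configuration is usable.
#   1: chroot_list_enable=YES but the list file is missing (vsftpd will
#      refuse logins / fail to start, as the post describes)
#   2: chroot_local_user=YES jails every local user instead of only the
#      users named in the list
vsftpd_chroot_check() {
    conf=$1
    status=0
    if [ "$(conf_value "$conf" chroot_local_user)" = YES ]; then
        echo "$conf: chroot_local_user=YES jails all local users; use chroot_list_enable + chroot_list_file" >&2
        status=2
    fi
    if [ "$(conf_value "$conf" chroot_list_enable)" = YES ]; then
        list=$(conf_value "$conf" chroot_list_file)
        # assumption: vsftpd's compiled-in default when the key is unset
        [ -n "$list" ] || list=/etc/vsftpd.chroot_list
        if [ ! -f "$list" ]; then
            echo "$conf: chroot_list_enable=YES but $list does not exist; create it before restarting" >&2
            status=1
        fi
    fi
    return $status
}

# demo -> "before:<status> after:<status>" using a constructed config
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/vsftpd.conf" <<EOF
# constructed sample; mirrors the edits described in the post
local_enable=YES
#chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
EOF
    if vsftpd_chroot_check "$tmp/vsftpd.conf"; then before=0; else before=$?; fi
    echo kojik > "$tmp/chroot_list"          # the user named in the post
    if vsftpd_chroot_check "$tmp/vsftpd.conf"; then after=0; else after=$?; fi
    rm -rf "$tmp"
    echo "before:$before after:$after"
}

demo
```

Run it once against /etc/vsftpd/vsftpd.conf before `/etc/init.d/vsftpd restart`; the demo prints `before:1 after:0`, the missing-list case and then the fixed one. On the labelling side, remember that `chcon` writes the label to the file only: a later `restorecon` or full relabel re-applies file_contexts, and the generated file_contexts.homedirs shown earlier maps `web`, `www` and `public_html` under a home directory to httpd_user_content_t, so check with `ls -Z` that the web folder still carries public_content_t after any relabel.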
#6 | 28th July 2006, 06:06 PM | landoncz (Registered User, joined Dec 2005, Florida, USA, 338 posts)
Thanks for the tip!