-
21st December 2008, 11:21 PM
#1
New SELinux context for Apache to WRITE to file system?
Hey guys, I noticed after installing F-10 and restoring my web-dev work that Apache was getting a permission denied when trying to write my random number images. After changing the SELinux context 100 times to what I normally use, I caught the hint that it wasn't working. After poking around, I got it to work again, but I had to change a boolean value (fairly common), AND RELABEL the file(s) that were to be written to (not common), from "httpd_sys_content_t" to "public_content_rw_t".
Does anyone know if there is a new boolean option that i might have overlooked, or is this the new required context?
Thanx
-
22nd December 2008, 12:00 PM
#2
Which boolean did you set?
Can you show us that avc denial that was initially displayed?
What kind of "script" was writing these random number pages?
Did you read "man httpd_selinux"?
If you provide this information then I can attempt to explain to you what has happened.
public_content_rw_t does work but this is not an optimal type to use, as this content type is "public" or "shared" between several "domains". This could cause escalation.
A better type to use may be: httpd_sys_content_rw_t, and sometimes you can even make it more secure by defining a unique type for the content that gets written by your webapp.
public_content is a type that is shared by several domains (escalation possible)
sys_content is a type that is used by the system (also a certain level of escalation possible)
- If you run several webapps in the system domain then a compromised webapp may escalate to another.
- php webapps are hard to confine. The way they work, they have to be run as httpd_t. (httpd_unified) This means that they are harder to confine than CGI.
- CGI webapps are best to confine.
Are you trying to run a PHP webapp?
Last edited by domg472; 22nd December 2008 at 12:10 PM.
-
22nd December 2008, 08:29 PM
#3
The script is for a random numbered image, for human interaction verification. An IDENTICAL page can be found on some of my other sites, on my contact pages, here: http://linuxintro.com/?action=Contact and http://myroladex.com/?action=Contact. It is the class that generates that image. It has worked fine with the other httpd context I was using; until now. All it does is generate the image, nothing more. It was being denied WRITE access to the file (system); so it could not write the image to disk, so that the page could use it via plain html.
The Boolean was "allow_httpd_anon_write". There is another -- similar -- option "allow_httpd_sys_anon_write", but that was only for httpd system scripts; not publicly accessible scripts. I did not get an avc denial message, because I have that disabled, as it uses unnecessary system resources. I did not know that there was a "httpd_selinux" to be manned; but I will check it out, thanx.
Thanx for your time.
-
22nd December 2008, 10:39 PM
#4
I would be surprised if httpd_sys_content_t was working for you, as this is a file type for read-only httpd system content. The httpd_sys_content_rw_t alternative is for readable and writable httpd system content.
I do not know off the top of my head what the booleans you used allow. An AVC denial (ausearch -m avc -ts today) would be helpful.
I think httpd_sys_content_rw_t should suffice, just not sure. public_content_rw_t is fine also if your system is a dedicated web server (only runs httpd).
I am not aware of any significant changes to the apache policy module during F9 to F10.
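The two replies above sort the file types by what httpd_t may do with them (httpd_sys_content_t read-only, httpd_sys_content_rw_t writable, public_content_rw_t writable only with the allow_httpd_anon_write boolean on). The script below is an added example, not code from the thread: it encodes that decision in a function and prints a relabel recipe that survives a filesystem relabel, which the chcon commands in the thread do not, since chcon changes only the on-disk label and not the file-context rule that restorecon applies. The demo path under /var/www/html is constructed; the type and boolean names are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether Apache (httpd_t)
# may write to files of a given SELinux type, and print a relabel recipe
# that survives a filesystem relabel (chcon alone does not).
# Type and boolean names are those discussed in the thread; the directory
# path used in the demo is constructed.

# httpd_write_type_ok TYPE [ANON_WRITE]
#   TYPE        file type as shown by `ls -Z`
#   ANON_WRITE  current value of allow_httpd_anon_write ("on"/"off", default off)
# Exit status: 0 = httpd_t can write, 1 = cannot, 2 = type not covered here.
httpd_write_type_ok() {
    type="$1"
    anon_write="${2:-off}"
    case "$type" in
        httpd_sys_content_t)
            # read-only system web content: writes are denied
            return 1 ;;
        httpd_sys_content_rw_t|httpd_sys_rw_content_t)
            # writable system web content; no boolean required
            # (httpd_sys_rw_content_t is the name used by later policies)
            return 0 ;;
        public_content_rw_t)
            # shared type; only writable when the boolean is switched on
            [ "$anon_write" = "on" ] ;;
        *)
            return 2 ;;
    esac
}

# label_fix_commands DIR TYPE
# Print the commands that make TYPE the persistent label for DIR and
# everything under it. `semanage fcontext` records the rule, so a later
# `restorecon` or full relabel keeps it; a plain `chcon` would be undone.
label_fix_commands() {
    dir="${1%/}"
    type="$2"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$dir"
    printf "restorecon -Rv '%s'\n" "$dir"
}

# Demo on a constructed path. Read the real boolean when getsebool exists,
# otherwise assume "off" so the script still runs on a non-SELinux host.
demo_dir="/var/www/html/example-app/includes"
if command -v getsebool >/dev/null 2>&1; then
    anon="$(getsebool allow_httpd_anon_write 2>/dev/null | awk '{print $3}')"
else
    anon="off"
fi
for t in httpd_sys_content_t public_content_rw_t httpd_sys_content_rw_t; do
    if httpd_write_type_ok "$t" "${anon:-off}"; then
        echo "$t: httpd_t can write (allow_httpd_anon_write=${anon:-off})"
    else
        echo "$t: httpd_t cannot write (allow_httpd_anon_write=${anon:-off})"
    fi
done
echo "Persistent fix:"
label_fix_commands "$demo_dir" httpd_sys_content_rw_t
```

Two notes on finding the denial that the thread never got to see: `ausearch -m avc` only searches the audit log, so with auditd not running the kernel writes AVC records to the kernel log instead (`dmesg`, or /var/log/messages via syslog); and some denials are silenced by dontaudit rules in the policy, which `semodule -DB` disables temporarily (`semodule -B` restores them).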
-
22nd December 2008, 11:31 PM
#5
Thanx a bunch. I did:
chcon -Rv -usystem_u -robject_r -thttpd_sys_content_rw_t /var/www/html/Ionisis/includes
And refreshed the page, and it seems to be peachy. But I wonder, why is there not an option available in the properties dialog's permissions tab's SELinux context drop-down list? I suppose that to set the context, the only method is the command line, and you must know the exact context that you need?
Thanx again.
Also:
[^v^] ausearch -m avc -ts today
<no matches>
-
22nd December 2008, 11:36 PM
#6
Originally Posted by domg472:
- php webapps are hard to confine. The way they work, they have to be run as httpd_t. (httpd_unified) This means that they are harder to confine than CGI.
- CGI webapps are best to confine.
Are you trying to run a PHP webapp?
Yeah, I build/own several websites (LinuxIntro.com, MyRoladex.com and soon, Ionisis.com and WretchedPlayground.com) that I develop, usually for myself, and sometimes for freelance; and all use LAMP. I develop them on my local machine, and when I'm satisfied with the latest revisions, I ftp them to my live servers, which are hosted by GoDaddy.
-
22nd December 2008, 11:43 PM
#7
Hey, while I've got an SELinux guru here, I wonder, can you tell me why the old command that used to work for me:
chcon user_u:object_r:httpd_sys_content_t /var/www/html -Rc
Now has the following syntax:
chcon -Rv -usystem_u -robject_r -thttpd_sys_content_rw_t /var/www/html/
It seems that, instead of one string that contains many definitions, they have changed it so that you must use flags for each definition?
Thanx
-
23rd December 2008, 03:40 PM
#8
And refreshed the page, and it seems to be peachy. But I wonder, why is there not an option available in the properties dialog's permissions tab's SELinux context drop-down list? I suppose that to set the context, the only method is the command line, and you must know the exact context that you need?
Well the issue is that users are usually not allowed to change just any context, as SELinux is a mandatory access control and is not at the discretion of the user, as opposed to traditional Linux security.
However in nautilus there is a drop down list with the types that users are allowed to use, like user_home_t and user_tmp_t. This list however does not include the type for user web content: httpd_user_content_t and friends.
So there is some limited support for user sessions, but because SELinux is usually managed system-wide (mandatory for users) it is not meant to fully support this.
Hey, while I've got an SELinux guru here, I wonder, can you tell me why the old command that used to work for me:
chcon user_u:object_r:httpd_sys_content_t /var/www/html -Rc
Now has the following syntax:
chcon -Rv -usystem_u -robject_r -thttpd_sys_content_rw_t /var/www/html/
It seems that, instead of one string that contains many definitions, they have changed it so that you must use flags for each definition?
I am not aware of the old way to do this but I can guess. I assume that the "c" in "-Rc" stands for "context", so that it expects a full context tuple as opposed to the separate fields in a context tuple (user, role, type).
"-Rv" stands for Recurse and Verbose.
We call a full tuple user_u:role_r:type_t a security context. This tuple is made up from the separate fields "user_u", "role_r", "type_t". In the chcon that I know we use -u, -r, -t to specify these fields in a security context tuple.
Refer to "man chcon".
Last edited by dgrift; 23rd December 2008 at 03:44 PM.
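The exchange above is about the two spellings of the same thing: one user:role:type[:range] tuple, or chcon's per-field -u/-r/-t (and -l for the range) flags. coreutils chcon accepts both forms, and its -c/--changes and -v/--verbose options are distinct (the first reports only files whose label actually changed). The script below is an added example, not code from the thread: it converts between the two forms, with a sanity check that the role ends in _r and the type in _t, and runs the conversion over the two contexts quoted in the posts above. The MLS range shown with colons in the demo is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the thread: convert between the two ways of
# naming a security context that the posts above show, the single
# user:role:type[:range] tuple and chcon's per-field -u/-r/-t/-l flags.
# The contexts used in the demo are the ones quoted in the thread (the
# ":s0" range on the second one is added here to show the optional field).

# context_to_flags CONTEXT
# Print the chcon flag form of CONTEXT. Fails (status 1) unless the tuple
# has at least user, role and type, the role ends in _r and the type in _t.
# Anything after the third field is the MLS/MCS range, which may itself
# contain colons (e.g. s0-s0:c0.c1023), so it is rejoined rather than split.
context_to_flags() {
    ctx="$1"
    old_ifs="$IFS"
    IFS=:
    set -- $ctx
    if [ $# -lt 3 ]; then
        IFS="$old_ifs"
        return 1
    fi
    user="$1"; role="$2"; type="$3"
    shift 3
    range="$*"          # IFS is still ':' so remaining fields rejoin with ':'
    IFS="$old_ifs"
    case "$role" in *_r) ;; *) return 1 ;; esac
    case "$type" in *_t) ;; *) return 1 ;; esac
    out="-u $user -r $role -t $type"
    if [ -n "$range" ]; then
        out="$out -l $range"
    fi
    printf '%s\n' "$out"
}

# flags_to_context USER ROLE TYPE [RANGE]
# The reverse: assemble the tuple that `ls -Z` prints for a file.
flags_to_context() {
    ctx="$1:$2:$3"
    if [ -n "${4:-}" ]; then
        ctx="$ctx:$4"
    fi
    printf '%s\n' "$ctx"
}

# Demo with the two contexts quoted in the thread.
for c in user_u:object_r:httpd_sys_content_t \
         system_u:object_r:httpd_sys_content_rw_t:s0; do
    printf 'chcon %s FILE    <=>    chcon -Rv %s FILE\n' "$c" "$(context_to_flags "$c")"
done
```

Either form can be passed to chcon; the flag form is handy when only one field should change (for example `chcon -t httpd_sys_content_rw_t FILE` keeps the existing user and role), while the tuple form is what `ls -Z` shows and is easiest to copy from a file that already has the label you want.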
-
23rd December 2008, 08:35 PM
#9
When first trying to learn to switch from Server 2003 to Linux (Fedora), I saw that some of the files that compose my web pages (images, etc) were not displaying. I did a "ls -Z" in the default web directory, and looked at the results for the context of the files that were working properly (the images that my server would not display had the incorrect context, and so I just looked at the context for the images that were able to be displayed on my web pages), and that is how I figured some of this out. I did a "man chcon" or "chcon --help" a long time ago when I first had to figure out how to get this working, and that is where I saw the "-c" flag. At that time, the -c flag for chcon acted like the "-c" flag for chown and chmod -- returning output to display which files were changed/altered; the flag meant "Changes" -- or "Show Changed files", which is essentially the same as "verbose". I happened across the old/incorrect command syntax (one single string for the context, as opposed to flags) as a result of a Google search.
I believe that I got the correct/proper/new syntax for "verbose" from doing a "chcon --help" or something, after it told me that the -c flag was not recognized; and I believe I got the new syntax for the entire command (flags vs string), after I noticed that the old command wasn't working any more. I think that maybe the command that I was using was a very old implementation of SELinux commands, and that they have recently stopped trying to support legacy/deprecated commands.
Thanx for all your help, and for the linx for more info; that will be valuable to me.
Last edited by Vector; 23rd December 2008 at 08:46 PM.