FedoraForum.org > Security and Privacy
#1  Vector, 21st December 2008, 10:21 PM
Question New SELinux context for Apache to WRITE to file system?

Hey guys, I noticed after installing F-10 and restoring my web-dev work that Apache was getting a permission denied when trying to write my random number images. After changing the SELinux context 100 times, to what I normally use, I caught the hint that it wasn't working. After poking around, I got it to work again, but I had to change a boolean value (fairly common), AND RELABEL the file(s) that were to be written to (not common), from "httpd_sys_content_t" to "public_content_rw_t".

Does anyone know if there is a new boolean option that I might have overlooked, or is this the new required context?

Thanx
#2  domg472 (SELinux Contributor), 22nd December 2008, 11:00 AM
Which boolean did you set?
Can you show us the AVC denial that was initially displayed?
What kind of "script" was writing these random number pages?
Did you read "man httpd_selinux"?

If you provide this information then I can attempt to explain to you what has happened.

public_content_rw_t does work, but this is not an optimal type to use, as this content type is "public" or "shared" between several "domains". This could cause escalation.

A better type to use may be httpd_sys_content_rw_t, and sometimes you can make it even more secure by defining a unique type for the content that gets written by your webapp.

public_content is a type that is shared by several domains (escalation possible)
sys_content is a type that is used by the system (also a certain level of escalation possible)
- If you run several webapps in the system domain then a compromised webapp may escalate to another.
- PHP webapps are hard to confine. The way they work, they have to be run as httpd_t (httpd_unified). This means that they are harder to confine than CGI.
- CGI webapps are the easiest to confine.

Are you trying to run a PHP webapp?
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

#3  Vector, 22nd December 2008, 07:29 PM
The script is for a random numbered image, for human interaction verification. An IDENTICAL page can be found on some of my other sites, on my contact pages, here: http://linuxintro.com/?action=Contact and http://myroladex.com/?action=Contact. It is the class that generates that image. It has worked fine with the other httpd context I was using, until now. All it does is generate the image, nothing more. It was being denied WRITE access to the file (system), so it could not write the image to disk so that the page could use it via plain HTML.

The boolean was "allow_httpd_anon_write". There is another, similar, option, "allow_httpd_sys_anon_write", but that was only for httpd system scripts, not publicly accessible scripts. I did not get an AVC denial message, because I have that disabled, as it uses unnecessary system resources. I did not know that there was an "httpd_selinux" to be manned, but I will check it out, thanx.

Thanx for your time.
#4  domg472 (SELinux Contributor), 22nd December 2008, 09:39 PM
I would be surprised if httpd_sys_content_t was working for you, as this is a file type for read-only httpd system content. The httpd_sys_content_rw_t alternative is for readable and writable httpd system content.

I do not know off the top of my head what the booleans you used allow. An AVC denial (ausearch -m avc -ts today) would be helpful.

I think httpd_sys_content_rw_t should suffice, just not sure. public_content_rw_t is fine also if your system is a dedicated web server (only runs httpd).

I am not aware of any significant changes to the apache policy module during F9 to F10.
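The triage domg472 asks for in posts #2 and #4, written out as an added example (shell script, not code from the thread or from Fedora): read the AVC record, decide whether the target file type or a boolean is the problem, and apply the label persistently. The AVC line is constructed to look like what `ausearch -m avc -ts today` prints for this case (pid, inode and timestamp are made up); the path is the one Vector used. Two caveats a practitioner wants here: when auditd is not running (post #3 says it was disabled, which is why ausearch found nothing in post #5) the kernel still prints AVC denials to its own log, so `dmesg | grep avc` or /var/log/messages is where to look; and `chcon` only changes the label on disk, so the next `restorecon` or full relabel reverts it, whereas `semanage fcontext` records the rule that restorecon then applies. The boolean Vector set, allow_httpd_anon_write, governs writes to public_content_rw_t, not to httpd_sys_content_rw_t.

```shell
#!/bin/sh
# Added example, not from the thread: triage an httpd AVC denial and print a
# persistent fix. The AVC line is constructed for illustration.
SAMPLE_AVC='type=AVC msg=audit(1229985600.123:45): avc:  denied  { write } for  pid=2345 comm="httpd" name="includes" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the " KEY=value" pair in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permissions listed between { and }
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type[:level]
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# suggest_fix LINE PATH -> prints the fix for a write denial on httpd content;
# returns 1 with a reason when the record is not that case
suggest_fix() {
    line=$1; path=$2
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    perms=" $(avc_perms "$line") "
    if [ "$stype" != httpd_t ]; then
        echo "source domain is $stype, not httpd_t"; return 1
    fi
    case $perms in
        *' write '*|*' create '*|*' add_name '*|*' remove_name '*|*' unlink '*|*' setattr '*) ;;
        *) echo "denied permissions ($perms) are not writes"; return 1 ;;
    esac
    case $ttype in
        httpd_sys_content_t)
            # Read-only content type: move the path to the read/write httpd type.
            newtype=httpd_sys_content_rw_t ;;
        public_content_rw_t)
            # This type is writable by httpd only while the boolean is on.
            echo "setsebool -P allow_httpd_anon_write on"; return 0 ;;
        httpd_sys_content_rw_t)
            echo "$ttype is already the writable type; compare getsebool -a | grep httpd"; return 1 ;;
        *)
            echo "target type $ttype is not httpd content; leave it alone"; return 1 ;;
    esac
    # semanage records the rule, so restorecon and a full relabel keep the
    # label; a bare chcon would be undone by the next restorecon.
    echo "semanage fcontext -a -t $newtype '$path(/.*)?'"
    echo "restorecon -Rv '$path'"
}

suggest_fix "$SAMPLE_AVC" /var/www/html/Ionisis/includes
```

Run as is to see the two commands for the sample record; to use it on a live box, replace SAMPLE_AVC with a line from `ausearch -m avc` or `dmesg`, and run the printed commands as root.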
#5  Vector, 22nd December 2008, 10:31 PM
Thanx a bunch. I did:
chcon -Rv -usystem_u -robject_r -thttpd_sys_content_rw_t /var/www/html/Ionisis/includes

And refreshed the page, and it seems to be peachy. But I wonder, why is there no option available in the properties dialog's permissions tab's SELinux context drop-down list? I suppose that to set the context, the only method is the command line, and you must know the exact context that you need?

Thanx again.

Also:
[^v^] ausearch -m avc -ts today
<no matches>
#6  Vector, 22nd December 2008, 10:36 PM
Quote:
Originally Posted by domg472
- PHP webapps are hard to confine. The way they work, they have to be run as httpd_t (httpd_unified). This means that they are harder to confine than CGI.
- CGI webapps are the easiest to confine.

Are you trying to run a PHP webapp?

Yeah, I build/own several websites (LinuxIntro.com, MyRoladex.com and soon Ionisis.com and WretchedPlayground.com) that I develop, usually for myself, and sometimes for freelance; and all use LAMP. I develop them on my local machine, and when I'm satisfied with the latest revisions, I FTP them to my live servers, which are hosted by GoDaddy.
#7  Vector, 22nd December 2008, 10:43 PM
Hey, while I've got an SELinux guru here, I wonder, can you tell me why the old command that used to work for me:
chcon user_u:object_r:httpd_sys_content_t /var/www/html -Rc

Now has the following syntax:
chcon -Rv -usystem_u -robject_r -thttpd_sys_content_rw_t /var/www/html/

It seems that, instead of one string that contains many definitions, they have changed it so that you must use flags for each definition?

Thanx
#8  dgrift, 23rd December 2008, 02:40 PM
Quote:
And refreshed the page, and it seems to be peachy. But I wonder, why is there no option available in the properties dialog's permissions tab's SELinux context drop-down list? I suppose that to set the context, the only method is the command line, and you must know the exact context that you need?

Well, the issue is that users are usually not allowed to change just any context, as SELinux is mandatory access control and is not at the discretion of the user, as opposed to traditional Linux security.

However, in Nautilus there is a drop-down list with the types that users are allowed to use, like user_home_t and user_tmp_t. This list however does not include the types for user web content: httpd_user_content_t and friends.

So there is some limited support for user sessions, but because SELinux is usually managed system-wide (mandatory for users) it is not meant to fully support this.

Quote:
Hey, while I've got an SELinux guru here, I wonder, can you tell me why the old command that used to work for me:
chcon user_u:object_r:httpd_sys_content_t /var/www/html -Rc

Now has the following syntax:
chcon -Rv -usystem_u -robject_r -thttpd_sys_content_rw_t /var/www/html/

It seems that, instead of one string that contains many definitions, they have changed it so that you must use flags for each definition?

I am not aware of the old way to do this, but I can guess. I assume that the "c" in "-Rc" stands for "context", so that it expects a full context tuple as opposed to the separate fields in a context tuple (user, role, type).

"-Rv" stands for recurse and verbose.

We call a full tuple user_u:role_r:type_t a security context. This tuple is made up from the separate fields "user_u", "role_r", "type_t". In the chcon that I know, we use -u, -r, -t to specify these fields in a security context tuple.

Refer to "man chcon".

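The syntax question in post #7 and dgrift's answer, as an added example (shell script, not code from the thread): GNU chcon accepts both spellings, `chcon CONTEXT FILE...` and `chcon -u USER -r ROLE -t TYPE FILE...` (both are in the synopsis of `man chcon`), and its `-c` is `--changes`, the same meaning it has for chmod and chown. The helpers below split a context into its four colon-separated fields (user, role, type, and the MCS level `s0` that Fedora's targeted policy shows on every file), emit the flag form of a full context, and compare a file's label from an `ls -Z` line with the type you expect. The ls -Z line and the file name captcha.png are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the full-tuple and per-field chcon
# spellings name the same security context. Split a context, emit the flag
# form, and check a file's label from a constructed ls -Z line.

# Constructed ls -Z line (the targeted policy appends the MCS level :s0).
SAMPLE_LS_Z='-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t:s0 captcha.png'

# ctx_field CONTEXT N -> field N of user:role:type[:level] (1..4)
ctx_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# chcon_flags CONTEXT -> "-u USER -r ROLE -t TYPE", the flag form of CONTEXT.
# The level is not emitted: chcon leaves any field it is not given unchanged.
chcon_flags() {
    u=$(ctx_field "$1" 1); r=$(ctx_field "$1" 2); t=$(ctx_field "$1" 3)
    case $u in *_u) ;; *) echo "bad SELinux user: $u" >&2; return 1 ;; esac
    case $r in *_r) ;; *) echo "bad role: $r" >&2; return 1 ;; esac
    case $t in *_t) ;; *) echo "bad type: $t" >&2; return 1 ;; esac
    printf '%s %s %s %s %s %s\n' -u "$u" -r "$r" -t "$t"
}

# label_from_ls_z LINE -> the context column of an ls -Z line
label_from_ls_z() {
    for word in $1; do
        case $word in *_u:*_r:*_t*) printf '%s\n' "$word"; return 0 ;; esac
    done
    return 1
}

# check_label LINE WANTED_TYPE -> "ok" if the file already carries WANTED_TYPE,
# otherwise the chcon that changes only the type (user and role stay as they are)
check_label() {
    have=$(label_from_ls_z "$1") || return 1
    file=${1##* }
    if [ "$(ctx_field "$have" 3)" = "$2" ]; then
        echo ok
    else
        echo "chcon -v -t $2 $file"
    fi
}

chcon_flags system_u:object_r:httpd_sys_content_rw_t:s0
check_label "$SAMPLE_LS_Z" httpd_sys_content_rw_t
```

On a real directory, feed `ls -Z` output line by line into check_label to find the files whose type is still read-only before relabelling; the "-v" in the printed chcon is what makes it report each file it touches.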
#9  Vector, 23rd December 2008, 07:35 PM
When first trying to learn to switch from Server 2003 to Linux (Fedora), I saw that some of the files that compose my web pages (images, etc.) were not displaying. I did an "ls -Z" in the default web directory, and looked at the results for the context of the files that were working properly (the images that my server would not display had the incorrect context, so I just looked at the context of the images that were able to be displayed on my web pages), and that is how I figured some of this out. I did a "man chcon" or "chcon --help" a long time ago when I first had to figure out how to get this working, and that is where I saw the "-c" flag. At that time, the -c flag for chcon acted like the "-c" flag for chown and chmod, returning output to display which files were changed/altered; the flag meant "Changes", or "Show Changed files", which is essentially the same as "verbose". I happened across the old/incorrect command syntax (one single string for the context, as opposed to flags) as a result of a Google search.

I believe that I got the correct/proper/new syntax for "verbose" from doing a "chcon --help" or something, after it told me that the -c flag was not recognized; and I believe I got the new syntax for the entire command (flags vs. string) after I noticed that the old command wasn't working any more. I think that maybe the command that I was using was a very old implementation of SELinux commands, and that they have recently stopped trying to support legacy/deprecated commands.

Thanx for all your help, and for the links for more info; that will be valuable to me.
