SELinux, vsftpd, home directories and apache

GBH · #1 1st October 2005, 04:20 AM

Hi,

I've come here in desperation pretty much.

Senario is pretty simple. I have everything runs perfectly fine without SELinux turned off.

If I turn it on I have the following problem. I know exactly what's causing it and how to bodge the fix but I don't want that (or to turn off SELinux)

My box runs a number of web sites (site1....siten)

The sites have a user associated to them (the users are called site1....siten)

The html files for each site are stored under /home/site1/www..../home/siten/www

The logs for each site are stored under /home/site1/log....../home/siten/log

The home directories and the files are labled with user_home_dir_t and user_home_t respectively

I can use vsftpd to upload/delete/write/read files to those directories with no problems (each user is chroot into their own home directory as they log in)

However, unsupprisingly apache cannot access the www or the log directories under home and instead fails to load because it can't create log files

If I change all the labling in the home directories to httpd_sys_content_t then the httpd starts fine and I can see the website only that then kills the ability to use ftp as the ftpd can't see the newly labled files.

If I turn off SELinux then apache can write to the log dir's, starts and works and my ftpd can see and upload files.

SO there are various answers I've seen around.

1. Stop using SELinux - not what I want to do
2. Stop using SE Linux for one or the other daemon and re-label if needed - again not what I want to do
3. re-complile the policy to allow me to do it - tried for both apache.te and ftpd.te and failed with compile errors or it applying and having no effect

Is there any way that I can get the httpd to see and use directories and files labled as user directories and files? Before you ask, yes I've enabled "Allow httpd to see user home directories" but that, I think, insists files are in public_html directories.

Anyone have any bright ideas?

Many thanks in advance

G

GBH · #2 1st October 2005, 03:18 PM

Joy. Another 3 hours on it and I sorted it.

I eventually found where Fedora 4 was putting the deny logs for SELinux which is /var/log/audit/audit.log and not /var/log/messages as seemingly everywhere I read seems to think they go. I parsed that through audit2allow which threw up these 3 lines

allow httpd_t user_home_dir_t:file append;
allow httpd_t user_home_t:dir { getattr search };
allow httpd_t user_home_t:file { append getattr read };

I added these to the apache.te file and recompiled and lo and behold it works.

Ideally what I should now do is to go back and change the lables on all those files to httpd_sys_content_t and add these lines into the ftpd.te policy

allow ftpd_t httpd_config_t:dir getattr;
allow ftpd_t httpd_sys_content_t:dir { getattr search };
allow ftpd_t httpd_sys_content_t:file getattr;

Or even more correctly I should put all these into a file called local.te in the /etc/selinux/targeted/src/policy/domains/misc/ directory so that I don't have to add these again as and when the policy changes.

For anyone else wondering where that is, you have to install selinux-policy-targeted-sources-1.27.1-2.3.noarch.rpm to get all the compilation stuff as it doesn't (or didn't on mine) do this by default. This has to be the same version as your selinux-policy-targeted rpm (rpm -qa | grep targeted to find out which version you have)

Hope that helps someone else who might be looking to do the same thing.

Thanks

G

jimbothegrey · #3 26th October 2005, 01:08 PM

I disabled SELinux on our web server and installed a commercial solution from applicure instead. (http://www.applicure.com)
I really dislike SELinux, why would they bind it so hard in the system.

Cheers,

Jim.