Fedora Linux Support Community & Resources Center

  #1  
Old 1st October 2005, 04:20 AM
GBH Offline
Registered User
 
Join Date: Oct 2005
Posts: 2
SELinux, vsftpd, home directories and apache

Hi,

I've come here in desperation pretty much.

Scenario is pretty simple. I have everything running perfectly fine without SELinux turned off.

If I turn it on I have the following problem. I know exactly what's causing it and how to bodge the fix but I don't want that (or to turn off SELinux)

My box runs a number of web sites (site1....siten)

The sites have a user associated to them (the users are called site1....siten)

The html files for each site are stored under /home/site1/www..../home/siten/www

The logs for each site are stored under /home/site1/log....../home/siten/log

The home directories and the files are labeled with user_home_dir_t and user_home_t respectively.

I can use vsftpd to upload/delete/write/read files to those directories with no problems (each user is chrooted into their own home directory as they log in).

However, unsurprisingly, apache cannot access the www or the log directories under home and instead fails to load because it can't create log files.

If I change all the labeling in the home directories to httpd_sys_content_t then the httpd starts fine and I can see the website, only that then kills the ability to use ftp as the ftpd can't see the newly labeled files.

If I turn off SELinux then apache can write to the log dirs, starts and works and my ftpd can see and upload files.

So there are various answers I've seen around.

1. Stop using SELinux - not what I want to do
2. Stop using SELinux for one or the other daemon and re-label if needed - again not what I want to do
3. Re-compile the policy to allow me to do it - tried for both apache.te and ftpd.te and failed with compile errors or it applying and having no effect

Is there any way that I can get the httpd to see and use directories and files labeled as user directories and files? Before you ask, yes I've enabled "Allow httpd to see user home directories" but that, I think, insists files are in public_html directories.

Anyone have any bright ideas?

Many thanks in advance

G
  #2  
Old 1st October 2005, 03:18 PM
GBH Offline
Registered User
 
Join Date: Oct 2005
Posts: 2
Joy. Another 3 hours on it and I sorted it.

I eventually found where Fedora 4 was putting the deny logs for SELinux which is /var/log/audit/audit.log and not /var/log/messages as seemingly everywhere I read seems to think they go. I parsed that through audit2allow which threw up these 3 lines

allow httpd_t user_home_dir_t:file append;
allow httpd_t user_home_t:dir { getattr search };
allow httpd_t user_home_t:file { append getattr read };

I added these to the apache.te file and recompiled and lo and behold it works.

Ideally what I should now do is to go back and change the labels on all those files to httpd_sys_content_t and add these lines into the ftpd.te policy

allow ftpd_t httpd_config_t:dir getattr;
allow ftpd_t httpd_sys_content_t:dir { getattr search };
allow ftpd_t httpd_sys_content_t:file getattr;

Or even more correctly I should put all these into a file called local.te in the /etc/selinux/targeted/src/policy/domains/misc/ directory so that I don't have to add these again as and when the policy changes.

For anyone else wondering where that is, you have to install selinux-policy-targeted-sources-1.27.1-2.3.noarch.rpm to get all the compilation stuff as it doesn't (or didn't on mine) do this by default. This has to be the same version as your selinux-policy-targeted rpm (rpm -qa | grep targeted to find out which version you have)

Hope that helps someone else who might be looking to do the same thing.

Thanks

G
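
Added example, not part of the original posts and not audit2allow's own code: the denial-to-rule step post #2 describes, written in Python so the grouping of AVC denials into allow rules is visible, plus a check that lists which resulting rules grant a modifying permission. The log lines are constructed, and the function names and the WRITE_PERMS set are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread), shaped like entries in
# /var/log/audit/audit.log; the last line is a non-AVC record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1128161000.101:201): avc:  denied  { append } for  pid=2101 comm="httpd" name="error_log" dev=hda2 ino=4001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_dir_t tclass=file
type=AVC msg=audit(1128161000.102:202): avc:  denied  { search } for  pid=2101 comm="httpd" name="www" dev=hda2 ino=4002 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1128161000.103:203): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/site1/www" dev=hda2 ino=4002 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1128161000.104:204): avc:  denied  { getattr read } for  pid=2101 comm="httpd" name="index.html" dev=hda2 ino=4003 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1128161000.105:205): avc:  denied  { append } for  pid=2101 comm="httpd" name="access_log" dev=hda2 ino=4004 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1128161000.107:207): user pid=2200 uid=0 msg='PAM authentication: user=site1'
"""

# The type is the third field of a context; a trailing MLS level is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+).*?"
    r"tclass=(?P<cls>\w+)")

# Permissions that modify data; an assumption about what deserves review.
WRITE_PERMS = {"append", "write", "create", "unlink", "rename", "setattr"}

def group_denials(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            grouped[m["src"], m["tgt"], m["cls"]].update(m["perms"].split())
    return dict(grouped)

def format_rules(grouped):
    """Render one allow rule per group, in the syntax quoted in the post."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def write_grants(grouped):
    """Groups whose rule would let the source domain modify the target."""
    return sorted(k for k, v in grouped.items() if v & WRITE_PERMS)

if __name__ == "__main__":
    print("\n".join(format_rules(group_denials(SAMPLE_AUDIT_LOG))))
    print("review before loading:", write_grants(group_denials(SAMPLE_AUDIT_LOG)))
```

Because each rule applies to a whole type, the two groups flagged here would let httpd_t append to any file labeled user_home_t or user_home_dir_t, not only the per-site log files.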
  #3  
Old 26th October 2005, 01:08 PM
jimbothegrey Offline
Registered User
 
Join Date: Oct 2005
Posts: 5
I disabled SELinux on our web server and installed a commercial solution from applicure instead. (http://www.applicure.com)
I really dislike SELinux. Why would they bind it so hard in the system?

Cheers,

Jim.