SELinux

bundy07
19th June 2008, 01:10 PM
OK, downloaded the latest Fedora, installed it, then after finally realizing that MySQL, PHP and Apache are embedded, I proceeded to download and install phpBB3. The install went smoothly, but now I have this SEtroubleshooter throwing some messages at me, and I am not sure what to do.

Here is the most repeated message "SELinux is preventing the httpd from using potentially mislabeled files" and it offers a solution "This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access."

Can I do something to fix this?

Sorry for all the questions

LDC
19th June 2008, 01:27 PM
SELinux is a good tool with one of the worst management systems ever created; the hope is that some hero-coder will someday write a frontend to make it as user friendly as it should be.

beatyrm
19th June 2008, 01:29 PM
Took this from a previous post of mine. It's a generic way to set up SE policies to fix individual instances of problems. Hopefully it will help you out.

-Robert



Well, one thing I ended up having to do with cron actually is import my own policy module. This really isn't very hard though.

First bring up the setroubleshoot browser when you get the alert that se had blocked some action. Now pick out the error, probably the first one if it just happened, and go down to the raw audit messages. Copy all of those and paste into a text file in say /tmp/se_audit_messages.

Now the first thing is to create a local module.



audit2allow -M local < /tmp/se_audit_messages


Then you can modify the file if you want or just go ahead and import it.



semodule -i /tmp/local.pp


Save the file you pasted the raw audit messages into for use later. You'll want to just add any new ones onto the end of that file and repeat this process so you don't blow away any previous additions.

-Robert

bundy07
19th June 2008, 04:07 PM
I tried to create the module, but I get the following error:

Python error: <stdin> is a directory, cannot continue

It should be noted that I am not logged in as root (if that makes a difference)

beatyrm
19th June 2008, 04:11 PM
You will most certainly need to be root while trying to import modules. Also, if you end up with any errors post the command you used with it for some extra debug potential.

-Robert

bundy07
19th June 2008, 04:19 PM
[root@thepwnere ~]# audit2allow -M < /tmp/se_audit_messages
Python error: <stdin> is a directory, cannot continue
[root@thepwnerer]#

Now, the se_audit_messages did not exist, so I created it (it is a folder under /tmp). Is this not correct?

beatyrm
19th June 2008, 04:26 PM
Nah, take the raw audit messages from the setroubleshoot browser and paste them into a text file. My example text file was named se_audit_messages; you are free to use whatever. Then run audit2allow -M < /tmp/text file name; the local policy module will be created in whatever directory you are currently in. Then do the import.

-Robert

bundy07
19th June 2008, 04:34 PM
Ok, I renamed my text file se_audit_messages
and here is what I got:

[root@thepwnerer ~]# audit2allow -M < /tmp/se_audit_messages
Usage: audit2allow [options]

audit2allow: error: -M option reuires an argument



Sorry for being a pain

beatyrm
19th June 2008, 04:39 PM
No problem, you'll need to do it as such # audit2allow -M local < /tmp/se_audit_messages

The local in there is the "module name" argument that it is yelling about.

-Robert

bundy07
19th June 2008, 05:51 PM
OK, so that worked.
Now, if I understand you correctly, I can copy and paste other raw data to the end of the text file, then run the 2 commands again.

Is this correct?

beatyrm
19th June 2008, 06:59 PM
Yeah, you can just drop more of the raw audit messages onto the end of that text file then run the pair of commands to make and import the module. That way you don't have to keep naming them different things or risk losing previous additions.

-Robert

bundy07
20th June 2008, 01:37 PM
OK, I updated the text file and now I have an error.

[root@thepwnere ~]# semodule -i local.pp
libespol.permission_copy_callback: Module local depends on permission unix_read in class file, not satisfied
libesmanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
[roo@thepwnerer ~]#

Update:
I had all the audit messages as one long string in the text file; once I put a line break between the audit messages, it went through fine.

beatyrm
20th June 2008, 02:18 PM
Good deal, hope that helps out your original issue!

-Robert
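The make-and-import procedure from this thread as a small shell wrapper, added here as an example and not posted by anyone in the thread. It guards against the three failures above (a directory instead of a file, a missing module name, and all records pasted onto one line), prints the generated .te so the rules can be read before loading, and also shows the relabeling route the setroubleshoot message itself describes. audit2allow, semodule, semanage and restorecon are the real tools; the function names and the sample audit records are constructed for the example.

```shell
#!/bin/sh
# Added example wrapping the audit2allow -M / semodule -i steps from the thread.

# Constructed sample: three raw audit records pasted onto ONE line, the shape
# that made semodule fail with "permission ... not satisfied" in the thread.
write_sample_audit_messages() {
    printf '%s %s %s\n' \
      'type=AVC msg=audit(1213870000.100:10): avc:  denied  { getattr } for pid=100 comm="httpd" path="/var/www/html/phpBB3/index.php" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file' \
      'type=SYSCALL msg=audit(1213870000.100:10): arch=40000003 syscall=195 success=no exit=-13 comm="httpd"' \
      'type=AVC msg=audit(1213870000.200:11): avc:  denied  { read } for pid=100 comm="httpd" name="config.php" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file' \
      > "$1"
}

# audit2allow wants one record per line; start a new line at every "type=".
normalize_audit_messages() {
    awk '{ gsub(/[ \t]+type=/, "\ntype="); print }' "$1" | sed '/^[ \t]*$/d'
}

# Number of AVC denials the module would cover (after normalization).
count_avc_denials() {
    normalize_audit_messages "$1" | grep -c 'avc: *denied'
}

# The input must be a regular file holding at least one denial
# ("<stdin> is a directory" came from creating a folder instead of a file).
check_audit_file() {
    [ -f "$1" ] || { echo "error: $1 is not a regular file" >&2; return 1; }
    [ "$(count_avc_denials "$1")" -gt 0 ] || { echo "error: no AVC denials in $1" >&2; return 1; }
}

# Write NAME.te/NAME.pp to the current directory and load the module (root
# required; NAME defaults to "local" as in the thread). Read the .te first:
# every rule in it becomes allowed for good once the module is loaded.
build_and_install_module() {
    name=${2:-local}
    check_audit_file "$1" || return 1
    normalize_audit_messages "$1" > "$1.normalized"
    audit2allow -M "$name" < "$1.normalized" || return 1
    cat "$name.te"
    semodule -i "$name.pp"
}

# What the setroubleshoot message actually asks for: label the web root so
# httpd may read it, rather than teaching policy to read mislabeled files.
relabel_httpd_content() {
    semanage fcontext -a -t httpd_sys_content_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# usage: sh this.sh /tmp/se_audit_messages [module_name]
if [ "$#" -ge 1 ]; then build_and_install_module "$@"; fi
```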