
Re: Calling SELinux Expert...



On Fri, 2005-03-04 at 10:46 +1300, Gavin Young wrote:
> Hey guys, hopefully someone out there can help me with this because I'm
> an SELinux virgin so to speak.

Sorry, many knowledgeable folks were at an SELinux conference last week.

Of course, they may still be unavailable, so I'll try to muddle through
an answer.

> We have a RHEL v4 box running apache amongst other things. No changes
> have been made to the standard Redhat policies. 

What are the HTTPD Booleans set to?

getsebool -a | grep httpd

httpd_enable_cgi needs to be active, if it is not.  That wouldn't
generate the denial you have, so think of this as an "is it plugged in?"
type of question.

> We are wanting to run a perl based web app (Sql-Ledger)
> from /usr/local/sql-ledger but SELinux is stopping us.

This is where someone could correct me for best practices advice.

You want to seriously consider moving the CGI program to the appropriate
directory.  Otherwise, you are trying to give Apache execute access to
something inside of /usr/local/ ...

To do this in /usr/local/, you will need to change policy or
relabel /usr/local/ to make this happen, which will serve to reduce
security on the system.

> With SELinux disabled it works correctly. When SELinux protection of the
> HTTPD daemon is switched on the browser displays: Internal Server Error
> and /var/log/messages reports
> 
> Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied
> { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0
> ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
> tclass=file
> 
> From what I can tell SELinux is stopping scripts being run from any
> other directory apart from /var/www/cgi-bin. I have tried moving the
> sql-ledger directory into cgi-bin but that doesn't appear to help
> because it is still a sub-directory of cgi-bin.

That shouldn't be a problem.  You just need to relabel the directory
recursively.  This should work, and is a good practice since it refers
to the mapping of labels to directories/files as defined by the policy:

restorecon -Rv /var/www/cgi-bin/sql-ledger/

If ls -Z doesn't show that the type is httpd_sys_script_t, do this:

chcon -Rv -t httpd_sys_script_t /var/www/cgi-bin/sql-ledger/

> This problem must have come up before... Any help would be much
> appreciated.

Yeah, almost qualifies for a FAQ.

Future updates to the Red Hat SELinux Guide[1] will likely address
Apache more thoroughly.

- Karsten
[1] http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html
-- 
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint:  2680 DBFD D968 3141 0115    5F1B D992 0E06 AD0E 0C41   
               IT executives rate Red Hat #1 for value              
                 http://www.redhat.com/promo/vendor/
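The AVC line Gavin quoted carries everything needed to decide between the two fixes in the reply (restorecon first, chcon as a fallback). The following is an added example, not code from the thread: a small POSIX sh triage helper that pulls the fields out of such a denial and prints the suggested relabel step. The sample line is constructed from the quoted message; the directory argument and the expected type httpd_sys_script_t are taken from the reply.

```sh
#!/bin/sh
# Added example (not from the original thread): parse an AVC denial such as
# the one in the quoted message and suggest the first relabel step to try.

# Constructed sample, joined from the wrapped line in the quoted message.
AVC_SAMPLE='Mar  3 15:13:23 zorb1 kernel: audit(1109816003.103:0): avc:  denied { execute } for  pid=24711 exe=/usr/sbin/httpd name=login.pl dev=dm-0 ino=9228595 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file'

# avc_field LINE KEY -> the value of "KEY=value" in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_target_type LINE -> the type part of tcontext, e.g. usr_t
avc_target_type() {
    avc_field "$1" tcontext | awk -F: '{print $3}'
}

# avc_permission LINE -> the denied permission, e.g. execute
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# suggest_fix LINE DIR -> the command to try first for a CGI directory.
# httpd_sys_script_t is the label the reply expects for scripts under
# /var/www/cgi-bin; anything else (here usr_t) means the files are mislabeled.
suggest_fix() {
    ttype=$(avc_target_type "$1")
    if [ "$ttype" = "httpd_sys_script_t" ]; then
        echo "label already correct; check booleans: getsebool -a | grep httpd"
    else
        echo "restorecon -Rv $2   # verify with ls -Z; fallback: chcon -Rv -t httpd_sys_script_t $2"
    fi
}

# Stand-alone run: show what the sample denial tells us.
echo "denied $(avc_permission "$AVC_SAMPLE") on $(avc_field "$AVC_SAMPLE" name) labeled $(avc_target_type "$AVC_SAMPLE")"
suggest_fix "$AVC_SAMPLE" /var/www/cgi-bin/sql-ledger/
```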

