Bonehead basic selinux questions

Jason L Tibbitts III tibbs at math.uh.edu
Fri Feb 3 21:36:56 UTC 2006


OK, I've done a lot of reading and I've even done some policy
hacking.  But there are some fundamental things about selinux I just
don't understand yet.

So I do a fresh FC4 install, log in, mkdir /local and make and mount a
couple of filesystems under it: /svn and /trac.

I do chcon -R --reference=/var/www /local/svn

and httpd can see stuff under /local/svn without issue.

So I wonder if that change is permanent or if I'll get boned if the
system gets relabeled:

> s restorecon -n -R -v /local
/sbin/restorecon reset /local context root:object_r:root_t->system_u:object_r:default_t
/sbin/restorecon reset /local/trac context system_u:object_r:file_t->system_u:object_r:default_t
/sbin/restorecon reset /local/trac/lost+found context system_u:object_r:file_t->system_u:object_r:default_t

Looks OK; the context on /local/svn isn't going to change.  So I go
ahead and drop the '-n' so I'm not surprised later, which had the
effect of surprising me immediately.  Now httpd can't look in
/local/svn (because it can't see under /local?):

> s ausearch -i -ui apache
[...blah...]
type=PATH msg=audit(02/03/06 15:22:17.034:320) : item=0 name=/local flags=none inode=65545 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(02/03/06 15:22:17.034:320) :  cwd=/
type=AVC_PATH msg=audit(02/03/06 15:22:17.034:320) :  path=/local
type=SYSCALL msg=audit(02/03/06 15:22:17.034:320) : arch=i386 syscall=lstat64 success=no exit=-13(Permission denied) a0=8db7f40 a1=bfbeb7bc a2=dc6ff4 a3=bfbeb7bc items=1 pid=8587 auid=tibbs uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache comm=httpd exe=/usr/sbin/httpd
type=AVC msg=audit(02/03/06 15:22:17.034:320) : avc:  denied  { getattr } for  pid=8587 comm=httpd name=local dev=dm-0 ino=65545 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

So changing the context from root:object_r:root_t to
system_u:object_r:default_t locks httpd out?

I have not changed the policy booleans from their default values:

allow_httpd_anon_write            inactive
allow_httpd_sys_script_anon_write inactive
httpd_builtin_scripting           active
httpd_can_network_connect         inactive
httpd_disable_trans               inactive
httpd_enable_cgi                  active
httpd_enable_ftp_server           inactive
httpd_enable_homedirs             active
httpd_ssi_exec                    active
httpd_suexec_disable_trans        inactive
httpd_tty_comm                    inactive
httpd_unified                     active

I don't think it would be proper to chcon /local to the same context
as /local/svn, because I will certainly mount non-httpd-visible things
under /local.  So what is the proper way to fix this?

Any enlightenment would be very much appreciated,

 - J<
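An added example, not part of the post, that parses the interpreted `ausearch -i` output quoted above: it groups records by audit event serial, joins the AVC record with its AVC_PATH/PATH/SYSCALL siblings, and flags the pattern seen here (a confined domain denied getattr on a directory labeled default_t). It assumes the record layout shown in the post; the verdict strings are my own.

```python
import re
from collections import defaultdict
# Interpreted ausearch output, copied from the post above (one event, serial 320).
SAMPLE = """\
type=PATH msg=audit(02/03/06 15:22:17.034:320) : item=0 name=/local flags=none inode=65545 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(02/03/06 15:22:17.034:320) :  cwd=/
type=AVC_PATH msg=audit(02/03/06 15:22:17.034:320) :  path=/local
type=SYSCALL msg=audit(02/03/06 15:22:17.034:320) : arch=i386 syscall=lstat64 success=no exit=-13(Permission denied) a0=8db7f40 a1=bfbeb7bc a2=dc6ff4 a3=bfbeb7bc items=1 pid=8587 auid=tibbs uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache comm=httpd exe=/usr/sbin/httpd
type=AVC msg=audit(02/03/06 15:22:17.034:320) : avc:  denied  { getattr } for  pid=8587 comm=httpd name=local dev=dm-0 ino=65545 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) :\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")

def parse_events(text):
    """Group audit records by event serial: {serial: [(type, body), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:  # non-record lines such as "[...blah...]" are skipped
            rtype, _stamp, serial, body = m.groups()
            events[serial].append((rtype, body))
    return events

def summarize_avc(records):
    """Join the AVC record of one event with its AVC_PATH/PATH/SYSCALL siblings."""
    out = {"path": None}
    for rtype, body in records:
        kv = dict(KV_RE.findall(body))
        if rtype == "AVC":
            m = AVC_RE.search(body)
            out.update(decision=m.group(1), perms=m.group(2).split(), comm=kv.get("comm"),
                       scontext=kv["scontext"], tcontext=kv["tcontext"], tclass=kv["tclass"])
        elif rtype == "AVC_PATH":
            out["path"] = kv["path"]          # authoritative path of the object
        elif rtype == "PATH" and out["path"] is None:
            out["path"] = kv.get("name")      # fall back to the PATH record
        elif rtype == "SYSCALL":
            out["syscall"] = kv.get("syscall")
    return out

def explain(s):
    """Classify the denial; default_t on a dir blocks traversal for confined domains."""
    ttype = s["tcontext"].split(":")[2]
    if s["tclass"] == "dir" and ttype == "default_t" and set(s["perms"]) & {"getattr", "search"}:
        return ("TARGET_DIR_DEFAULT_T: %s denied %s on dir %s; the directory itself carries the "
                "generic default_t label, so the path is blocked whatever lies beneath it"
                % (s["scontext"], ",".join(s["perms"]), s["path"]))
    return "OTHER: %s denied %s on %s %s" % (s["scontext"], ",".join(s["perms"]), s["tclass"], s["path"])
```

Running `explain(summarize_avc(parse_events(SAMPLE)["320"]))` reproduces the post's diagnosis: httpd_t is stopped at /local, not at the files under /local/svn.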