Bonehead basic selinux questions
Jason L Tibbitts III
tibbs at math.uh.edu
Fri Feb 3 21:36:56 UTC 2006
OK, I've done a lot of reading and I've even done some policy
hacking. But there are some fundamental things about selinux I just
don't understand yet.
So I do a fresh FC4 install, log in, mkdir /local and make and mount a
couple of filesystems under it: /svn and /trac.
I do chcon -R --reference=/var/www /local/svn
and httpd can see stuff under /local/svn without issue.
So I wonder if that change is permanent or if I'll get boned if the
system gets relabeled:
> s restorecon -n -R -v /local
/sbin/restorecon reset /local context root:object_r:root_t->system_u:object_r:default_t
/sbin/restorecon reset /local/trac context system_u:object_r:file_t->system_u:object_r:default_t
/sbin/restorecon reset /local/trac/lost+found context system_u:object_r:file_t->system_u:object_r:default_t
Looks OK; the context on /local/svn isn't going to change. So I go
ahead and drop the '-n' so I'm not surprised later, which had the
effect of surprising me immediately. Now httpd can't look in
/local/svn (because it can't see under /local?):
> s ausearch -i -ui apache
[...blah...]
type=PATH msg=audit(02/03/06 15:22:17.034:320) : item=0 name=/local flags=none inode=65545 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(02/03/06 15:22:17.034:320) : cwd=/
type=AVC_PATH msg=audit(02/03/06 15:22:17.034:320) : path=/local
type=SYSCALL msg=audit(02/03/06 15:22:17.034:320) : arch=i386 syscall=lstat64 success=no exit=-13(Permission denied) a0=8db7f40 a1=bfbeb7bc a2=dc6ff4 a3=bfbeb7bc items=1 pid=8587 auid=tibbs uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache comm=httpd exe=/usr/sbin/httpd
type=AVC msg=audit(02/03/06 15:22:17.034:320) : avc: denied { getattr } for pid=8587 comm=httpd name=local dev=dm-0 ino=65545 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
So changing the context from root:object_r:root_t to
system_u:object_r:default_t locks httpd out?
I have not changed the policy booleans from their default values:
allow_httpd_anon_write inactive
allow_httpd_sys_script_anon_write inactive
httpd_builtin_scripting active
httpd_can_network_connect inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_ftp_server inactive
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_suexec_disable_trans inactive
httpd_tty_comm inactive
httpd_unified active
I don't think it would be proper to chcon /local to the same context
as /local/svn, because I will certainly mount non-httpd-visible things
under /local. So what is the proper way to fix this?
Any enlightenment would be very much appreciated,
- J<
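An added example, not from the original post or the list: a small POSIX shell script that reads the two kinds of output quoted above offline (from constructed samples matching their shape) to show which *types* a relabel would change before `-n` is dropped, and to pull the permission, source type, target type and class out of an AVC record, which here points at /local being relabeled default_t rather than at anything under /local/svn. It assumes only awk and sed.

```shell
#!/bin/sh
# Added example (not code from the original post). Sample text is constructed
# to match the shape of `restorecon -n -R -v` and `ausearch -i` output.

# Constructed dry-run output: two type changes and one user-only change.
RESTORECON_DRYRUN='/sbin/restorecon reset /local context root:object_r:root_t->system_u:object_r:default_t
/sbin/restorecon reset /local/trac context system_u:object_r:file_t->system_u:object_r:default_t
/sbin/restorecon reset /local/svn/repo context root:object_r:httpd_sys_content_t->system_u:object_r:httpd_sys_content_t'

# Constructed AVC record in ausearch -i format.
AVC_LINE='type=AVC msg=audit(02/03/06 15:22:17.034:320) : avc: denied { getattr } for pid=8587 comm=httpd name=local dev=dm-0 ino=65545 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir'

# Print "path old_type new_type" for each dry-run line whose type (third
# field of the context) changes. Lines that only change the SELinux user or
# role are skipped: type enforcement decides access, so they are harmless.
type_changes() {
    printf '%s\n' "$1" | awk '
        /reset .* context / {
            path = $3
            split($5, ctx, "->")
            split(ctx[1], old, ":")
            split(ctx[2], new, ":")
            if (old[3] != new[3]) print path, old[3], new[3]
        }'
}

# Reduce an AVC record to "perm source_type target_type class", the four
# values that tell you which rule is missing and on which object.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p'
}

main() {
    echo "Types that restorecon would change (path old new):"
    type_changes "$RESTORECON_DRYRUN"
    echo "Denial summary (perm source_type target_type class):"
    avc_summary "$AVC_LINE"
}
main
```

Reading the two results side by side: the only denied object is /local with target type default_t, the same type the dry run announced for it, so httpd_t is stopped at the parent directory before it ever reaches the relabeled-by-hand /local/svn.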
More information about the fedora-selinux-list mailing list