LinuxQuestions.org
Old 04-08-2012, 07:15 PM   #1
BenCollver
Rogue Class
 
Registered: Sep 2006
Location: OR, USA
Distribution: Slackware 14.1
Posts: 161

Rep: Reputation: 51
fossil, mongoose, and SELinux


Instructions to confine fossil and mongoose in SELinux.

This configuration serves multiple fossil projects over HTTPS on Fedora 16.

Mongoose is a small web server. Like fossil, it is a single binary.

Create fossil user
Code:
# useradd -m fossil
# chmod a+rx /home/fossil
# passwd fossil
# su - fossil
$ mkdir -p fossils local/{bin,etc,log,src,tmp} public_html
$ touch local/log/{access,error}_log

Install fossil
Code:
$ cd
$ cd local/src
$ curl -O http://www.fossil-scm.org/download/fossil-src-20120317175325.tar.gz
$ tar zxf fossil*.tar.gz
$ cd fossil*5
$ ./configure --prefix=/home/fossil/local
$ make
$ mv fossil ~/local/bin/

Create fossil repository
Code:
$ cd
$ cd fossils
$ ~/local/bin/fossil init project1.fossil | tee ~/project1.txt

Install mongoose

Code:
$ cd
$ cd local/src
$ curl -O http://mongoose.googlecode.com/files/mongoose-3.1.tgz
$ tar zxf mongoose*.tgz
$ cd mongoose
$ make linux
$ mv mongoose ~/local/bin/

Create self-signed SSL certificate

Code:
$ cd
$ cp /etc/ssl/certs/make-dummy-cert ~/local/bin/makecert.sh
* Edit answers section of makecert.sh as desired
$ ~/local/bin/makecert.sh ./local/etc/fossil.pem

Create mongoose configuration

Code:
$ cd
$ cat >./local/etc/mongoose.conf <<__EOF__
access_log_file /home/fossil/local/log/access_log
authentication_domain fossil.domain.tld
document_root /home/fossil/public_html
error_log_file /home/fossil/local/log/error_log
listening_ports 80,443s
run_as_user fossil
ssl_certificate /home/fossil/local/etc/fossil.pem
__EOF__

Create CGI interface

* See http://www.fossil-scm.org/fossil/doc...ww/server.wiki
Code:
$ cd
$ cd public_html
$ cat >fossil.cgi <<'__EOF__'
#!/bin/dash

# mongoose 3.1 does not set environment variables as expected.

# Correct PATH_INFO to be the part of REQUEST_URI after the .cgi script
export PATH_INFO=${REQUEST_URI##*.cgi}

# Correct SCRIPT_NAME to be only the .cgi script
export SCRIPT_NAME=${REQUEST_URI%$PATH_INFO}

# set TMP_DIR and TMPDIR to avoid /tmp
export TMP_DIR=/home/fossil/local/tmp
export TMPDIR=/home/fossil/local/tmp

exec /home/fossil/public_html/fossil.helper $PATH_INFO
__EOF__
$ chmod +x fossil.cgi
$ cat >fossil.helper <<__EOF__
#!/home/fossil/local/bin/fossil
directory: /home/fossil/fossils
notfound: http://127.0.0.1/not-found.html
__EOF__
$ chmod +x fossil.helper
$ cat >index.html <<__EOF__
<html>
<head><title>fossil project</title></head>
<body><a href="/fossil.cgi/project1">project1</a></body>
</html>
__EOF__
$ cat >not-found.html <<__EOF__
<html>
<head><title>not found</title></head>
<body><p>not found</p><a href="/">home</a></body>
</html>
__EOF__
$ exit

Run service when system starts

Code:
# cat >/etc/rc.d/rc.local <<__EOF__
#!/bin/dash
/usr/sbin/daemonize /home/fossil/local/bin/mongoose /home/fossil/local/etc/mongoose.conf
__EOF__
# chmod +x /etc/rc.d/rc.local

Correct security settings

* See http://fedoraproject.org/wiki/SELinux/apache
Code:
# restorecon /etc/rc.d/rc.local
# setsebool -P httpd_enable_cgi 1
# setsebool -P httpd_enable_homedirs 1
# setsebool -P httpd_read_user_content 1
# setsebool -P httpd_unified 1
# restorecon -R /home/fossil/public_html
# chcon system_u:object_r:httpd_exec_t:s0 /home/fossil/local/bin/mongoose
# chcon system_u:object_r:httpd_exec_t:s0 /home/fossil/local/bin/fossil
# chcon -R -t httpd_user_rw_content_t /home/fossil/fossils
# chcon -R -t httpd_user_rw_content_t /home/fossil/local/{log,tmp}
# chcon -t httpd_user_content_t /home/fossil/local/etc/fossil.pem
# chcon -t httpd_user_content_t /home/fossil/local/etc/mongoose.conf
# chcon -t httpd_user_script_exec_t /home/fossil/public_html/*.cgi
# chcon -t httpd_user_script_exec_t /home/fossil/public_html/*.helper
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# iptables-save

Start mongoose

Code:
# systemctl start rc-local.service

Test fossil access

* Browse to https://127.0.0.1/fossil.cgi/project1

Last edited by BenCollver; 04-09-2012 at 12:46 AM. Reason: TMPDIR environment variable fix to make sqlite avoid /tmp
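The environment fix in fossil.cgi is the part of this setup most worth understanding on its own, because a wrong SCRIPT_NAME or PATH_INFO changes which repository fossil serves. The following is an added example, not code from BenCollver's post: a POSIX sh function that performs the same split of REQUEST_URI into SCRIPT_NAME and PATH_INFO, with three deliberate differences, each noted in a comment: it uses shortest-match `#` so a `.cgi` further down the path (an artifact path inside the repository, for instance) does not move the split point; it quotes the removed suffix so characters such as `*`, `?` or `[` in the URI are removed literally instead of being treated as a pattern; and it handles a URI that contains no `.cgi` at all instead of returning an empty SCRIPT_NAME. The URIs in the loop at the bottom are constructed.

```shell
#!/bin/sh
# Added example: split a REQUEST_URI (query string already removed, which is
# how mongoose 3.1 passes it) into SCRIPT_NAME and PATH_INFO.
# Output: "SCRIPT_NAME|PATH_INFO" on one line; PATH_INFO may be empty.
split_request_uri() {
    uri=$1
    case "$uri" in
        *.cgi|*.cgi/*)
            # Shortest-match "#" strips up to the FIRST ".cgi", so a later
            # ".cgi" inside PATH_INFO does not shift the split point.
            path_info=${uri#*.cgi}
            # Quote the suffix so "*", "?" or "[" in the URI are removed
            # literally rather than interpreted as a glob pattern.
            script_name=${uri%"$path_info"}
            ;;
        *)
            # No CGI script in the URI: PATH_INFO is empty and SCRIPT_NAME is
            # the whole URI, instead of an empty SCRIPT_NAME.
            path_info=""
            script_name=$uri
            ;;
    esac
    printf '%s|%s\n' "$script_name" "$path_info"
}

# Exercise the function on constructed URIs when the script is run directly.
for u in /fossil.cgi/project1 /fossil.cgi /fossil.cgi/project1/doc/tip/x.cgi /index.html; do
    printf 'REQUEST_URI=%s -> %s\n' "$u" "$(split_request_uri "$u")"
done
```

In the wrapper itself the two halves would be exported as before (`export SCRIPT_NAME=... PATH_INFO=...`) and then handed to fossil.helper; the function form above only makes the split easy to test without a web server in front of it.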
 
Old 05-05-2012, 08:47 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by BenCollver2
Instructions to confine fossil and mongoose in SELinux.
Thanks, good documentation. Only things I think are up for improvement are:


Quote:
Originally Posted by BenCollver2
Run service when system starts
Since it's Fedora 16 shouldn't you be creating a "mongoose.service" systemd script instead of using /etc/rc.d/rc.local? That way you can enable and control service usage better.


Quote:
Originally Posted by BenCollver2
Correct security settings
Use of chcon should be combined with "semanage fcontext" to make changes stick.


Quote:
Originally Posted by BenCollver2
Start mongoose
...if you create "mongoose.service" then this should become 'systemctl enable mongoose.service; systemctl start mongoose.service'.


//NTLB
 
Old 05-17-2012, 01:40 AM   #3
BenCollver
Rogue Class
 
Registered: Sep 2006
Location: OR, USA
Distribution: Slackware 14.1
Posts: 161

Original Poster
Rep: Reputation: 51
unSpawn, thanks for the feedback. As suggested, below are rewrites for the last few sections.

-Ben


Run service when system starts
Code:
# udir=$(pkg-config systemd --variable=systemdsystemunitdir)
# cat >$udir/mongoose.service <<__EOF__
[Unit]
Description=Mongoose httpd
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
ExecStart=/home/fossil/local/bin/mongoose /home/fossil/local/etc/mongoose.conf
Type=simple

[Install]
WantedBy=multi-user.target
__EOF__
# systemctl enable mongoose.service

Correct security settings

* See http://fedoraproject.org/wiki/SELinux/apache

Code:
# setsebool -P httpd_enable_cgi 1
# setsebool -P httpd_enable_homedirs 1
# setsebool -P httpd_read_user_content 1
# setsebool -P httpd_unified 1
# semanage fcontext -a -t httpd_exec_t /home/fossil/local/bin/fossil
# semanage fcontext -a -t httpd_exec_t /home/fossil/local/bin/mongoose
# semanage fcontext -a -t httpd_user_rw_content_t '/home/fossil/fossils(/.*)?'
# semanage fcontext -a -t httpd_user_rw_content_t '/home/fossil/local/(log|tmp)(/.*)?'
# semanage fcontext -a -t httpd_user_content_t /home/fossil/local/etc/fossil.pem
# semanage fcontext -a -t httpd_user_content_t /home/fossil/local/etc/mongoose.conf
# semanage fcontext -a -t httpd_user_script_exec_t '/home/fossil/public_html/.*\.cgi'
# semanage fcontext -a -t httpd_user_script_exec_t '/home/fossil/public_html/.*\.helper'
# restorecon -R /home/fossil/public_html
# restorecon /home/fossil/local/bin/mongoose
# restorecon /home/fossil/local/bin/fossil
# restorecon -R /home/fossil/fossils
# restorecon -R /home/fossil/local/{log,tmp}
# restorecon /home/fossil/local/etc/fossil.pem
# restorecon /home/fossil/local/etc/mongoose.conf
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# iptables-save

Start mongoose
Code:
# systemctl start mongoose.service

Test fossil access

* Browse to https://127.0.0.1/fossil.cgi/project1
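The reason unSpawn asked for `semanage fcontext` alongside `chcon` is that a label set only with chcon is lost the next time the file is relabeled from policy, whereas an fcontext rule is what restorecon applies. A useful follow-up to the `restorecon` run above is therefore to confirm that what is on disk now matches the rules. The following is an added example, not code from either post: a POSIX sh script that takes `ls -Z` style output (security context followed by path, one file per line) and reports every managed file whose SELinux type differs from the type the rules in this thread assign. The five sample lines are constructed; two of them still carry the default user_home_t label so the check has something to find. The fcontext rules are written here as shell `case` globs rather than the regular expressions semanage stores.

```shell
#!/bin/sh
# Added example: compare observed SELinux labels with the types the
# semanage fcontext rules in this thread assign, and list mismatches.

# Constructed sample of `ls -Z` output ("context path" per line). Two of
# the entries deliberately still carry the default user_home_t label.
SAMPLE_LS_Z='unconfined_u:object_r:httpd_user_script_exec_t:s0 /home/fossil/public_html/fossil.cgi
unconfined_u:object_r:user_home_t:s0 /home/fossil/public_html/fossil.helper
unconfined_u:object_r:httpd_user_rw_content_t:s0 /home/fossil/fossils/project1.fossil
unconfined_u:object_r:httpd_exec_t:s0 /home/fossil/local/bin/mongoose
unconfined_u:object_r:user_home_t:s0 /home/fossil/local/etc/fossil.pem'

# Expected type for a path, mirroring the fcontext rules above as shell
# globs (not the regexes semanage stores). Prints nothing for unmanaged paths.
expected_type() {
    case "$1" in
        /home/fossil/local/bin/fossil|/home/fossil/local/bin/mongoose)
            echo httpd_exec_t ;;
        /home/fossil/public_html/*.cgi|/home/fossil/public_html/*.helper)
            echo httpd_user_script_exec_t ;;
        /home/fossil/fossils/*|/home/fossil/local/log/*|/home/fossil/local/tmp/*)
            echo httpd_user_rw_content_t ;;
        /home/fossil/local/etc/fossil.pem|/home/fossil/local/etc/mongoose.conf)
            echo httpd_user_content_t ;;
    esac
}

# The type is the third colon-separated field of a security context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines from $1 and print "path actual (want expected)"
# for every managed path whose type is wrong. Prints nothing if all match.
mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        have=$(context_type "$ctx")
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            printf '%s %s (want %s)\n' "$path" "$have" "$want"
        fi
    done
}

# Returns 1 when any mismatch is found, so the check can gate a later step.
label_check() {
    out=$(mislabeled "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if label_check "$SAMPLE_LS_Z"; then
    echo "all managed files carry the expected type"
else
    echo "relabel needed: run restorecon on the paths listed above"
fi
```

On the Fedora host itself the sample would be replaced by real output, for example `label_check "$(ls -Z /home/fossil/public_html/* /home/fossil/local/etc/*)"`, run after `restorecon`; anything it lists is a file that was labeled by hand (or not at all) but has no matching fcontext rule, which is exactly the case that does not survive a relabel.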
 
  

