LinuxQuestions.org
Old 07-07-2012, 10:21 PM   #1
bednarjm
Member
 
Registered: Jul 2005
Location: Franklin, PA
Distribution: Fedora 19
Posts: 65

Rep: Reputation: 18
SELinux is preventing /usr/sbin/httpd from read access on the file newyorkdog.png


I'm trying to start a small webpage just for fun.

Fedora 17 64bit

[root@coolermaster laresa]# ls -al
total 1640
drwxr-xr-x. 2 root root 4096 Jul 7 22:52 .
drwxr-xr-x. 4 root root 4096 Jul 7 21:35 ..
-rwxr-xr-x. 1 root root 220 Jun 19 10:28 laresa.html
-rwxr-xr-x. 1 jaison jaison 995005 Jul 7 22:28 newyorkdog.png
-rwxr-xr-x. 1 jaison jaison 668494 Jun 18 23:17 us.png

Why is it that I can serve up us.png just fine, but newyorkdog.png trips an selinux alert and a 403 Forbidden? They both have the same file permissions.

Any ideas?
 
Old 07-07-2012, 11:25 PM   #2
SharpyWarpy
Member
 
Registered: Feb 2003
Location: Florida
Distribution: Fedora 18
Posts: 862

Rep: Reputation: 90
You could disable SELinux like I always do.
 
Old 07-08-2012, 05:35 PM   #3
falcom
Member
 
Registered: May 2009
Posts: 102

Rep: Reputation: 13
You could disable SELinux
Quote:
vim /etc/selinux/config
after

Quote:
SELINUX=disabled
after restart...
 
Old 07-08-2012, 06:38 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,134
Blog Entries: 54

Rep: Reputation: 2791
Disabling SELinux without even trying to troubleshoot the issue is like sticking your head in the sand.
Probably wrong context ('ls -alZ') or missing boolean for non-/var/www location.
Either Setroubleshootd, /var/log/messages or /var/log/audit/audit.log should indicate.
 
Old 07-08-2012, 08:05 PM   #5
SharpyWarpy
Member
 
Registered: Feb 2003
Location: Florida
Distribution: Fedora 18
Posts: 862

Rep: Reputation: 90
Quote:
Originally Posted by unSpawn
Disabling SELinux without even trying to troubleshoot the issue is like sticking your head in the sand.
Probably wrong context ('ls -alZ') or missing boolean for non-/var/www location.
Either Setroubleshootd, /var/log/messages or /var/log/audit/audit.log should indicate.
Like sticking your head in the sand? Come on man, not all of us are as proficient as you with the kind of solution you present here. Nor do we all have the time it takes to learn. I'm pretty sure there are quite a few users not talking about it who disable SElinux. It's just not necessary for most users. It became a headache very quickly several years ago to me, almost constantly troubleshooting something to do with SElinux. The man just wants to build a simple web page. I'm offering him a simple way around the problem he's having without leaving him open to security risks. I say let's keep the fun in Linux. SElinux has been a pain and a joke since its inception, just like Pulseaudio. Yes, I disable that too, every time I upgrade.
 
Old 07-09-2012, 10:38 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,134
Blog Entries: 54

Rep: Reputation: 2791
Quote:
Originally Posted by SharpyWarpy
I'm offering him a simple way around the problem he's having without leaving him open to security risks. (..) It's just not necessary for most users. (..) It became a headache very quickly several years ago to me, almost constantly troubleshooting something to do with SElinux. (..) SElinux has been a pain and a joke since its inception, (..)
It's clear old open sores and misconception formed your opinion and made you post your so-called "advice". By suggesting the OP to disable it, you've forgotten four things:
- Fedora is a community project. Everyone can help out. Should help out. Reporting changes helps make the product better. Disabling SELinux does not.
- Security: like Fedora, SELinux is a work in progress. Disabling SELinux may be helpful now in terms of shallow and instant gratification but it is not a long-term solution. Disabling SELinux is not even necessary when a workaround is possible. While there are other means to secure slash harden a machine, SELinux offers a substantial and "combat-proven" increase. Disabling SELinux lowers the security posture of the whole machine and here seems disproportional for "fixing" just one measly problem.
- (mis)Information: when SELinux was in its infancy there were Real Life reasons to disable it. Unfortunately the reflex still exists and is often advertised without careful thought. Since there is no comparable alternative (GRSecurity-enabled kernel or another MAC or moving to another OS) that's usable, maintained and supported we should advertise instead it's OK to run it because much has improved since more recent Fedora releases, it's maintained and supported and help can be had for the asking. The Fedora web site provides tons of easily readable documentation to start troubleshooting and fixing the problem.

Suggesting to turn off SELinux completely is not helping Fedora, the LQ Community, SELinux and the OP. IMHO.
 
Old 07-09-2012, 10:50 AM   #7
SharpyWarpy
Member
 
Registered: Feb 2003
Location: Florida
Distribution: Fedora 18
Posts: 862

Rep: Reputation: 90
@ unspawn: I figured I'd get that kind of response from you. In fact I was counting on it. Bye.
 
Old 07-09-2012, 04:13 PM   #8
John VV
Guru
 
Registered: Aug 2005
Posts: 12,833

Rep: Reputation: 1709
Quote:
You could disable SELinux like I always do.
NOT just unspawn!!!

you should NEVER disable it
except for the normal testing to see IF you NEED to create a new SE rule
and to see IF it is SE and not a misconfiguring of something else

on fedora you have "SELinuxTroubleShooter" installed BY DEFAULT
a little yellow/gold star will show up informing you there IS an error

read the error !
trouble shooter will post THE FIX in that error
and 99 % of the time it works

for that 1 % you need to write a new SE rule, using "audit2allow"

SELinux is VERY VERY easy to use these days
a bit old but...
http://fedoraproject.org/wiki/SELinux
and PLEASE FOLLOW the guides for troubleshooting
http://fedoraproject.org/wiki/SELinux/Troubleshooting
http://rackerhacker.com/2012/01/25/g...-with-selinux/


turning it off is like

having ADT home security installed in your house
BUT because you can NOT be bothered using the key pad to type in a password and turn it on or off

you KEEP it OFF and REALLY ONLY on the sticker on the door

Last edited by John VV; 07-09-2012 at 04:16 PM.
 
Old 07-09-2012, 07:09 PM   #9
stoggy
Member
 
Registered: Jun 2008
Location: Dallas, TX
Distribution: Slackware and FC
Posts: 107

Rep: Reputation: 20
yea selinux is good. plus it's easy.

# this will show you the selinux permissions.
ls -lZ /path/to/files
# ... just an example ...
drwx------ user group user_u:object_r:user_home_t bin
-rw-rw-r-- user group user_u:object_r:user_home_t some.tar


Then you can find the logs about why something is failing in /var/log/audit/audit.log. So cause the failure and do this; it will show you why it's failing. Read them, they are pretty self-explanatory.
sudo tail /var/log/audit/audit.log
#... just an example ... Here the problem was the context was unconfined_t, I needed to relabel the file.
type=USER_CMD msg=audit(13391111118.101:30000): user pid=795 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/path/to/file" cmd=7888999463336562121E20266671711 (terminal=pts/0 res=failed)'

# Then run this. It may tell you to relabel your files. something like restorecon /path/to/file, in which case just do that. but if it shows a module type output, see John VV's links for more info,
# you will need to make a new module to fix it.
sudo tail /var/log/audit/audit.log | audit2allow

###
### My guess is you need to do restorecon on your newyorkdog.png file.
###

# then to fix it you can do.
sudo tail /var/log/audit/audit.log | audit2allow -M test
sudo semodule -i test.pp

# this should solve your problem. If you find you need to add stuff to test.pp, then you can change the audit2allow command like this.
sudo tail /var/log/audit/audit.log | audit2allow -o test
sudo semodule -i test.pp

this will add "more" to the test.pp module. So you can try it and if you get another failure for a different file or something.
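
Added example, not part of any post in this thread: the audit.log check that posts #4 and #9 describe, as a shell function that pulls the source and target SELinux types out of AVC denial records and flags a denied file whose type differs from the type httpd content is expected to carry. The log lines, the contexts in them and the function name `triage` are constructed for illustration; the thread never shows the real denial record.

```shell
#!/bin/sh
# Constructed AVC records (contexts, pids and timestamps are made up).
# Record 1: a file that kept a home-directory label after being moved into the web root.
# Record 2: a non-AVC line belonging to the same event, which must be skipped.
# Record 3: a denial on a file that already has the expected content label.
SAMPLE_LOG='type=AVC msg=audit(1341715920.123:451): avc:  denied  { read } for  pid=2210 comm="httpd" name="newyorkdog.png" dev="dm-1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1341715920.123:451): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1341716001.877:460): avc:  denied  { write } for  pid=2211 comm="httpd" name="laresa.html" dev="dm-1" ino=393287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# triage EXPECTED_TYPE   (audit lines on stdin)
# Prints one line per AVC denial: name, permission(s), source type, target type
# and a verdict. "relabel" means the object does not carry EXPECTED_TYPE, so
# restoring the default context is the first thing to try. "review" means the
# label is already the expected one, so the denial needs a look at booleans or
# policy before any module is generated from it.
triage() {
  awk -v want="$1" '
    $1 == "type=AVC" && /denied/ {
      name = "-"; src = "-"; tgt = "-"; perm = "-"
      # The permission set sits between "{ " and " }" and may hold several words.
      s = index($0, "{ "); e = index($0, " }")
      if (s && e > s) { perm = substr($0, s + 2, e - s - 2); gsub(/ /, ",", perm) }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
        # A context is user:role:type:level; the type is the third part.
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
      }
      print name, perm, src, tgt, (tgt == want ? "review" : "relabel")
    }'
}

# Run against the constructed sample; on a real host, feed it the audit log instead.
printf '%s\n' "$SAMPLE_LOG" | triage httpd_sys_content_t
```

The `name=` field of an AVC record is only the file's base name, so the path to pass to `restorecon` has to come from the web server's error log or from `ls -lZ` on the directory.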
 
Old 07-09-2012, 09:18 PM   #10
SharpyWarpy
Member
 
Registered: Feb 2003
Location: Florida
Distribution: Fedora 18
Posts: 862

Rep: Reputation: 90
Well I just had a quick scan of http://fedoraproject.org/wiki/SELinux and frankly I'm lost. I'm not a programmer, don't know any programming languages unless you count HTML with a little CSS thrown in. I don't run any servers. It looks to me like the proponents of SElinux are saying if you don't use it you shouldn't use Linux. Which is odd because I've been using Linux very successfully now since 2002. I keep a firewall up and I know enough about it to serve my needs. So, is SElinux mainly for people running HTTP and/or FTP servers? I can't really tell from the provided links.
 
  

