LinuxQuestions.org
Old 08-13-2008, 03:54 AM   #1
rajnishmishra
LQ Newbie
 
Registered: Jul 2004
Location: rishikesh(india)
Distribution: red hat
Posts: 18

httpd access with selinux enforce mode, restriction issues.


hi all,

I am running (test machine) RHEL5 with httpd and SELinux enabled. I have a little idea that httpd requires the context httpd_sys_content_t on data which needs to be served through it.
Now I created one directory /data with some contents with the following context:

#ls -ldZ /data
drwxr-xr-x root root root:object_r:root_t /data

#ls -lZ /data
-rw-r--r-- root root root:object_r:etc_runtime_t hi
drwxr-xr-x root root root:object_r:root_t test

I just added one Alias for /data in httpd.conf and a <Directory> entry; now I can access the contents of /data.

Now, doesn't SELinux have to prevent httpd from accessing /data due to its different context? Please, can anybody explain what's happening?

thanks,
rajnish
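The post above hinges on which SELinux type each entry under the aliased directory carries. The following script is an added example (not code from the thread or from any of its participants): it parses `ls -lZ`-style output of the form shown above, reports every entry whose type is not httpd_sys_content_t (the type the poster says httpd needs), and prints the relabeling commands an administrator would normally run to fix that. The sample listing is constructed here from the thread's entries plus one correctly labelled index.html; the `semanage`/`restorecon` lines are only printed, not executed.

```shell
#!/bin/sh
# Constructed sample of `ls -lZ /data` output in RHEL5 format
# (perms user group context name). "hi" and "test" mirror the thread;
# index.html is an added, correctly labelled entry for contrast.
SAMPLE_LS_Z='-rw-r--r-- root root root:object_r:etc_runtime_t hi
drwxr-xr-x root root root:object_r:root_t test
-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html'

# Return the SELinux type, i.e. the third field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stdin: ls -lZ lines; arg1: expected type (default httpd_sys_content_t).
# stdout: "name type" for every entry whose type differs from the expected one.
list_mislabeled() {
    want="${1:-httpd_sys_content_t}"
    while read -r perms user group ctx name; do
        [ -n "$name" ] || continue          # skip blank lines
        t=$(context_type "$ctx")
        [ "$t" = "$want" ] || echo "$name $t"
    done
}

# stdin: ls -lZ lines; stdout: number of mislabeled entries.
count_mislabeled() {
    list_mislabeled "$@" | wc -l | tr -d ' '
}

# Print (do not run) the standard way to give a directory tree a persistent
# httpd_sys_content_t label: record the rule, then apply it with restorecon.
suggest_relabel() {
    dir="$1"
    echo "semanage fcontext -a -t httpd_sys_content_t \"$dir(/.*)?\""
    echo "restorecon -Rv $dir"
}

echo "Entries not labelled httpd_sys_content_t:"
printf '%s\n' "$SAMPLE_LS_Z" | list_mislabeled
echo "Suggested fix:"
suggest_relabel /data
```

Run on a real box, replace the constructed sample with `ls -lZ /data | list_mislabeled`; anything it reports is a candidate for the printed relabel commands. Note that whether httpd_t can read a given type is decided by the loaded policy, so a type other than httpd_sys_content_t is a finding to investigate (with audit2allow or sesearch), not automatically a denial.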
 
Old 08-14-2008, 06:41 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

I could not reproduce your findings. What does running 'sestatus' return? And 'getsebool httpd_disable_trans'? Are there *any* AVC messages wrt http? Anything else we should know about? What happens if you create a file within /var/www/html/ (which should be httpd_sys_content_t) and deliberately chcon it to something ludicrously wrong like device_t? Is it still accessible?
 
Old 08-14-2008, 11:56 PM   #3
rajnishmishra
LQ Newbie
 
Registered: Jul 2004
Location: rishikesh(india)
Distribution: red hat
Posts: 18

Original Poster
thanks unSpawn,

output from sestatus and getsebool:

[root@test2 ~]# getsebool httpd_disable_trans
httpd_disable_trans --> off

[root@test2 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

As you asked, I placed one file in the document root and changed its context to device_t; on accessing it, setroubleshoot popped up with AVC messages. On searching /var/log/audit/audit.log, nothing for /data.

Thanks for your effort and precious time.

rajnish
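Posts #2 and #3 above turn on whether the audit log contains AVC denials for the httpd_t domain. The script below is an added example, not code from the thread or its participants: it filters audit.log-style lines down to denials whose source context is httpd_t and extracts the denied permission, the target file name and the target type. The three log lines are constructed for the example (the second imitates the device_t test described in post #3); the field layout follows the standard `type=AVC ... scontext=... tcontext=... tclass=...` record format.

```shell
#!/bin/sh
# Constructed sample /var/log/audit/audit.log lines (not from the thread):
#  1. a granted httpd read of a normally labelled file
#  2. the denial produced by the chcon-to-device_t test from post #3
#  3. an unrelated denial from another domain, to show the filtering
SAMPLE_AUDIT='type=AVC msg=audit(1218700000.101:201): avc:  granted  { read } for  pid=2001 comm="httpd" name="index.html" dev=sda2 ino=100 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1218700010.202:202): avc:  denied  { read } for  pid=2001 comm="httpd" name="test.html" dev=sda2 ino=101 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1218700020.303:203): avc:  denied  { write } for  pid=1500 comm="cupsd" name="printers.conf" dev=sda2 ino=102 scontext=root:system_r:cupsd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file'

# stdin: audit.log lines; stdout: AVC denials whose subject domain is httpd_t.
httpd_denials() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:httpd_t'
}

# stdin: audit.log lines; stdout: "<permission> <target name> <target type>"
# for each httpd denial. The type is the third field of the tcontext.
httpd_denied_targets() {
    httpd_denials | sed -n \
        's/.*{ \([a-z_]*\) }.*name="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1 \2 \3/p'
}

# stdin: audit.log lines; stdout: number of httpd denials.
httpd_denial_count() {
    httpd_denials | wc -l | tr -d ' '
}

echo "httpd denials in sample log: $(printf '%s\n' "$SAMPLE_AUDIT" | httpd_denial_count)"
printf '%s\n' "$SAMPLE_AUDIT" | httpd_denied_targets
```

On the real system the equivalent check is `httpd_denied_targets < /var/log/audit/audit.log` (or `ausearch -m avc -c httpd`, which also decodes timestamps). An empty result for a directory that is served without trouble, as the poster reports for /data, means the policy allowed the access; the next step is then to inspect the allow rules for httpd_t against the types in question rather than to look for a missing denial.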
 
Old 08-19-2008, 04:46 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Sorry for the late response (busy) and thanks for the info. Unfortunately this doesn't show anything odd, so I'd like more info. Do you have a local policy in effect ('semodule -l' should show modules)? Could you post your httpd.conf w/o the comment lines?