terek

[Log in to get rid of this advertisement]

Hello,

I have been doing searches and researching this problem for two days now and have not been able to come up with any solution other than turning off SELinux with
The error I am getting when I try to log onto my squirrelmail page is the following:
I have made sure the directory is owned by apache and apache has read/write access to the directory

someuser was a user I logged on as with setenforce 0, and it created his preference file then. However it cannot access even his preference file when I log on as him when I have SELinux turned back on.

I am running FedoraCore 5.

Is there any way I can give httpd access to that directory for user preferences and default preferences without turning off SELinux.

Thank you for your time
Terek

billymayday

Don't know if this helps, but here's the setup on CentOS - and this is running SELinux

Edit - the smiley faces are colon followed by the letter o

unSpawn

IMHO the most generic approach would be to look for SELinux warnings in syslog and audit.log, run them through audit2allow and add to your local policy.

billymayday

As I recall, I had to set httpd_can_network_connect for SM to work with SELinux.

Try setsebool -P httpd_can_network_connect 1

terek

I have already done this. It was neccesary to allow squirrel mail to log into my imap server. But thank you for the suggestion.


UnSpawn thank you for this. I am looking it up in audit.log now and see the message. I will research how to use audit2allow.

I couldn't find a log called syslog in my /var/log

If I can't figure out how to use audit2allow I will post again.

Thanks,
terek

terek

Ok I took a small section of my audit.log that contains only the single attempt from accessing my imap server to attempting to read the file and to prevent me from getting any additional suggestions that would create a security hole. Here is the suggestion it came up with.

is there any way I can limit this rule to a specific location such as /var/local/squirrelmail/data
?

Do you know where there are any good howTo's for fedora core 5's semanage? Looks like with fedora that is how I will have to add this rule to SELinux.

unSpawn

As far as I understand SELinux your HTTP daemon runs in its own httpd module. It has rules to read config files (httpd_config_t), logs (httpd_log_t) and docroot (httpd_sys_content_t). It isn't expected to read files outside the docroot, so that's the boundary. Unfortunately a lot of /var contents are generically tagged "var_t" so indeed that makes it *could* read other files. Fortunately SELinux operates *on top of* the discretionary access rights, so if a directory has access rights for user and group root with octal mode 0750 it couldn't read those contents being user www even if it had SELinux allow it. Similary if a directory has access rights for user root and group www with octal mode 0710 it could only access files if it knows the name already for.


The Fedora site has 'em all. If you have semodule see if "audit2allow -M /root/localpolicy < /var/log/audit/audit.log", review localpolicy.te, then "semodule -i /root/localpolicy.pp" works. Else you'll need to install the policy source files and do something like "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/localpolicy.te" and "make -C /etc/selinux/$POLICYTYPE/src/policy load".

* BTW FC5 is *deprecated*, no longer maintained. If you want to stay with Fedora you *must* plan installing the current release. I've done upgrading from F6 > F7 > F8 w/o probs, but YMMV.

terek

Thank you everyone for your help I have gotten it working and am going to take a break.

After much more research I found out I was wrong about having to use semanage.

I found this on fedoraproject.org
[HTML]http://docs.fedoraproject.org/selinux-faq-fc5/#faq-entry-local.te[/HTML]
There is a spot for
That is the section that helped me the most. Note I had to make sure I had the FC5's distribution of checkpolicy.rpm and got that from the install cd I had. When I tried to use the most current checkpolicy.rpm it would make a policy .mod file with version 6 and the semodule I was using would only take 4-5.

So here is my policy file that I made. Note I was selective on what was grabbed by looking at every denied message in audit.log and only pulling out the ones related to httpd and made sure they really were trying to do what I was expecting to do (like it would tell me what file it was trying to read/create/write etc).

Here are the instructions I used for anyone else who might have this problem with Fedora Core (note I don't think this method works with most distributions because I found a lot of examples where you would have to recompile SELinux with the new policies. Fedora said they made it so you could create policy modules that you could load manually. Also Fedora in that link I listed earlier said that if you load a policy module when another module already exists with the same name then it overwrites that policy. So be careful not to name it by a policy of the same name.

Thanks again for all your help. I don't think I would have known to look up audit2allow if it weren't for your suggestion. Also thank you for pointing out that SELinux operates on top of the discretionary access rights, it is good to know.
terek

billymayday

I think you'll find that the policies are fixed in later releases of Fedora - FC5 has been off maintainance for a while now

unSpawn

Well done getting it to work Terek. And thanks for the elaborate response. This'll sure help others.