LinuxQuestions.org

-   -   Problem with SELinux on Fedora 9 (http://www.linuxquestions.org/questions/linux-software-2/problem-with-selinux-on-fedora-9-a-671369/)

nbcohen 09-21-2008 09:09 AM

Problem with SELinux on Fedora 9
 
I'm attempting to install a CMS on my Fedora 9 system. I thought I had installed the OS with SELinux in 'warning' mode - when I try to install the CMS, I get this error:

SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.

The suggested fix is:

Fix Command: setsebool -P httpd_unified=1

I can run setsebool on the command line and it doesn't seem to complain. But then re-running my CMS install brings up the same error.

Question - is there an easy way to bypass this? Is there an easy way to just disable SELinux? (Secondary question - is disabling SELinux a bad thing to do??)

Thanks,

nbc

unSpawn 09-21-2008 10:09 AM

Quote:

Originally Posted by nbcohen (Post 3287228)
I can run setsebool on the command line and it doesn't seem to complain. But then re-running my CMS install brings up the same error.

While I am not familiar with the F9 SE Linux policy and don't know the "this machine has a tightened security policy" part, the text points to running 'chcon' on the files the webserver should access. For that you need to know which files need to be accessed and in what way. Checking your syslog and access_log may hold more clues. Checking (error_)logs is good anyway in case you do actually run SE Linux in permissive mode (run 'getenforce' to see mode) and other errors occur.


Quote:

Originally Posted by nbcohen (Post 3287228)
(Secondary question - is disabling SELinux a bad thing to do??)

While running SE Linux makes it look like it's harder to have "fun" with your machine, it considerably increases the security posture of your machine. It does work and Real Life examples make it "combat-proven". Next to that, a CMS isn't exactly the least vulnerable software around. A lot of times flaws are abused faster than the user updates the software. Next to that, you're running F9. Reporting (Fedora bug tracker) any problems running it could help others and so help evolve this distribution. Every Fedora user should help. Taking all that into account makes yours a primary question to which the answer is "yes". Disabling SE Linux should not be an involuntary reflex or advice given out of laziness, and it should only be disabled after reviewing other security measures and on a case by case basis.

nbcohen 09-21-2008 10:19 AM

SELinux/Fedora9
 
I did some digging and I found that SELinux is in fact enabled on my system. It can be put into 'permissive' mode, where it will log actions but not deny them, by editing /etc/selinux/config (this may be Fedora-specific; other systems may do it differently).

Your suggestion of using chcon is one that I will look into.
The machine in question is inside my firewall and I'm doing some development testing on it - so running selinux in permissive mode will probably be ok for this. But I agree that disabling it for a machine running a net-connected web server is probably not the best idea.

Thanks for the help

nbc
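
Added example, not from the thread and not commands either poster ran: the checks unSpawn and nbcohen describe, as shell functions that can be exercised offline. It reads and switches the SELINUX= line of an /etc/selinux/config-style file (nbcohen's permissive-mode edit), and it generates the chcon labelling the error message asks for when httpd_unified is off, using the sys variants of the types the message lists. The sample config text, the sample document root under a temp directory, and the choice of "data" as the writable subdirectory are constructed assumptions; on a real box the file is /etc/selinux/config and the document root is wherever the CMS was unpacked.

```shell
#!/bin/sh
# Added example for the thread above; nothing here is from the original posts.
# Paths, the sample config and the sample document root are constructed.

# 1. Read the persistent mode from an /etc/selinux/config-style file.
#    Takes any path so it can be tested against a constructed copy;
#    the live file is /etc/selinux/config. Last SELINUX= line wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# 2. Change SELINUX= in place (what nbcohen did by hand). Only the SELINUX=
#    line changes; SELINUXTYPE= and comments are kept. This takes effect at
#    the next boot; 'setenforce 0' is the runtime equivalent of permissive.
selinux_set_config_mode() {
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# 3. Map a file under the document root to the type the setroubleshoot text
#    asks for with httpd_unified off (TYPE = sys):
#      cgi-bin/          -> httpd_sys_script_exec_t  (scripts httpd may run)
#      <writable>/       -> httpd_sys_script_rw_t    (scripts may read/write)
#      everything else   -> httpd_sys_content_t      (read-only content)
#    The writable subdirectory name is an assumption passed by the caller.
httpd_label_for() {
    path=$1 docroot=$2 writable=$3
    case $path in
        "$docroot"/cgi-bin/*)     echo httpd_sys_script_exec_t ;;
        "$docroot"/"$writable"/*) echo httpd_sys_script_rw_t ;;
        "$docroot"/*)             echo httpd_sys_content_t ;;
        *) echo "not under $docroot: $path" >&2; return 1 ;;
    esac
}

# 4. Emit one chcon per file, as the thread suggests. Note chcon is not
#    persistent: a later 'restorecon' reverts to the policy's default. To
#    keep the label, record it with
#      semanage fcontext -a -t TYPE 'DOCROOT/SUBDIR(/.*)?'
#    and then run 'restorecon -R DOCROOT'.
httpd_chcon_commands() {
    docroot=$1 writable=$2
    find "$docroot" -type f | sort | while read -r f; do
        t=$(httpd_label_for "$f" "$docroot" "$writable") || continue
        printf 'chcon -t %s %s\n' "$t" "$f"
    done
}

# Constructed fixture: a fake config and a tiny CMS tree in a temp dir.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    mkdir -p "$d/html/cgi-bin" "$d/html/data" "$d/html/css"
    : > "$d/html/index.php"
    : > "$d/html/cgi-bin/hello.cgi"
    : > "$d/html/data/cache.db"
    : > "$d/html/css/site.css"
    echo "$d"
}

# 5. On the real box, verify before concluding the boolean "didn't take":
#    the running mode, the boolean's value, and the AVC denials that
#    setroubleshoot summarised (Fedora logs them to audit.log).
if command -v getenforce >/dev/null 2>&1; then
    getenforce || true                 # Enforcing / Permissive / Disabled
    getsebool httpd_unified || true    # should read 'on' after setsebool -P
    ausearch -m avc -c httpd -ts recent 2>/dev/null | tail -n 20 || true
fi

# Offline demonstration against the constructed fixture.
d=$(make_fixture)
echo "persistent mode: $(selinux_config_mode "$d/config")"
selinux_set_config_mode "$d/config" permissive
echo "after edit:      $(selinux_config_mode "$d/config")"
httpd_chcon_commands "$d/html" data
rm -rf "$d"
```

Two things the script makes explicit that the thread only hints at: setsebool without -P is lost at reboot, so after 'setsebool -P httpd_unified=1' the first check is 'getsebool httpd_unified', not another install attempt; and chcon labels do not survive a relabel, so the semanage fcontext form is what belongs in a deployment note.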

unSpawn 09-21-2008 04:49 PM

Quote:

Originally Posted by nbcohen (Post 3287280)
editing /etc/selinux/config (this may be Fedora specific, other systems may do it differently)

AFAIK that's the default config location.


Quote:

Originally Posted by nbcohen (Post 3287280)
The machine in question is inside my firewall and I'm doing some development testing on it - so running selinux in permissive mode will probably be ok for this.

I'd add one condition: and no access over untrusted networks is allowed. Practice shows it's too easy to forget to enable the safety features before showing your work to a customer or allow somebody else to test it. Unfortunately that's not a mistake only amateurs make :-(

