LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 09-21-2008, 09:09 AM   #1
nbcohen
Member
 
Registered: Mar 2003
Location: Northern Virginia
Distribution: RH Enterprise, Fedora
Posts: 96

Rep: Reputation: 17
Problem with SELinux on Fedora 9


I'm attempting to install a CMS on my Fedora 9 system. I thought I had installed the OS with SELinux in 'warning' mode - when I try to install the CMS, I get this error:

SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.

The suggested fix is:

Fix Command: setsebool -P httpd_unified=1

I can run setsebool on the command line and it doesn't seem to complain. But then re-running my CMS install brings up the same error.

Question - is there an easy way to bypass this? Is there an easy way to just disable SELinux? (Secondary question - is disabling SELinux a bad thing to do??)

Thanks,

nbc
 
Old 09-21-2008, 10:09 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Quote:
Originally Posted by nbcohen View Post
I can run setsebool on the command line and it doesn't seem to complain. But then re-running my CMS install brings up the same error.
While I am not familiar with the F9 SE Linux policy and don't know the "this machine has a tightened security policy" part, the text points to running 'chcon' on the files the webserver should access. For that you need to know which files need to be accessed and in what way. Checking your syslog and access_log may hold more clues. Checking (error_)logs is good anyway in case you do actually run SE Linux in permissive mode (run 'getenforce' to see mode) and other errors occur.


Quote:
Originally Posted by nbcohen View Post
(Secondary question - is disabling SELinux a bad thing to do??)
While running SE Linux makes it look like it's harder to have "fun" with your machine it considerably increases the security posture of your machine. It does work and Real Life examples make it "combat-proven". Next to that a CMS isn't exactly the least vulnerable software around. A lot of times flaws are abused faster than the user updates the software. Next to that you're running F9. Reporting (Fedora bug tracker) any problems running it could help others and so help evolve this distribution. Every Fedora user should help. Taken all into account that makes yours a primary question to which the answer is "yes". Disabling SE Linux should not be an involuntary reflex or advice given out of laziness, and should only be disabled after reviewing other security measures and on a case by case basis.
 
Old 09-21-2008, 10:19 AM   #3
nbcohen
Member
 
Registered: Mar 2003
Location: Northern Virginia
Distribution: RH Enterprise, Fedora
Posts: 96

Original Poster
Rep: Reputation: 17
SELinux/Fedora9

I did some digging and I found that SELinux is in fact enabled on my system. It can be put into 'permissive' mode where it will log actions but not deny them by editing /etc/selinux/config (this may be Fedora specific, other systems may do it differently)

Your suggestion of using chcon is one that I will look into.
The machine in question is inside my firewall and I'm doing some development testing on it - so running selinux in permissive mode will
probably be ok for this. But I agree that disabling it for a machine
running a net-connected web server is probably not the best idea.

Thanks for the help

nbc
 
Old 09-21-2008, 04:49 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Quote:
Originally Posted by nbcohen View Post
editing /etc/selinux/config (this may be Fedora specific, other systems may do it differently)
AFAIK that's the default config location.


Quote:
Originally Posted by nbcohen View Post
The machine in question is inside my firewall and I'm doing some development testing on it - so running selinux in permissive mode will probably be ok for this.
I'd add one condition: and no access over untrusted networks is allowed. Practice shows it's too easy to forget to enable the safety features before showing your work to a customer or allow somebody else to test it. Unfortunately that's not a mistake only amateurs make :-(
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SELinux problem with Zend Optimizer on Fedora release 7 gnetcon Linux - Software 3 03-29-2009 09:19 PM
A great article on Fedora SELINUX mickeyboa Fedora 0 02-26-2008 09:46 AM
Problem with administration SELinux in Fedora 7 Alex_Saf Fedora 2 07-25-2007 12:47 AM
SElinux causing Apache/httpd problem on Fedora 6 badengineer Linux - Security 1 06-04-2007 10:47 AM
Fedora 2 with SELINUX startup errors Pisces107 Fedora 4 09-26-2004 01:08 AM


All times are GMT -5. The time now is 11:32 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration