LinuxQuestions.org
Old 06-25-2008, 06:47 AM   #1
piercey
LQ Newbie
 
Registered: Sep 2007
Distribution: Gentoo, RHEL 5.2, CentOS 5
Posts: 23
Thanked: 0
SELinux Help

Hi everyone,

I'm trying to get a custom Apache build to work using SELinux.

Consider the following path (/Applications is a mount point I created):
/Applications/Apache/{conf,bin,htdocs,lib,etc}

All the Apache directories are stored in this directory structure. I've relabeled the filesystem using:
Code:
restorecon -R -v /Applications
Now all the files in the directory structure have the following context:
Code:
drwxr-xr-x  root sys system_u:object_r:default_t
Now, I want the httpd executable to run as the httpd_t type (like the default red hat apache). So I've attempted to relabel the sub folders in an attempt to use the same context as apache:
Code:
chcon -R -h -t httpd_sys_content_t /Applications/Apache/htdocs
chcon -R -h -t httpd_exec_t /Applications/Apache/bin
chcon -h -t httpd_suexec_exec_t /Applications/Apache/bin/suexec
chcon -R -h -t httpd_config_t /Applications/Apache/conf
chcon -R -h -t httpd_config_t /Applications/Apache/ssl
chcon -R -h -t httpd_log_t /Applications/Apache/logs
chcon -R -h -t httpd_modules_t /Applications/Apache/modules
chcon -R -h -t lib_t /Applications/Apache/lib
Now when I start Apache via my custom SYSVInit script it runs as the correct context, ie. "httpd_t". However I get a number of errors about the "default_t" label:

Code:
Jun 25 10:56:00 setroubleshoot: SELinux is preventing access to files with the default label, default_t.
The only help I've managed to find on this via google is the same message I get from setroubleshootd.

So this is where I'm stuck. I'm not sure what label these directories should be using. Is there any way to find out? Also when doing a relabel all the manual labeling I've done above is reset. Do I need to create a selinux policy for this in order to stop it relabeling these files as default_t ?

Any help on this is appreciated,

Cheers.
Old 06-25-2008, 07:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 16,718
Blog Entries: 30
Thanked: 285
Quote:
Originally Posted by piercey
I'm trying to get a custom Apache build to work using SELinux.
Please fill in your distro info in your profile; it makes it easier to customise any advice for what you use. Else (if this is embedded stuff), listing what distro you use and any relevant details (or referring to another thread with that info) may speed things up.


Quote:
Originally Posted by piercey
Consider the following path (/Applications is a mount point I created): /Applications/Apache/{conf,bin,htdocs,lib,etc}
(..) Now all the files in the directory structure have the following context: drwxr-xr-x root sys system_u:object_r:default_t

Quote:
Originally Posted by piercey
I get a number of errors about the "default_t" label


Quote:
Originally Posted by piercey
So this is where I'm stuck. I'm not sure what label these directories should be using. Is there any way to find out? Also when doing a relabel all the manual labeling I've done above is reset. Do I need to create a selinux policy for this in order to stop it relabeling these files as default_t ?
As the doc you refer to says, default_t is only a "catchall" usable if no other valid label exists.
There are a few ways of getting things in order:
- If you installed the default httpd package you could check the context on the dirs that *contain* dirs Apache uses (ls -alZ /etc /var/ /usr) and pick the most appropriate one. If you check /usr you'd see it has "system_u:object_r:usr_t". /opt (at least on my CentOS-5) has the same. You could conclude that /Applications (a horrible and non-LSB naming scheme IMNSHO) could have the same.
- You could easily use the AVC messages to adjust your policy using this script. Be warned though, YMMV(VM) as usual, and because of the "grep 'default_t'" it only addresses those errors:
Code:
#!/bin/bash --
# Our root:
[ -d /root/selinux/modules ] || mkdir -p /root/selinux/modules
cd /root/selinux/modules || { echo error stage0; exit 1; }
# Generate plaintext policy
( cat /var/log/audit/audit.log; cat /var/log/messages ) | grep 'default_t' | audit2allow -M default_t || { echo error stage1; exit 1; }
# Check syntax:
checkmodule -M -m default_t.te || { echo error stage2; exit 1; }
# Write module:
checkmodule -M -m -o default_t.mod default_t.te || { echo error stage3; exit 1; }
# Package up module and extents:
semodule_package -o default_t.pp -m default_t.mod || { echo error stage4; exit 1; }
# Context for object:
chcon system_u:object_r:semanage_store_t default_t.*
# Install module
semodule -i default_t.pp || { echo error stage5; exit 1; } &&  { echo "SELinux loading of default_t.pp finished OK."; cd; }
exit 0
- You could add to the httpd policy, write your own one based on the httpd policy "template", or create a new one. To create a new one using 'system-config-selinux', go to "Policy module", select "new" and follow the steps.

HTH.

Last edited by unSpawn; 06-25-2008 at 07:43 AM.. Reason: (...)
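The first post also asks whether a policy is needed to stop a relabel resetting the hand-applied chcon labels to default_t. The usual answer is the file-context database rather than a policy module: chcon changes a file's label in place, restorecon resets it to whatever file_contexts says, and semanage fcontext adds the missing rule to that database so the two agree. The script below is an added example, not code from the thread; it turns the chcon lines from post #1 (plus usr_t for the mount point, as suggested above) into the equivalent semanage rules and assumes the semanage utility from policycoreutils is installed. The regex conventions are those of file_contexts: a directory tree is PATH(/.*)?, a single file is its literal path.

```shell
#!/bin/sh
# Added example, not code from the thread. chcon changes a file's label in
# place, so a full relabel (restorecon -R, fixfiles, or an autorelabel boot)
# resets it to whatever the file-context database says, here default_t.
# semanage fcontext adds a rule to that database so the label survives.

# Escape a literal path for use inside the regex semanage expects.
fc_escape() {
    printf '%s\n' "$1" | sed 's/[].*^$()+?{}|\\[]/\\&/g'
}

# The regex meaning "this directory and everything under it".
fc_regex() {
    printf '%s(/.*)?\n' "$(fc_escape "$1")"
}

# The semanage command equivalent to "chcon -R -t TYPE DIR" ($1 = type, $2 = dir).
fc_rule() {
    printf "semanage fcontext -a -t %s '%s'\n" "$1" "$(fc_regex "$2")"
}

# The directories relabelled by hand in post #1, with the types used there
# (the mount point itself gets usr_t, following unSpawn's suggestion).
apache_fc_rules() {
    fc_rule usr_t               /Applications
    fc_rule httpd_sys_content_t /Applications/Apache/htdocs
    fc_rule httpd_exec_t        /Applications/Apache/bin
    fc_rule httpd_config_t      /Applications/Apache/conf
    fc_rule httpd_config_t      /Applications/Apache/ssl
    fc_rule httpd_log_t         /Applications/Apache/logs
    fc_rule httpd_modules_t     /Applications/Apache/modules
    fc_rule lib_t               /Applications/Apache/lib
    # A single file, not a tree: literal path, no (/.*)? suffix.
    printf "semanage fcontext -a -t httpd_suexec_exec_t '%s'\n" \
        "$(fc_escape /Applications/Apache/bin/suexec)"
}

# Install the rules and relabel; only meaningful as root on an SELinux host.
apply_apache_fc_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v semanage >/dev/null 2>&1; then
        echo "need root and semanage (policycoreutils); printing rules only" >&2
        apache_fc_rules
        return 1
    fi
    apache_fc_rules | sh -e || return 1
    # restorecon now reads these rules back instead of resetting to default_t.
    restorecon -R -v /Applications
}

# Stand-alone run: print the rules for review (apply_apache_fc_rules installs them).
apache_fc_rules
```

When several rules match a path, libselinux applies the most specific one, so the httpd_* entries under /Applications/Apache take precedence over the usr_t rule for the mount point; `matchpathcon /Applications/Apache/htdocs` shows which rule wins without touching any file, and `semanage fcontext -l` lists what has been added.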
Old 06-25-2008, 11:21 AM   #3
piercey
LQ Newbie
 
Registered: Sep 2007
Distribution: Gentoo, RHEL 5.2, CentOS 5
Posts: 23
Thanked: 0

Original Poster
Hi unSpawn. I'm using RHEL 5.2, fully up to date, etc. (although this is not the distro I use myself, so it's not set in my profile). The version of Apache I have to use is 2.0.x. I fully agree on the non-LSB naming scheme we're using, but unfortunately it wasn't my decision and not one I'll be able to change any time soon.

Anywho, thanks for the suggestions. I've managed to get rid of the default_t errors by taking your advice and using usr_t (at least for now, I plan to write a policy but I'm just doing it manually until I get it working).

I do now have what seems to be one final issue. The raw Audit message is as follows:

Code:
host=BLAH type=AVC msg=audit(1214405563.5:24): avc:  denied  { execmem } for  pid=2735 comm="httpd" 
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process

host=BLAH type=SYSCALL msg=audit(1214405563.5:24): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 
a1=a01000 a2=7 a3=22 items=0 ppid=2732 pid=2735 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 
fsgid=500 tty=(none) ses=2 comm="httpd" exe="/Applications/Apache/bin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
I'm not certain what this error stems from. I have Apache set up to use the worker MPM, and httpd runs under a user called "apache" which I created like so:

Code:
groupadd apache
useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
Is there anything glaringly obvious I'm missing? Here's some more info from sealert; perhaps it will help in diagnosing what I'm leaving out.

Code:
Summary:

SELinux is preventing httpd (httpd_t) "execmem" to <Unknown> (httpd_t).

Detailed Description:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ process ]
Source                        httpd
Source Path                   /Applications/Apache/bin/httpd
Port                          <Unknown>
Host                          BLAH
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     BLAH
Platform                      Linux BLAH 2.6.18-92.el5 #1 SMP Tue Apr 29
Thanks again, I really appreciate the help

Last edited by piercey; 06-25-2008 at 11:23 AM..
Old 06-25-2008, 12:18 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 16,718
Blog Entries: 30
Thanked: 285
Just run the message through 'audit2allow'.
Code:
echo 'host=BLAH type=AVC msg=audit(1214405563.5:24): avc:  denied  { execmem } for  pid=2735 comm="httpd" \
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process'|xargs|audit2allow
and you should get "allow httpd_t self:process execmem;". Check for / add the lines in the appropriate sections to your default_t.te: in section "require": "class process execmem;" and under "httpd_t": "allow httpd_t self:process execmem;", then reinstall (start from "checkmodule -M -m default_t.te").
Old 06-25-2008, 12:36 PM   #5
piercey
LQ Newbie
 
Registered: Sep 2007
Distribution: Gentoo, RHEL 5.2, CentOS 5
Posts: 23
Thanked: 0

Original Poster
Hi again, that's exactly what I did and ended up with this template:

Code:
module localhttpdt 1.0;

require {
        type httpd_t;
        class process execmem;
}

#============= httpd_t ==============
allow httpd_t self:process execmem;
Which I'm guessing will work; however, I'd kind of like to understand why this is necessary in the first place rather than just using audit2allow and forgetting why this is needed. I'm guessing it has something to do with how Apache forks new threads from the worker MPM, but I'd have thought this would be covered by the default Red Hat Apache policy after doing chcon on the required executables?

I obviously didn't though, so if it's possible to fix this without resorting to a custom policy (just yet anyway), then that would be cool. In case you haven't noticed, I've only started using SELinux today, so my knowledge of it is fairly limited so far.

Either way, thanks a lot for your help, I really appreciate it,

Cheers.
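What the echo | audit2allow pipeline in post #4 does, and where the template in post #5 comes from, is easiest to see by reproducing the translation by hand. The script below is an added example, not code from the thread or from the audit2allow tool: it pulls scontext, tcontext, tclass and the denied permission set out of an AVC record, writes the rule the way audit2allow prints it (self when source and target type coincide, braces around more than one permission), and assembles a module in the layout of the posted template. The execmem record is the one from post #3, joined onto one line; the default_t record is constructed for illustration and stands for the kind of denial behind post #1. Because sealert itself calls the execmem access unexpected, the script also flags the memory-protection permissions (execmem, execstack, execheap, execmod) so a rule of that kind is reviewed rather than loaded as-is; it does not try to say why httpd needs it.

```shell
#!/bin/sh
# Added example, not from the thread or the audit2allow tool: derive the
# allow rule and .te module that audit2allow would produce for AVC records,
# so the proposed rule can be read and judged before it is compiled in.

# The record posted in post #3, joined onto one line.
AVC_EXECMEM='host=BLAH type=AVC msg=audit(1214405563.5:24): avc:  denied  { execmem } for  pid=2735 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process'

# Constructed record standing for the default_t denials described in post #1.
AVC_DEFAULT_T='type=AVC msg=audit(1214400000.000:7): avc:  denied  { read getattr } for  pid=2700 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# Value of one key=value field in an AVC record ($1 = record, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The permission set between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Type component of a user:role:type[:level] security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The allow rule audit2allow prints for one record.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    # Identical source and target type is written as "self".
    if [ "$src" = "$tgt" ]; then tgt=self; fi
    # More than one permission becomes a brace-delimited set.
    case $perms in *" "*) perms="{ $perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Memory-protection permissions relax the W^X checks on the process itself
# rather than grant access to a file or port, so they merit a look first.
is_memprotect_perm() {
    case $1 in
        execmem|execstack|execheap|execmod) return 0 ;;
        *) return 1 ;;
    esac
}

# True when any denied permission in the record is a memory-protection one.
avc_needs_review() {
    for p in $(avc_perms "$1"); do
        if is_memprotect_perm "$p"; then return 0; fi
    done
    return 1
}

# A complete .te module for the given records, laid out like the template
# in post #5 ($1 = module name, remaining arguments = AVC records).
avc_to_module() {
    name=$1; shift
    rules=$(for rec in "$@"; do avc_to_allow "$rec"; done)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # require block: every type the rules name, then each class with its permissions
    printf '%s\n' "$rules" | awk '
        { split($3, t, ":"); types[$2] = 1
          if (t[1] != "self") types[t[1]] = 1
          perms = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", perms); sub(/;$/, "", perms)
          classes[t[2] " " perms] = 1 }
        END { for (k in types) printf "        type %s;\n", k
              for (k in classes) printf "        class %s;\n", k }'
    printf '}\n\n#============= %s ==============\n' \
        "$(printf '%s\n' "$rules" | awk 'NR == 1 { print $2 }')"
    printf '%s\n' "$rules"
}

# Stand-alone run: show the module for both sample records.
avc_to_module localhttpdt "$AVC_EXECMEM" "$AVC_DEFAULT_T"
```

The module text can be compiled and loaded with the checkmodule / semodule_package / semodule sequence from post #2 (audit2allow -M does the same in one step). Permissions are kept in the order they appear in the record, which may differ from audit2allow's ordering, and the header line assumes the records share a source type, as they do here.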
Old 06-25-2008, 02:59 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 16,718
Blog Entries: 30
Thanked: 285
Quote:
Originally Posted by piercey View Post
Hi again, that's exactly what I did and ended up with this template
You don't really have to add a separate one; you could append it to the other one.

Quote:
Originally Posted by piercey View Post
I obviously didn't though, so if it's possible to fix this without resorting to a custom policy (just yet anyway) then that would be cool.
Hmm. I don't know what the default Red Hat SELinux Policy or the Reference Policy say about it. Have to dig into that.
All times are GMT -5. The time now is 01:51 AM.