LinuxQuestions.org > Fedora > fossil, mongoose, and SELinux
(https://www.linuxquestions.org/questions/fedora-35/fossil-mongoose-and-selinux-938800/)

BenCollver 04-08-2012 06:15 PM

fossil, mongoose, and SELinux
 
Instructions to confine fossil and mongoose in SELinux.

This configuration serves multiple fossil projects over HTTPS on Fedora 16.

Mongoose is a small web server. Like fossil, it is a single binary.

Create fossil user
Code:

# useradd -m fossil
# chmod a+rx /home/fossil
# passwd fossil
# su - fossil
$ mkdir -p fossils local/{bin,etc,log,src,tmp} public_html
$ touch local/log/{access,error}_log

Install fossil
Code:

$ cd
$ cd local/src
$ curl -O http://www.fossil-scm.org/download/fossil-src-20120317175325.tar.gz
$ tar zxf fossil*.tar.gz
$ cd fossil*5
$ ./configure --prefix=/home/fossil/local
$ make
$ mv fossil ~/local/bin/

Create fossil repository
Code:

$ cd
$ cd fossils
$ ~/local/bin/fossil init project1.fossil | tee ~/project1.txt

Install mongoose

Code:

$ cd
$ cd local/src
$ curl -O http://mongoose.googlecode.com/files/mongoose-3.1.tgz
$ tar zxf mongoose*.tgz
$ cd mongoose
$ make linux
$ mv mongoose ~/local/bin/

Create self-signed SSL certificate

Code:

$ cd
$ cp /etc/ssl/certs/make-dummy-cert ~/local/bin/makecert.sh
* Edit answers section of makecert.sh as desired
$ ~/local/bin/makecert.sh ./local/etc/fossil.pem

Create mongoose configuration

Code:

$ cd
$ cat >./local/etc/mongoose.conf <<__EOF__
access_log_file /home/fossil/local/log/access_log
authentication_domain fossil.domain.tld
document_root /home/fossil/public_html
error_log_file /home/fossil/local/log/error_log
listening_ports 80,443s
run_as_user fossil
ssl_certificate /home/fossil/local/etc/fossil.pem
__EOF__

Create CGI interface

* See http://www.fossil-scm.org/fossil/doc...ww/server.wiki
Code:

$ cd
$ cd public_html
$ cat >fossil.cgi <<'__EOF__'
#!/bin/dash

# mongoose 3.1 does not set environment variables as expected.

# Correct PATH_INFO to be the part of REQUEST_URI after the .cgi script.
# Use the shortest prefix match (#, not ##): ## removes through the LAST
# ".cgi" in the URI, so a path such as /fossil.cgi/p/doc/tip/x.cgi would
# lose its PATH_INFO entirely.
export PATH_INFO=${REQUEST_URI#*.cgi}

# Correct SCRIPT_NAME to be only the .cgi script (quoted so PATH_INFO is
# matched as literal text, not as a glob pattern)
export SCRIPT_NAME=${REQUEST_URI%"$PATH_INFO"}

# set TMP_DIR and TMPDIR to avoid /tmp
export TMP_DIR=/home/fossil/local/tmp
export TMPDIR=/home/fossil/local/tmp

exec /home/fossil/public_html/fossil.helper $PATH_INFO
__EOF__
$ chmod +x fossil.cgi
$ cat >fossil.helper <<__EOF__
#!/home/fossil/local/bin/fossil
directory: /home/fossil/fossils
notfound: http://127.0.0.1/not-found.html
__EOF__
$ chmod +x fossil.helper
$ cat >index.html <<__EOF__
<html>
<head><title>fossil project</title></head>
<body><a href="/fossil.cgi/project1">project1</a></body>
</html>
__EOF__
$ cat >not-found.html <<__EOF__
<html>
<head><title>not found</title></head>
<body><p>not found</p><a href="/">home</a></body>
</html>
__EOF__
$ exit

Run service when system starts

Code:

# cat >/etc/rc.d/rc.local <<__EOF__
#!/bin/dash
/usr/sbin/daemonize /home/fossil/local/bin/mongoose /home/fossil/local/etc/mongoose.conf
__EOF__
# chmod +x /etc/rc.d/rc.local

Correct security settings

* See http://fedoraproject.org/wiki/SELinux/apache
Code:

# restorecon /etc/rc.d/rc.local
# setsebool -P httpd_enable_cgi 1
# setsebool -P httpd_enable_homedirs 1
# setsebool -P httpd_read_user_content 1
# setsebool -P httpd_unified 1
# restorecon -R /home/fossil/public_html
# chcon system_u:object_r:httpd_exec_t:s0 /home/fossil/local/bin/mongoose
# chcon system_u:object_r:httpd_exec_t:s0 /home/fossil/local/bin/fossil
# chcon -R -t httpd_user_rw_content_t /home/fossil/fossils
# chcon -R -t httpd_user_rw_content_t /home/fossil/local/{log,tmp}
# chcon -t httpd_user_content_t /home/fossil/local/etc/fossil.pem
# chcon -t httpd_user_content_t /home/fossil/local/etc/mongoose.conf
# chcon -t httpd_user_script_exec_t /home/fossil/public_html/*.cgi
# chcon -t httpd_user_script_exec_t /home/fossil/public_html/*.helper
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# iptables-save >/etc/sysconfig/iptables   # without the redirect, iptables-save only prints to stdout; the iptables service loads this file at boot

Start mongoose

Code:

# systemctl start rc-local.service

Test fossil access

* Browse to https://127.0.0.1/fossil.cgi/project1
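
The REQUEST_URI split that fossil.cgi performs is worth exercising on its own, because the shell parameter expansion chosen decides where SCRIPT_NAME ends. The following is an added example, not code from the post above: the same split written as functions, with two assumptions the post does not make (REQUEST_URI may carry a "?query" suffix, and the request path may contain ".cgi" more than once, e.g. a *.cgi file served out of the repository). The greedy variant is kept only to show how ${REQUEST_URI##*.cgi} behaves on the second case.

```sh
#!/bin/sh
# Added example, not from the original post: derive SCRIPT_NAME and PATH_INFO
# from REQUEST_URI for a CGI wrapper, handling a query string and a PATH_INFO
# that itself contains the script suffix. Assumed inputs, not from the post.

# cgi_path_info REQUEST_URI SUFFIX
#   Prints the part of the path after the FIRST occurrence of SUFFIX
#   (shortest-prefix removal, "#"). Prints an empty line and returns 1
#   when the suffix does not occur at all.
cgi_path_info() {
    uri=${1%%\?*}                            # strip a "?query", if present
    case $uri in
        *"$2"*) printf '%s\n' "${uri#*"$2"}" ;;
        *)      printf '\n'; return 1 ;;
    esac
}

# cgi_script_name REQUEST_URI SUFFIX
#   Prints the path up to and including SUFFIX; empty line when it is absent.
cgi_script_name() {
    uri=${1%%\?*}
    pi=$(cgi_path_info "$1" "$2") || { printf '\n'; return 1; }
    printf '%s\n' "${uri%"$pi"}"             # quoted: PATH_INFO is literal, not a glob
}

# cgi_path_info_greedy REQUEST_URI SUFFIX
#   The ${REQUEST_URI##*.cgi} form: LONGEST-prefix removal, which cuts at the
#   LAST occurrence of the suffix. Shown only for contrast; do not use.
cgi_path_info_greedy() {
    printf '%s\n' "${1##*"$2"}"
}

# cgi_split_demo: print both splits for a few constructed request URIs
cgi_split_demo() {
    for u in /fossil.cgi/project1 \
             '/fossil.cgi/project1/timeline?n=20' \
             /fossil.cgi/project1/doc/tip/www/setup.cgi; do
        printf '%-48s SCRIPT_NAME=%s PATH_INFO=%s (greedy: %s)\n' "$u" \
            "$(cgi_script_name "$u" .cgi)" "$(cgi_path_info "$u" .cgi)" \
            "$(cgi_path_info_greedy "$u" .cgi)"
    done
}

case ${1-} in demo) cgi_split_demo ;; esac
```

Run it as `sh split.sh demo` to see the three cases side by side; for the third URI the greedy form yields an empty PATH_INFO and a SCRIPT_NAME covering the whole path, which is what fossil would then be handed.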

unSpawn 05-05-2012 07:47 AM

Quote:

Originally Posted by BenCollver2 (Post 4647918)
Instructions to confine fossil and mongoose in SELinux.

Thanks, good documentation. Only things I think are up for improvement are:


Quote:

Originally Posted by BenCollver2 (Post 4647918)
Run service when system starts

Since it's Fedora 16 shouldn't you be creating a "mongoose.service" systemd script instead of using /etc/rc.d/rc.local? That way you can enable and control service usage better.


Quote:

Originally Posted by BenCollver2 (Post 4647918)
Correct security settings

Use of chcon should be combined with "semanage fcontext" to make changes stick.


Quote:

Originally Posted by BenCollver2 (Post 4647918)
Start mongoose

...if you create "mongoose.service" then this should become 'systemctl enable mongoose.service; systemctl start mongoose.service'.


//NTLB

BenCollver 05-17-2012 12:40 AM

unSpawn, thanks for the feedback. As suggested, below are rewrites for the last few sections.

-Ben


Run service when system starts
Code:

# udir=$(pkg-config systemd --variable=systemdsystemunitdir)
# cat >$udir/mongoose.service <<__EOF__
[Unit]
Description=Mongoose httpd
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
ExecStart=/home/fossil/local/bin/mongoose /home/fossil/local/etc/mongoose.conf
Type=simple

[Install]
WantedBy=multi-user.target
__EOF__
# systemctl enable mongoose.service


Correct security settings

* See http://fedoraproject.org/wiki/SELinux/apache

Code:

# setsebool -P httpd_enable_cgi 1
# setsebool -P httpd_enable_homedirs 1
# setsebool -P httpd_read_user_content 1
# setsebool -P httpd_unified 1
# semanage fcontext -a -t httpd_exec_t /home/fossil/local/bin/fossil
# semanage fcontext -a -t httpd_exec_t /home/fossil/local/bin/mongoose
# semanage fcontext -a -t httpd_user_rw_content_t '/home/fossil/fossils(/.*)?'
# semanage fcontext -a -t httpd_user_rw_content_t '/home/fossil/local/(log|tmp)(/.*)?'
# semanage fcontext -a -t httpd_user_content_t /home/fossil/local/etc/fossil.pem
# semanage fcontext -a -t httpd_user_content_t /home/fossil/local/etc/mongoose.conf
# semanage fcontext -a -t httpd_user_script_exec_t '/home/fossil/public_html/.*\.cgi'
# semanage fcontext -a -t httpd_user_script_exec_t '/home/fossil/public_html/.*\.helper'
# restorecon -R /home/fossil/public_html
# restorecon /home/fossil/local/bin/mongoose
# restorecon /home/fossil/local/bin/fossil
# restorecon -R /home/fossil/fossils
# restorecon -R /home/fossil/local/{log,tmp}
# restorecon /home/fossil/local/etc/fossil.pem
# restorecon /home/fossil/local/etc/mongoose.conf
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# iptables-save >/etc/sysconfig/iptables   # without the redirect, iptables-save only prints to stdout; the iptables service loads this file at boot

Start mongoose
Code:

# systemctl start mongoose.service

Test fossil access

* Browse to https://127.0.0.1/fossil.cgi/project1
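
The labelling above only confines anything if two things hold after the restart: the files carry the types the semanage rules name, and the mongoose process ends up in httpd_t rather than staying in the domain that launched it. The block below is an added example, not part of the thread: small shell functions that check both. They parse "context path" lines (what `stat -c '%C %n' PATH...` prints) and `ps -eZ` output, so they run against captured text as well as a live system; the path/type pairs are the ones the post assigns, and the `ps` and `stat` sample lines used in testing are constructed.

```sh
#!/bin/sh
# Added example, not part of the original thread: verify that the SELinux
# labels and the mongoose process domain match what the post intends.
# Sample inputs are constructed; only the path/type pairs come from the post.

# ctx_type CONTEXT -> the type field of user:role:type[:range]
ctx_type() {
    t=${1#*:}; t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# label_mismatches SPEC  (stdin: "context path" lines, e.g. from stat -c '%C %n')
#   SPEC holds "path type" pairs, one per line. For every stdin line whose
#   path is in SPEC and whose type differs, prints "path got wanted".
#   Returns 1 if any mismatch was printed. Paths absent from stdin are not
#   reported, so feed it every path in SPEC.
label_mismatches() {
    spec=$1 rc=0
    while read -r ctx path; do
        want=$(printf '%s\n' "$spec" | awk -v p="$path" '$1 == p { print $2 }')
        [ -n "$want" ] || continue
        got=$(ctx_type "$ctx")
        if [ "$got" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# proc_domain COMM  (stdin: `ps -eZ` output) -> SELinux type of each COMM process
proc_domain() {
    awk -v c="$1" '$NF == c { print $1 }' | while read -r ctx; do ctx_type "$ctx"; done
}

# Labels the post's semanage fcontext / restorecon steps are meant to produce.
FOSSIL_LABEL_SPEC='/home/fossil/local/bin/mongoose httpd_exec_t
/home/fossil/local/bin/fossil httpd_exec_t
/home/fossil/local/etc/fossil.pem httpd_user_content_t
/home/fossil/local/etc/mongoose.conf httpd_user_content_t
/home/fossil/fossils httpd_user_rw_content_t
/home/fossil/public_html/fossil.cgi httpd_user_script_exec_t
/home/fossil/public_html/fossil.helper httpd_user_script_exec_t'

# live_check: run both checks on this machine (needs GNU stat and ps with -Z).
live_check() {
    printf '%s\n' "$FOSSIL_LABEL_SPEC" | awk '{ print $1 }' | xargs stat -c '%C %n' \
        | label_mismatches "$FOSSIL_LABEL_SPEC" || echo "label mismatches listed above"
    d=$(ps -eZ | proc_domain mongoose)
    case $d in
        httpd_t) echo "mongoose runs confined in httpd_t" ;;
        "")      echo "mongoose is not running" ;;
        *)       echo "mongoose runs in $d, NOT httpd_t: no domain transition happened" ;;
    esac
}

case ${1-} in live) live_check ;; esac
```

`sh check.sh live` prints any file whose type differs from the spec together with the type it has and the type it should have, then the domain mongoose is actually running in. Anything other than httpd_t in that last line (initrc_t, unconfined_t) means the file labels are in place but the process they were meant to confine is not subject to the httpd policy.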

