httpd-selinux. Real pleasure. Who can explain this?

mazonka · 11-23-2005, 07:36 PM

Read the following carefully. I am sure you will enjoy this, if this is not trivial for you (it was not for me).
I cannot give good explanation to the following.

[root@srv www]# pwd
/var/www
[root@srv www]# ls
cgi-bin error icons
[root@srv www]# /usr/sbin/httpd -t
Syntax error on line 266 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
[root@srv www]# mkdir html
[root@srv www]# /usr/sbin/httpd -t
Syntax OK
[root@srv www]# /etc/init.d/httpd start
Starting httpd: [ OK ]
[root@srv www]# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
[root@srv www]# ls -l
total 32
drwxr-xr-x 2 root root 4096 Sep 2 11:56 cgi-bin
drwxr-xr-x 3 root root 4096 Nov 23 11:24 error
drwxr-xr-x 2 root root 4096 Nov 24 11:37 html
drwxr-xr-x 3 root root 4096 Nov 23 11:24 icons
[root@srv www]# mv html html.ok
[root@srv www]# ls -l /home/john/html
total 0
[root@srv www]# mv /home/john/html ./
[root@srv www]# ls -l
total 40
drwxr-xr-x 2 root root 4096 Sep 2 11:56 cgi-bin
drwxr-xr-x 3 root root 4096 Nov 23 11:24 error
drwxr-xr-x 2 john pub 4096 Nov 24 11:35 html
drwxr-xr-x 2 root root 4096 Nov 24 11:37 html.ok
drwxr-xr-x 3 root root 4096 Nov 23 11:24 icons

[root@srv www]# /etc/init.d/httpd start
Starting httpd: [FAILED]
[root@srv www]# /etc/init.d/httpd stop
Stopping httpd: [FAILED]
[root@srv www]# chown root html; chgrp root html
[root@srv www]# ls -l
total 40
drwxr-xr-x 2 root root 4096 Sep 2 11:56 cgi-bin
drwxr-xr-x 3 root root 4096 Nov 23 11:24 error
drwxr-xr-x 2 root root 4096 Nov 24 11:35 html
drwxr-xr-x 2 root root 4096 Nov 24 11:37 html.ok
drwxr-xr-x 3 root root 4096 Nov 23 11:24 icons
[root@srv www]# /etc/init.d/httpd start
Starting httpd: [FAILED]
[root@srv www]# /etc/init.d/httpd stop
Stopping httpd: [FAILED]
[root@srv www]# mv html html.bad
[root@srv www]# mv html.ok html
[root@srv www]# /etc/init.d/httpd start
Starting httpd: [ OK ]
[root@srv www]# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
[root@srv www]# ls -l
total 40
drwxr-xr-x 2 root root 4096 Sep 2 11:56 cgi-bin
drwxr-xr-x 3 root root 4096 Nov 23 11:24 error
drwxr-xr-x 2 root root 4096 Nov 24 11:37 html
drwxr-xr-x 2 root root 4096 Nov 24 11:35 html.bad
drwxr-xr-x 3 root root 4096 Nov 23 11:24 icons

[root@srv www]# ls -l html html.bad
html:
total 0

html.bad:
total 0
[root@srv www]# mv html html.ok
[root@srv www]# mv html.bad html
[root@srv www]# /etc/init.d/httpd start
Starting httpd: [FAILED]
[root@srv www]# /etc/init.d/httpd stop
Stopping httpd: [FAILED]
[root@srv www]# sh /etc/init.d/httpd start
Starting httpd: [ OK ]
[root@srv www]# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
[root@srv www]#

Up to here it was a mistery. Now some light...

[root@srv www]# mv html html.bad
[root@srv www]# ls -l
total 40
drwxr-xr-x 2 root root 4096 Sep 2 11:56 cgi-bin
drwxr-xr-x 3 root root 4096 Nov 23 11:24 error
drwxr-xr-x 2 root root 4096 Nov 24 11:35 html.bad
drwxr-xr-x 2 root root 4096 Nov 24 11:37 html.ok
drwxr-xr-x 3 root root 4096 Nov 23 11:24 icons
[root@srv www]# ls -lZ
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root user_u:object_r:user_home_t html.bad
drwxr-xr-x root root root:object_r:httpd_sys_content_t html.ok
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
[root@srv www]#

Any comments?

spooon · 11-24-2005, 03:06 PM

This document might help: http://fedora.redhat.com/docs/selinux-apache-fc3/

sundialsvcs · 11-24-2005, 03:26 PM

What a picture-perfect example of how "hardened" Linux systems are different ... and of why.

Under normal conditions, an intruder could easily have prepared a new directory, and with two commands could have moved it into place, where it would have been accepted. But security contexts thwarted it. It's no longer simply a matter of where the stuff is, nor what it is named; now, there must be more.