= a long arduous pile of pain setting up a gazillion selinux allowances.<br><br>dump audit log, restart httpd, test, get failure and generate possible solution with audit2allow -R<br>edit local-drupal_sux_selinux_hard.te and merge in new policy changes, make, make load<br>
repeat while noting with terror of all the things this environment is touching.<br><br>current te file (yes, it's only 14 iterations so far, I'm whining):<br><br>policy_module(local-fastcgi, 1.0.14)<br><br>require {<br>
type httpd_t;<br> type httpd_sys_content_t;<br> type httpd_suexec_t;<br> type httpd_sys_script_exec_t;<br> type home_root_t;<br> type security_t;<br> type semanage_t;<br> type load_policy_t;<br> type setfiles_t;<br>
class unix_stream_socket { read write shutdown };<br> class unix_stream_socket accept;<br> class unix_stream_socket { ioctl getattr };<br> class file { read getattr ioctl };<br> class file { write setattr };<br>
class file read;<br> class file execute;<br> class file execute_no_trans;<br> class file ioctl;<br> class dir { write create add_name };<br> class dir { write add_name };<br> class dir read;<br> class dir write;<br>
class dir create;<br> class dir setattr;<br> class process { siginh noatsecure rlimitinh };<br> class security check_context;<br> class process setfscreate;<br><br><br>}<br><br>#============= httpd_suexec_t ==============<br>
allow httpd_suexec_t home_root_t:file getattr;<br>allow httpd_suexec_t home_root_t:file execute;<br>allow httpd_suexec_t home_root_t:file read;<br>allow httpd_suexec_t home_root_t:file execute_no_trans;<br>allow httpd_suexec_t home_root_t:file ioctl;<br>
allow httpd_suexec_t httpd_sys_content_t:file { write setattr };<br>allow httpd_suexec_t httpd_sys_content_t:file ioctl;<br>allow httpd_suexec_t httpd_sys_content_t:dir write;<br>allow httpd_suexec_t httpd_sys_content_t:dir { write add_name };<br>
allow httpd_suexec_t httpd_sys_content_t:dir create;<br>allow httpd_suexec_t httpd_sys_content_t:dir setattr;<br>allow httpd_suexec_t httpd_t:unix_stream_socket { read write shutdown };<br>allow httpd_suexec_t httpd_t:unix_stream_socket { ioctl getattr };<br>
allow httpd_suexec_t httpd_t:unix_stream_socket accept;<br>allow httpd_suexec_t httpd_sys_script_exec_t:dir read;<br>allow httpd_suexec_t self:process setfscreate;<br>allow httpd_suexec_t security_t:file read;<br>allow httpd_suexec_t security_t:security check_context;<br>
kernel_read_system_state(httpd_suexec_t)<br>selinux_search_fs(httpd_suexec_t)<br>selinux_load_policy(httpd_suexec_t)<br>snmp_read_snmp_var_lib_files(httpd_suexec_t)<br>seutil_search_default_contexts(httpd_suexec_t)<br>seutil_read_config(httpd_suexec_t)<br>
seutil_read_file_contexts(httpd_suexec_t)<br>corenet_tcp_connect_http_port(httpd_suexec_t)<br>apache_read_sys_content(httpd_suexec_t)<br><br>#============= httpd_t ==============<br>allow httpd_t home_root_t:file { read getattr };<br>
allow httpd_t httpd_suexec_t:process { siginh signal rlimitinh sigkill noatsecure };<br>allow httpd_t self:process setfscreate;<br>allow httpd_t security_t:security check_context;<br>selinux_search_fs(httpd_t)<br>seutil_search_default_contexts(httpd_t)<br>
selinux_load_policy(httpd_t)<br>snmp_read_snmp_var_lib_files(httpd_t)<br><br>#============= semanage_t ==============<br>allow semanage_t load_policy_t:process { siginh rlimitinh noatsecure };<br>allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };<br>
<br>The really sour grapes part is I know the following part is just _wrong_<br>#============= httpd_suexec_t ==============<br>
allow httpd_suexec_t home_root_t:file getattr;<br>
allow httpd_suexec_t home_root_t:file execute;<br>
allow httpd_suexec_t home_root_t:file read;<br>
allow httpd_suexec_t home_root_t:file execute_no_trans;<br>
allow httpd_suexec_t home_root_t:file ioctl;<br><br>The file it's hitting (fcgi-bin/php5.fcgi) should NOT be set to home_root_t but should be set to httpd_sys_script_exec_t but for unknown reasons, chcon is blocked for changing the file context on that FCGIWrapper in the virtual hosts fcgi-bin dir. Even facls is correct. mod_fcgid sets a binary elsewhere but the simple fcgi file is copied from ??? or generated by virtualmin (ARGH!) It works fine but the busted context and blocked change has me stumped.<br>
<br>So the other alternative is to use the drupal rpm from EPEL with the hope they have the selinux contexts included, scavenge those from the post-install script section and also hope it works happy with virtualmin as that is a huge pile of perl I really don't want to start poking around in.<br>
<br>it's time for a beer (or three).<br><br>-- <br>-- <br>James P. Kinney III<br><br>As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as
they please, and those who survive will be left to contemplate the
outcome.<br>- <i><i><i><i>2011 Noam Chomsky<br><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i><br>