[ale] CEntOS 5.6 + PHP53 + Drupal6 + Selinux

Andrew Sledge andrew at novologic.com
Thu Jul 28 13:49:06 EDT 2011


Is this running in your home directory? If so, you may have to remove
the selinux restrictions set on them.

setsebool httpd_enable_homedirs true

* ale-request at ale.org <ale-request at ale.org>:
> 
> Message: 2
> Date: Wed, 27 Jul 2011 21:58:56 -0400
> From: Jim Kinney <jim.kinney at gmail.com>
> Subject: [ale] CEntOS 5.6 + PHP53 + Drupal6 + Selinux
> To: "Atlanta Linux Enthusiasts - Yes! We run Linux!" <ale at ale.org>
> Message-ID:
> 	<CAEo=5Pwa3ON32th4BOyrssfayg9tH6v5-HPS5r_MYkgF6jwOGw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> = a long arduous pile of pain setting up a gazillion selinux allowances.
> 
> dump audit log, restart httpd, test, get failure and generate possible
> solution with audit2allow -R
> edit local-drupal_sux_selinux_hard.te and merge in new policy changes, make,
> make load
> repeat while noting with terror all the things this environment is
> touching.
> 
> current te file (yes, it's only 14 iterations so far, I'm whining):
> 
> policy_module(local-fastcgi, 1.0.14)
> 
> require {
>     type httpd_t;
>     type httpd_sys_content_t;
>     type httpd_suexec_t;
>     type httpd_sys_script_exec_t;
>     type home_root_t;
>     type security_t;
>     type semanage_t;
>     type load_policy_t;
>     type setfiles_t;
>     class unix_stream_socket { read write shutdown };
>     class unix_stream_socket accept;
>     class unix_stream_socket { ioctl getattr };
>     class file { read getattr ioctl };
>     class file { write setattr };
>     class file read;
>     class file execute;
>     class file execute_no_trans;
>     class file ioctl;
>     class dir { write create add_name };
>     class dir { write add_name };
>     class dir read;
>     class dir write;
>     class dir create;
>     class dir setattr;
>     class process { siginh noatsecure rlimitinh };
>     class security check_context;
>     class process setfscreate;
> 
> 
> }
> 
> #============= httpd_suexec_t ==============
> allow httpd_suexec_t home_root_t:file getattr;
> allow httpd_suexec_t home_root_t:file execute;
> allow httpd_suexec_t home_root_t:file read;
> allow httpd_suexec_t home_root_t:file execute_no_trans;
> allow httpd_suexec_t home_root_t:file ioctl;
> allow httpd_suexec_t httpd_sys_content_t:file { write setattr };
> allow httpd_suexec_t httpd_sys_content_t:file ioctl;
> allow httpd_suexec_t httpd_sys_content_t:dir write;
> allow httpd_suexec_t httpd_sys_content_t:dir { write add_name };
> allow httpd_suexec_t httpd_sys_content_t:dir create;
> allow httpd_suexec_t httpd_sys_content_t:dir setattr;
> allow httpd_suexec_t httpd_t:unix_stream_socket { read write shutdown };
> allow httpd_suexec_t httpd_t:unix_stream_socket { ioctl getattr };
> allow httpd_suexec_t httpd_t:unix_stream_socket accept;
> allow httpd_suexec_t httpd_sys_script_exec_t:dir read;
> allow httpd_suexec_t self:process setfscreate;
> allow httpd_suexec_t security_t:file read;
> allow httpd_suexec_t security_t:security check_context;
> kernel_read_system_state(httpd_suexec_t)
> selinux_search_fs(httpd_suexec_t)
> selinux_load_policy(httpd_suexec_t)
> snmp_read_snmp_var_lib_files(httpd_suexec_t)
> seutil_search_default_contexts(httpd_suexec_t)
> seutil_read_config(httpd_suexec_t)
> seutil_read_file_contexts(httpd_suexec_t)
> corenet_tcp_connect_http_port(httpd_suexec_t)
> apache_read_sys_content(httpd_suexec_t)
> 
> #============= httpd_t ==============
> allow httpd_t home_root_t:file { read getattr };
> allow httpd_t httpd_suexec_t:process { siginh signal rlimitinh sigkill noatsecure };
> allow httpd_t self:process setfscreate;
> allow httpd_t security_t:security check_context;
> selinux_search_fs(httpd_t)
> seutil_search_default_contexts(httpd_t)
> selinux_load_policy(httpd_t)
> snmp_read_snmp_var_lib_files(httpd_t)
> 
> #============= semanage_t ==============
> allow semanage_t load_policy_t:process { siginh rlimitinh noatsecure };
> allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };
> 
> The really sour grapes part is I know the following part is just _wrong_:
> #============= httpd_suexec_t ==============
> allow httpd_suexec_t home_root_t:file getattr;
> allow httpd_suexec_t home_root_t:file execute;
> allow httpd_suexec_t home_root_t:file read;
> allow httpd_suexec_t home_root_t:file execute_no_trans;
> allow httpd_suexec_t home_root_t:file ioctl;
> 
> The file it's hitting (fcgi-bin/php5.fcgi) should NOT be set to home_root_t
> but should be set to httpd_sys_script_exec_t, but for unknown reasons chcon
> is blocked from changing the file context on that FCGIWrapper in the virtual
> host's fcgi-bin dir. Even the facls are correct. mod_fcgid sets a binary elsewhere,
> but the simple fcgi file is copied from ??? or generated by virtualmin
> (ARGH!). It works fine, but the busted context and blocked change have me
> stumped.
> 
> So the other alternative is to use the drupal rpm from EPEL with the hope
> they have the selinux contexts included, scavenge those from the
> post-install script section and also hope it works happy with virtualmin as
> that is a huge pile of perl I really don't want to start poking around in.
> 
> It's time for a beer (or three).
> 
> -- 
> James P. Kinney III
> 
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as they
> please, and those who survive will be left to contemplate the outcome.
> - 2011 Noam Chomsky
> 
> http://heretothereideas.blogspot.com/

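Added example (not from either poster): a small Python triage pass over constructed AVC denials in the audit.log format that does the same grouping audit2allow does, but sets aside httpd denials against home_root_t as "relabel, don't allow", which is exactly the php5.fcgi case above. The sample log lines, the path /home/site/fcgi-bin/php5.fcgi and the pids are made up for the example.

```python
import re
from collections import defaultdict

# Constructed audit.log AVC lines (sample data for this example, not from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1311814736.101:501): avc:  denied  { getattr } for  pid=4120 comm="php5.fcgi" path="/home/site/fcgi-bin/php5.fcgi" dev=dm-0 ino=918 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1311814736.102:502): avc:  denied  { read execute } for  pid=4120 comm="php5.fcgi" path="/home/site/fcgi-bin/php5.fcgi" dev=dm-0 ino=918 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1311814740.333:503): avc:  denied  { write add_name } for  pid=4121 comm="php5.fcgi" name="files" dev=dm-0 ino=2201 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

# Pulls the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)(?::\S+)? "
    r"tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S+)? tclass=(?P<tclass>\w+)"
)

# Home-directory types: an httpd domain tripping over these almost always means the file
# carries the wrong label, which is fixed by relabelling, not by a new allow rule.
HOME_TYPES = {"home_root_t", "user_home_t", "user_home_dir_t"}


def summarize(log_text):
    """Group denials by (source type, target type, class) -> permissions, as audit2allow does."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            groups[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(groups)


def triage(groups):
    """Split the groups into allow rules worth reviewing and denials that point at a mislabel."""
    rules, relabel = [], []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if stype.startswith("httpd_") and ttype in HOME_TYPES:
            # Fix the label instead: semanage fcontext -a -t <httpd type> '<path>' ; restorecon -v <path>
            relabel.append(rule)
        else:
            rules.append(rule)
    return rules, relabel


if __name__ == "__main__":
    rules, relabel = triage(summarize(SAMPLE_AUDIT_LOG))
    print("candidate rules:", *rules, sep="\n  ")
    print("do NOT allow, relabel the target instead:", *relabel, sep="\n  ")
```

Run it against a real `grep AVC /var/log/audit/audit.log` dump instead of the sample and the relabel list tells you which denials to answer with `semanage fcontext`/`restorecon` before the next audit2allow iteration.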