[ale] CEntOS 5.6 + PHP53 + Drupal6 + Selinux
Andrew Sledge
andrew at novologic.com
Thu Jul 28 13:49:06 EDT 2011
Is this running in your home directory? If so, you may have to remove
the selinux restrictions set on them.
setsebool httpd_enable_homedirs true
* ale-request at ale.org <ale-request at ale.org>:
>
> Message: 2
> Date: Wed, 27 Jul 2011 21:58:56 -0400
> From: Jim Kinney <jim.kinney at gmail.com>
> Subject: [ale] CEntOS 5.6 + PHP53 + Drupal6 + Selinux
> To: "Atlanta Linux Enthusiasts - Yes! We run Linux!" <ale at ale.org>
> Message-ID:
> <CAEo=5Pwa3ON32th4BOyrssfayg9tH6v5-HPS5r_MYkgF6jwOGw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> = a long arduous pile of pain setting up a gazillion selinux allowances.
>
> dump audit log, restart httpd, test, get failure and generate possible
> solution with audit2allow -R
> edit local-drupal_sux_selinux_hard.te and merge in new policy changes, make,
> make load
> repeat while noting with terror of all the things this environment is
> touching.
>
> current te file (yes, it's only 14 iterations so far, I'm whining):
>
> policy_module(local-fastcgi, 1.0.14)
>
> require {
> type httpd_t;
> type httpd_sys_content_t;
> type httpd_suexec_t;
> type httpd_sys_script_exec_t;
> type home_root_t;
> type security_t;
> type semanage_t;
> type load_policy_t;
> type setfiles_t;
> class unix_stream_socket { read write shutdown accept ioctl getattr };
> class file { read getattr ioctl write setattr execute execute_no_trans };
> class dir { read write create add_name setattr };
> # signal and sigkill are used by the httpd_t rule below, so they must be required here too
> class process { siginh noatsecure rlimitinh setfscreate signal sigkill };
> class security check_context;
> }
>
> #============= httpd_suexec_t ==============
> allow httpd_suexec_t home_root_t:file getattr;
> allow httpd_suexec_t home_root_t:file execute;
> allow httpd_suexec_t home_root_t:file read;
> allow httpd_suexec_t home_root_t:file execute_no_trans;
> allow httpd_suexec_t home_root_t:file ioctl;
> allow httpd_suexec_t httpd_sys_content_t:file { write setattr };
> allow httpd_suexec_t httpd_sys_content_t:file ioctl;
> allow httpd_suexec_t httpd_sys_content_t:dir write;
> allow httpd_suexec_t httpd_sys_content_t:dir { write add_name };
> allow httpd_suexec_t httpd_sys_content_t:dir create;
> allow httpd_suexec_t httpd_sys_content_t:dir setattr;
> allow httpd_suexec_t httpd_t:unix_stream_socket { read write shutdown };
> allow httpd_suexec_t httpd_t:unix_stream_socket { ioctl getattr };
> allow httpd_suexec_t httpd_t:unix_stream_socket accept;
> allow httpd_suexec_t httpd_sys_script_exec_t:dir read;
> allow httpd_suexec_t self:process setfscreate;
> allow httpd_suexec_t security_t:file read;
> allow httpd_suexec_t security_t:security check_context;
> kernel_read_system_state(httpd_suexec_t)
> selinux_search_fs(httpd_suexec_t)
> selinux_load_policy(httpd_suexec_t)
> snmp_read_snmp_var_lib_files(httpd_suexec_t)
> seutil_search_default_contexts(httpd_suexec_t)
> seutil_read_config(httpd_suexec_t)
> seutil_read_file_contexts(httpd_suexec_t)
> corenet_tcp_connect_http_port(httpd_suexec_t)
> apache_read_sys_content(httpd_suexec_t)
>
> #============= httpd_t ==============
> allow httpd_t home_root_t:file { read getattr };
> allow httpd_t httpd_suexec_t:process { siginh signal rlimitinh sigkill noatsecure };
> allow httpd_t self:process setfscreate;
> allow httpd_t security_t:security check_context;
> selinux_search_fs(httpd_t)
> seutil_search_default_contexts(httpd_t)
> selinux_load_policy(httpd_t)
> snmp_read_snmp_var_lib_files(httpd_t)
>
> #============= semanage_t ==============
> allow semanage_t load_policy_t:process { siginh rlimitinh noatsecure };
> allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };
>
> The really sour grapes part is I know the following part is just _wrong_:
> #============= httpd_suexec_t ==============
> allow httpd_suexec_t home_root_t:file getattr;
> allow httpd_suexec_t home_root_t:file execute;
> allow httpd_suexec_t home_root_t:file read;
> allow httpd_suexec_t home_root_t:file execute_no_trans;
> allow httpd_suexec_t home_root_t:file ioctl;
>
> The file it's hitting (fcgi-bin/php5.fcgi) should NOT be set to home_root_t
> but should be set to httpd_sys_script_exec_t, but for unknown reasons chcon
> is blocked from changing the file context on that FCGIWrapper in the virtual
> host's fcgi-bin dir. Even the facls are correct. mod_fcgid sets a binary elsewhere,
> but the simple fcgi file is copied from ??? or generated by virtualmin
> (ARGH!). It works fine, but the busted context and blocked change has me
> stumped.
>
> So the other alternative is to use the drupal rpm from EPEL with the hope
> they have the selinux contexts included, scavenge those from the
> post-install script section and also hope it works happy with virtualmin as
> that is a huge pile of perl I really don't want to start poking around in.
>
> It's time for a beer (or three).
>
> --
> James P. Kinney III
>
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as they
> please, and those who survive will be left to contemplate the outcome.
> - Noam Chomsky, 2011
>
> http://heretothereideas.blogspot.com/
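Added example, not from either poster: a small bash triage pass over the kind of AVC denials the "dump audit log, audit2allow -R, merge, make load" loop above feeds into policy, separating denials that point at a mislabelled file (the home_root_t php5.fcgi wrapper) from ones that might genuinely deserve a rule. The audit lines are constructed; the semanage fcontext/restorecon relabel mentioned in the comments is the standard persistent alternative to chcon, not something from the thread.

```bash
#!/bin/bash
# Added example, not from the original thread. Constructed AVC lines modelled on the
# denials the poster describes (httpd_suexec_t hitting a home_root_t php5.fcgi wrapper).
AVC_SAMPLE='type=AVC msg=audit(1311817136.123:4567): avc:  denied  { execute } for  pid=2345 comm="httpd" name="php5.fcgi" dev=dm-0 ino=12345 scontext=user_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1311817140.456:4570): avc:  denied  { write } for  pid=2346 comm="php5.fcgi" name="files" dev=dm-0 ino=23456 scontext=user_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1311817141.789:4571): avc:  denied  { read } for  pid=2346 comm="php5.fcgi" name="fcgi-bin" dev=dm-0 ino=34567 scontext=user_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir'

# Pull key=value out of an audit line (quotes around the value are optional).
avc_field() { printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"; }

# The permission set inside "denied { ... }", trailing blanks removed.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'; }

# Third colon-separated field of a context is the SELinux type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Decide whether a denial is a labelling problem or a real candidate for a policy rule.
triage_avc() {
  local line=$1 perms src tgt cls name
  perms=$(avc_perms "$line"); cls=$(avc_field "$line" tclass); name=$(avc_field "$line" name)
  src=$(ctx_type "$(avc_field "$line" scontext)"); tgt=$(ctx_type "$(avc_field "$line" tcontext)")
  case "$src:$tgt:$cls:$perms" in
    httpd_*:home_root_t:file:*execute*)
      # A CGI/FCGI wrapper carrying home_root_t is mislabelled; the fix is a persistent
      # label (semanage fcontext -a -t httpd_sys_script_exec_t ... ; restorecon -Rv DIR),
      # not an allow rule that lets the web server execute anything under /home.
      printf 'RELABEL %s: %s %s on %s file; label it httpd_sys_script_exec_t\n' "$name" "$src" "$perms" "$tgt" ;;
    httpd_*:httpd_sys_content_t:*:*write*|httpd_*:httpd_sys_content_t:dir:*add_name*|httpd_*:httpd_sys_content_t:dir:*create*)
      # httpd_sys_content_t is meant to be read-only for the web server; granting
      # write here makes every static file writable by a compromised PHP process.
      printf 'REVIEW %s: %s wants %s on read-only %s %s; give only the upload dirs a read-write content type\n' "$name" "$src" "$perms" "$tgt" "$cls" ;;
    *)
      printf 'ALLOW-CANDIDATE %s: %s %s:%s %s\n' "$name" "$src" "$tgt" "$cls" "$perms" ;;
  esac
}

# Run the triage over every sample line.
triage_all() { printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r l; do triage_avc "$l"; done; }
triage_all
```

Only the ALLOW-CANDIDATE lines are worth handing to audit2allow; the other two classes are fixed with labels, not with the .te file.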