12-04-2009, 03:35 AM
David Highley
 
Virtual http hosting and selinux

A common virtual web hosting setup would be a web root directory
location with the following sub directories:
ftp
logs
pages
pages/cgi-bin

Under ftp you would have all that is needed for a chroot ftp sandbox.
Since each virtual host would be a different user and/or company, how
does one change the sebool httpd_unified to off and get it all to work with
selinux?

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-04-2009, 08:42 AM
Dominick Grift
 
Virtual http hosting and selinux

On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> A common virtual web hosting set up would be a web root directory
> location with the following sub directories:
> ftp
> logs
> pages
> pages/cgi-bin
>
> Under ftp you would have all that is needed for a chroot ftp sandbox.
> Since each virtual host would be a different user and or company how
> does one change sebool httpd_unified to off and get it all to work with
> selinux?

Well, PHP needs httpd_unified, but if you use CGI like perl or c or bash or whatever, then basically you would set the httpd_enable_cgi and httpd_builtin_scripting booleans. Then label the locations with a proper type.

for example:

# ftp:
/srv/ftproot(/.*)? public_content_rw_t
setsebool -P allow_ftpd_anon_write on (allow ftpd to write to /srv/ftproot)
setsebool -P allow_httpd_anon_write on (allow httpd to write to /srv/ftproot; for php/httpd unified)
setsebool -P allow_httpd_sys_script_anon_write on (allow httpd system cgi scripts to write to /srv/ftproot; other cgi)

# logs
/srv/www/logs(/.*)? httpd_sys_content_ra_t

# static content
/srv/www/html(/.*)? httpd_sys_content_t

# cgi
/srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t

The above is just an example. It may or may not be what you would want.

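The per-directory labelling sketched above, turned into a small audit script: it parses `ls -dZ` output for one vhost tree, reports directories whose type differs from the expected one, and lists the `semanage fcontext`/`restorecon`/`setsebool` commands that would apply the layout with httpd_unified off. This is an added example, not code from the thread; the path-to-type map, the /srv/www/example.org root and the sample output are assumptions modelled on the post.

```python
import re

# Expected type per vhost subdirectory, modelled on the post above (assumption).
EXPECTED_TYPES = {
    "ftp": "public_content_rw_t",                # chroot ftp sandbox, writable
    "logs": "httpd_sys_content_ra_t",            # httpd may append, not rewrite
    "pages": "httpd_sys_content_t",              # static content, read-only
    "pages/cgi-bin": "httpd_sys_script_exec_t",  # CGI, runs as httpd_sys_script_t
}

def expected_type(vhost_root, path):
    """Type a path under vhost_root should carry, or None if it is not managed."""
    root = vhost_root.rstrip("/")
    if not path.startswith(root + "/"):
        return None
    rel = path[len(root) + 1:]
    # Longest prefix wins, so pages/cgi-bin is not mistaken for pages.
    for sub in sorted(EXPECTED_TYPES, key=len, reverse=True):
        if rel == sub or rel.startswith(sub + "/"):
            return EXPECTED_TYPES[sub]
    return None

def apply_commands(vhost_root):
    """Commands to persist the labels, then the booleans the post names."""
    cmds = [f"semanage fcontext -a -t {t} '{vhost_root}/{sub}(/.*)?'"
            for sub, t in EXPECTED_TYPES.items()] + [f"restorecon -Rv {vhost_root}"]
    return cmds + [f"setsebool -P {b}" for b in
                   ("httpd_enable_cgi on", "httpd_builtin_scripting on", "httpd_unified off")]

# One `ls -dZ <path>` line: user:role:type:level, whitespace, path.
LS_DZ_LINE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+):(\S+)\s+(\S+)$")

def audit_ls_dz(vhost_root, ls_dz_output):
    """Parse `ls -dZ` lines; return (path, found_type, expected_type) mismatches."""
    mismatches = []
    for line in ls_dz_output.strip().splitlines():
        m = LS_DZ_LINE.match(line.strip())
        if m is None:
            continue  # not a context line
        found, path = m.group(3), m.group(5)
        want = expected_type(vhost_root, path)
        if want is not None and found != want:
            mismatches.append((path, found, want))
    return mismatches

# Constructed sample `ls -dZ` output (not from the thread): two directories still wrong.
SAMPLE_LS_DZ = """\
system_u:object_r:public_content_rw_t:s0 /srv/www/example.org/ftp
system_u:object_r:httpd_sys_content_ra_t:s0 /srv/www/example.org/logs
system_u:object_r:usr_t:s0 /srv/www/example.org/pages
system_u:object_r:httpd_sys_content_t:s0 /srv/www/example.org/pages/cgi-bin
"""
```

Run `audit_ls_dz("/srv/www/example.org", SAMPLE_LS_DZ)` to see the two mislabelled directories; on a real host, feed it the output of `ls -dZ` over the vhost tree instead of the sample.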
 
12-04-2009, 01:45 PM
David Highley
 
Virtual http hosting and selinux

"Dominick Grift wrote:"
> On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> > A common virtual web hosting set up would be a web root directory
> > location with the following sub directories:
> > ftp
> > logs
> > pages
> > pages/cgi-bin
> >
> > Under ftp you would have all that is needed for a chroot ftp sandbox.
> > Since each virtual host would be a different user and or company how
> > does one change sebool httpd_unified to off and get it all to work with
> > selinux?
>
> Well PHP needs httpd_unified but if you use CGI like perl or c or bash or
> whatever then basically you would set httpd_enable_cgi and httpd_builtin_scripting
> booleans. Then label the locations with a proper type.

I'm not sure the statement that PHP needs httpd_unified on is correct in
Fedora 12. I just finished doing some testing of Mythtv with this
setting turned off. I tested all TV recording, weather, and streaming
video available through the web interface and it all seems to be working
now. Granted there is a lot more to a full backend Mythtv setup, but it was
looking pretty good. Dan has put in two policy updates which should be
out pretty soon.

I'm not done, but I also ran a quick test of squirrelmail with dovecot
for off-site email access and that appears to be working. Squirrelmail
is all PHP.

>
> for example:
>
> # ftp:
> /srv/ftproot(/.*)? public_content_rw_t
> setsebool -P allow_ftpd_anon_write on (allow ftpd to write to /srv/ftproot)
> setsebool -P allow_httpd_anon_write on (allow httpd to write to /srv/ftproot; for php/httpd unified)
> setsebool -P allow_httpd_sys_script_anon_write on (allow httpd system cgi scripts to write to /srv/ftproot; other cgi)
>
> # logs
> /srv/www/logs(/.*)? httpd_sys_content_ra_t
>
> # static content
> /srv/www/html(/.*)? httpd_sys_content_t
>
> # cgi
> /srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t
>
> The above is just an example. It may or may not be what you would want.
>


--

Regards,

David Highley
Highley Recommended, Inc. Phone: (206) 669-0081
2927 SW 339th Street WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732

 
12-04-2009, 01:57 PM
Dominick Grift
 
Virtual http hosting and selinux

On Fri, Dec 04, 2009 at 06:45:39AM -0800, David Highley wrote:
> "Dominick Grift wrote:"
> > On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> > > A common virtual web hosting set up would be a web root directory
> > > location with the following sub directories:
> > > ftp
> > > logs
> > > pages
> > > pages/cgi-bin
> > >
> > > Under ftp you would have all that is needed for a chroot ftp sandbox.
> > > Since each virtual host would be a different user and or company how
> > > does one change sebool httpd_unified to off and get it all to work with
> > > selinux?
> >
> > Well PHP needs httpd_unified but if you use CGI like perl or c or bash or
> > whatever then basically you would set httpd_enable_cgi and httpd_builtin_scripting
> > booleans. Then label the locations with a proper type.
>
> I'm not sure the statement that PHP needs httpd_unified on is correct in
> Fedora 12. I just finished doing some testing of Mythtv with this
> setting turned off. I tested all TV recording, weather, and streaming
> video available through the web interace and it all seems to be working
> now. Granted there is a lot more to full backend Mythtv setup but it was
> looking pretty good. Dan has put in two policy updates which should be
> out pretty soon.
>
> I'm not done, but I also ran a quick test of squirrelmail with dovecot
> for off site email access and that appears to be working. Squirrelmail
> is all PHP.

Do your php scripts run with the httpd_sys_script_t or with the httpd_t type?
 
12-04-2009, 02:26 PM
David Highley
 
Virtual http hosting and selinux

"Dominick Grift wrote:"
> On Fri, Dec 04, 2009 at 06:45:39AM -0800, David Highley wrote:
> > "Dominick Grift wrote:"
> > > On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> > > > A common virtual web hosting set up would be a web root directory
> > > > location with the following sub directories:
> > > > ftp
> > > > logs
> > > > pages
> > > > pages/cgi-bin
> > > >
> > > > Under ftp you would have all that is needed for a chroot ftp sandbox.
> > > > Since each virtual host would be a different user and or company how
> > > > does one change sebool httpd_unified to off and get it all to work with
> > > > selinux?
> > >
> > > Well PHP needs httpd_unified but if you use CGI like perl or c or bash or
> > > whatever then basically you would set httpd_enable_cgi and httpd_builtin_scripting
> > > booleans. Then label the locations with a proper type.
> >
> > I'm not sure the statement that PHP needs httpd_unified on is correct in
> > Fedora 12. I just finished doing some testing of Mythtv with this
> > setting turned off. I tested all TV recording, weather, and streaming
> > video available through the web interace and it all seems to be working
> > now. Granted there is a lot more to full backend Mythtv setup but it was
> > looking pretty good. Dan has put in two policy updates which should be
> > out pretty soon.
> >=20
> > I'm not done, but I also ran a quick test of squirrelmail with dovecot
> > for off site email access and that appears to be working. Squirrelmail
> > is all PHP.
>
> Do your php scripts run with the httpd_sys_script_t or with the httpd_t type?

I have not had to change any labels for the PHP files. When I look at
squirrelmail (ls -Z /usr/share/squirrelmail/class) I see:
system_u:object_r:usr_t:s0

for all files. I do have httpd_builtin_scripting turned on and
httpd_can_network_connect is on.

For Mythtv I need to change /usr/share/mythtvweb/mythweb.pl to
httpd_sys_script_exec_t and also /usr/share/mythtv/mythweather/scripts.
Lastly it needed /usr/mythweb/data to be httpd_sys_content_t and the
recording library storage area if you want to be able to stream video or
play with other video players.

 
