03-21-2010, 03:21 PM
Toby Ovod-Everett

Looking for SELinux advice regarding samba, apache

Two issues in this e-mail. The first is a general request for advice on how
to structure things for a home-grown photo system I developed - I had it
working, now the SELinux config has some issues, etc. The second is that
something changed in libselinux or selinux-policy since January 17th and it's
causing Samba some issues.

So, here's a brief overview of the photo archive system I developed, the
issues, and how I have them currently resolved.

My server machine runs Fedora 12 with a pretty vanilla configuration and I run
yum update regularly. I have two partitions - /, which contains the OS
install, user directories, etc., and /data, which I use for some large data
sets that I don't want to have to copy when rebuilding the machine during OS
upgrades. In particular, the major large data set is /data/photos.

There are three major directory trees that impact the photo system:

/data/photos - contains the actual digital images in /data/photos/images and
the information about them in /data/photos/info. Context from / is:

dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos

/data/photos needs to be r/w for my user account (which is a member of photos)
and readable for apache. I generally access /data/photos through Samba from
my user machine which runs (gasp) Windows 7.


/var/www/cgi-bin/photos - contains the Perl scripts that implement the web
frontend for viewing the photos (loading photos is all done from the Command
Line). I have httpd_enable_cgi=>on in order to support this. Context is
unchanged from default configs. Desire r/w access through Samba from my user
machine for editing the scripts using Notepad++.


/var/www/html/thumbnails - contains directories of thumbnails for the photos.
These are persistently cached in this tree and automatically generated or
updated as required by the Perl scripts above when required. This data
doesn't have to persist across rebuilds. There are different subdirectories
for the different supported thumbnail sizes and each subdir needs to be
r/w for apache. Context from / is:
dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180


One of the main issues is that I need Samba to have r/w to a bunch of the
trees that apache needs access to. Current Samba SELinux config is
samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
but then I need to be able to figure out how to give Samba r/w access to the
cgi-bin directory.


Now on to the "what broke" question. Somewhere in the last two months (it's
been a while since I've added photos), I lost the ability to use Samba to
access /data/photos. Generally I access it through a symlink in my homedir:
lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos

This has stopped working. Things I tried:
* Verifying symlinks. I have Mail -> mail in my homedir and that still works.
* Verifying SELinux settings conform to above model.
* Creating a separate share for /data/photos. This worked.

I obviously have a workaround now, but as a solution it's annoying, because it
requires me to create separate shares for all of the things I want to access
from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
/var/www/html/public_html/toby) and then map to them all separately on my
Windows machine on separate drive letters, instead of having a single share
that accesses everything.

I'm beginning to suspect the problem is Samba, not SELinux, because my
attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
up any events that correlate with attempts to access those directories through
the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
announced in early February, but I'm hitting my patience limit (my 3 year old
is ready for breakfast), so I'm going to stop writing and go with my
workaround for now. But if anyone has advice, please offer!

--Toby Ovod-Everett
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
03-21-2010, 04:17 PM
Dominick Grift

Looking for SELinux advice regarding samba, apache

On Sun, Mar 21, 2010 at 08:21:02AM -0800, Toby Ovod-Everett wrote:

Here are some things to take into consideration:

1. From the perspective of SELinux we do not have to do anything to give users access since in a vanilla Fedora 12
configuration users are unconfined (exempt from SELinux).

2. We can give Samba access to read and write any content by setting boolean samba_export_all_rw true.

This means that we only have to take care of http.

Using the samba_export_all_rw boolean is essential I believe to meet your exotic requirements.

> There are three major directory trees that impact the photo system:
>
> /data/photos - contains the actual digital images in /data/photos/images and
> the information about them in /data/photos/info. Context from / is:
>
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 data
> drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 photos
>
> /data/photos needs to be r/w for my user account (which is a member of photos)

As said above, by default users are unconfined with respect to SELinux in a stock Fedora 12 config, thus no need to do anything here.

> and readable for apache. I generally access /data/photos through Samba from
> my user machine which runs (gasp) Windows 7.

You should probably label data and everything below data type httpd_sys_content_t. httpd is allowed to read that type.

>
>
> /var/www/cgi-bin/photos - contains the Perl scripts that implement the web
> frontend for viewing the photos (loading photos is all done from the Command
> Line). I have httpd_enable_cgi=>on in order to support this. Context is
> unchanged from default configs. Desire r/w access through Samba from my user
> machine for editing the scripts using Notepad++.

Leave this as is. Apache can run scripts labeled httpd_sys_script_exec_t in the httpd_sys_script_t domain. Samba can read and write any content if samba_export_all_rw is set.

The use of the samba_export_all_rw boolean is discouraged since obviously samba will be able to write almost any file.
However you do not have much choice unless you modify policy in a major way.
I would probably use openssh to edit these scripts.

>
> /var/www/html/thumbnails - contains directories of thumbnails for the photos.
> These are persistently cached in this tree and automatically generated or
> updated as required by the Perl scripts above when required. This data
> doesn't have to persist across rebuilds. There are different subdirectories
> for the different supported thumbnail sizes and each subdir and needs to be
> r/w for apache. Context from / is:
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_t:s0 var
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
> drwxrwsr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 thumbnails
> drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 180x180

If your Perl web script needs to create files in existing subdirectories in thumbnails/, then I would label these subdirectories type httpd_sys_content_rw_t and set httpd_anon_write to true.

Samba will be able to read and write to these files and types since the samba_export_all_rw allows samba to read and write almost any type.

>
> One of the main issues is that I need Samba to have r/w to a bunch of the
> trees that apache needs access to. Current Samba SELinux config is
> samba_enable_home_dirs=>on, allow_smbd_anon_write=>on,
> samba_export_all_rw=>on. I'd like to be able to pull the latter eventually,
> but then I need to be able to figure out how to give Samba r/w access to the
> cgi-bin directory.

If you set samba_export_all_rw to true then you do not need the public_content_(rw)_types, since samba will be able to read and write almost any file and type. In that case I believe you can set allow_samba_anon_write to false.

>
> Now on to the "what broke" question. Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos. Generally I access it through a symlink in my homedir:
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.

If this is at all SELinux related (see if it works in permissive mode to rule SELinux in or out) then it would
help if you enclose an AVC denial. Some denials are hidden; use semodule -DB to expose hidden denials and semodule -B to go back to the original state.

> I Obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.
>
> I'm beginning to suspect the problem is Samba, not SELinux, because my
> attempts at using semodule -DB and ausearch (both avc and user_avc) don't turn
> up any events that correlate with attempts to access those directories through
> the symlinks. At this point, I'm beginning to suspect a fix in Samba 3.4.6 or
> 3.4.7 related to the "Samba Remote Directory Traversal" exploit that was
> announced in early February, but I'm hitting my patience limit (my 3 year old
> is ready for breakfast), so I'm going to stop writing and go with my
> workaround for now. But if anyone has advice, please offer!

I would probably attempt to implement a solution that does not require samba_export_all_rw to be set true since that
is very coarse.

However with your requirements this is the only simple way.

I would probably use openssh wherever possible. That may be just enough to be able to set samba_export_all_rw to false.

Another solution would be to perform serious surgery to fedora policy. You would create special types and a special web app domain and give both apache and samba the permissions required.

>
> --Toby Ovod-Everett
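
Dominick's reply above amounts to a labelling table: httpd reads httpd_sys_content_t, writes httpd_sys_content_rw_t, and the CGI directory keeps its default httpd_sys_script_exec_t. The script below is an added example (mine, not code from the thread or from the Fedora policy tools): it parses `ls -dZ` output in the format the original post shows, compares each directory's type with the one the reply asks for, and emits the `semanage fcontext` and `restorecon` commands that make the label persistent across a relabel. The DESIRED table and the sample `ls -dZ` lines are constructed for this example.

```python
"""Audit SELinux directory labels against the layout recommended in the reply.

Added example, not code from the thread or from the Fedora policy tools.
It parses 'ls -dZ' lines in the format the original post shows
(mode owner group context path), compares each directory's type with the
type httpd needs there, and emits the semanage/restorecon commands that
make the label persistent.  DESIRED and SAMPLE_LS_Z are constructed here.
"""
import re

# Target types following the reply: httpd reads httpd_sys_content_t, writes
# httpd_sys_content_rw_t, and CGI stays at the default httpd_sys_script_exec_t.
# Assumed for this example; check with 'matchpathcon' on the real system.
DESIRED = {
    "/data": "httpd_sys_content_t",
    "/var/www/cgi-bin/photos": "httpd_sys_script_exec_t",
    "/var/www/html/thumbnails/180x180": "httpd_sys_content_rw_t",
}

# user:role:type[:level], e.g. system_u:object_r:var_t:s0
CONTEXT_RE = re.compile(
    r"^(?P<user>[\w.-]+):(?P<role>[\w.-]+):(?P<type>[\w.-]+)(?::(?P<level>\S+))?$"
)

# Constructed 'ls -dZ' output mirroring the labels in the original post.
SAMPLE_LS_Z = """\
drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 /data
drwxrwsr-x. root photos system_u:object_r:public_content_rw_t:s0 /data/photos
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/photos
drwxrwsr-x. root apache unconfined_u:object_r:public_content_rw_t:s0 /var/www/html/thumbnails/180x180
"""


def parse_ls_z(line):
    """Return (path, selinux_type) from one 'ls -dZ' line."""
    fields = line.split(None, 4)          # the path itself may contain spaces
    if len(fields) != 5:
        raise ValueError(f"unexpected ls -Z line: {line!r}")
    _mode, _owner, _group, context, path = fields
    match = CONTEXT_RE.match(context)
    if not match:
        raise ValueError(f"unparseable security context: {context!r}")
    return path, match.group("type")


def wanted(path):
    """Longest DESIRED prefix covering path -> (prefix, type), or None."""
    best = None
    for prefix, stype in DESIRED.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, stype)
    return best


def audit(ls_z_output):
    """Compare every listed directory with its desired type."""
    findings = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        path, current = parse_ls_z(line)
        hit = wanted(path)
        if hit is None:
            continue                      # outside the photo system's trees
        prefix, want = hit
        findings.append({"path": path, "current": current, "wanted": want,
                         "prefix": prefix, "ok": current == want})
    return findings


def remediation(findings):
    """Persistent relabel commands, one pair per mismatched prefix.

    semanage writes the rule to the local file-context database so the
    label survives restorecon and a full relabel, unlike a bare chcon.
    '-a' fails if a rule for the pattern already exists; use '-m' then.
    """
    commands, seen = [], set()
    for f in findings:
        if f["ok"] or f["prefix"] in seen:
            continue
        seen.add(f["prefix"])
        commands.append(f"semanage fcontext -a -t {f['wanted']} '{f['prefix']}(/.*)?'")
        commands.append(f"restorecon -Rv {f['prefix']}")
    return commands


if __name__ == "__main__":
    findings = audit(SAMPLE_LS_Z)
    for f in findings:
        flag = "ok  " if f["ok"] else "FIX "
        print(f"{flag}{f['path']}: {f['current']} (want {f['wanted']})")
    print()
    print("\n".join(remediation(findings)))
```

Run it against real output with `ls -dZ /data /data/photos /var/www/cgi-bin/photos /var/www/html/thumbnails/*`. Note that relabelling the thumbnail directories httpd_sys_content_rw_t gives httpd write access but does nothing for smbd; as the reply says, smbd still needs samba_export_all_rw (or a custom policy) to write there.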
 
03-22-2010, 08:18 AM
Paul Howarth

Looking for SELinux advice regarding samba, apache

On 21/03/10 16:21, Toby Ovod-Everett wrote:
> Now on to the "what broke" question. Somewhere in the last two months (it's
> been a while since I've added photos), I lost the ability to use Samba to
> access /data/photos. Generally I access it through a symlink in my homedir:
> lrwxrwxrwx. 1 toby toby 12 2008-11-28 15:05 photos -> /data/photos
>
> This has stopped working. Things I tried:
> * Verifying symlinks. I have Mail -> mail in my homedir and that still works.
> * Verifying SELinux settings conform to above model.
> * Creating a separate share for /data/photos. This worked.
>
> I Obviously have a workaround now, but as a solution it's annoying, because it
> requires me to create separate shares for all of the things I want to access
> from my Windows machine (/data/photos, /var/www/cgi-bin/photos, and
> /var/www/html/public_html/toby) and then map to them all separately on my
> Windows machine on separate drive letters, instead of having a single share
> that accesses everything.

In your samba config, do you have any settings for:

unix extensions
follow symlinks
wide links

I believe you need the following to be able to follow symlinks outside
of the directory tree that is shared using samba:

unix extensions = no
follow symlinks = yes
wide links = yes

Paul.
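
Paul's three settings are easy to check for, and the security trade-off behind them is worth making explicit. The script below is an added example (mine, not from the thread or from the Samba project): it parses an smb.conf, works out for each share whether smbd will follow symlinks out of the share tree, and flags the combination that the February 2010 Samba symlink-traversal fix addressed. The two smb.conf fragments are constructed; the rule that `wide links` is ignored while `unix extensions = yes` is in effect is the behaviour of Samba 3.4.6 and later, and `samba_forces_off=False` models an older server.

```python
"""Audit an smb.conf for symlink-escape behaviour.

Added example; not code from the thread or from the Samba project.  It
models the rule Samba applies since the February 2010 traversal fix
(3.4.6 / 3.5.0): 'wide links' is forced off on every share while the
global 'unix extensions = yes' is in effect, because unix extensions let
SMB clients create symlinks and wide links lets smbd follow them out of
the share.  Parameter names and defaults follow smb.conf(5).
"""
import configparser
import io

TRUE_WORDS = {"yes", "true", "1", "on"}

# Constructed: a pre-fix style config relying on the old 'wide links' default.
SAMPLE_BEFORE = """
[global]
workgroup = HOME
; unix extensions left at its default of yes

[homes]
comment = Home Directories
browseable = no
writable = yes
wide links = yes
"""

# Constructed: the three settings from the reply above.
SAMPLE_AFTER = """
[global]
workgroup = HOME
unix extensions = no

[homes]
comment = Home Directories
browseable = no
writable = yes
follow symlinks = yes
wide links = yes
"""


def to_bool(value, default):
    """smb.conf boolean parsing (yes/no, true/false, 1/0, on/off)."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_WORDS


def parse_smb_conf(text):
    """Parse smb.conf text with configparser.

    Leading whitespace is stripped from every line so that the indented
    'key = value' lines usual in smb.conf are not read as continuations.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = lambda key: " ".join(key.lower().split())  # 'Wide  Links' -> 'wide links'
    cp.read_file(io.StringIO(flat))
    return cp


def audit(text, samba_forces_off=True):
    """Return {share: {wide_links, client_symlinks, ignored, verdict}}.

    samba_forces_off=False models a server older than 3.4.6, which honoured
    'wide links = yes' even with unix extensions enabled.
    """
    cp = parse_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    unix_ext = to_bool(glob.get("unix extensions"), True)   # default: yes
    report = {}
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        follow = to_bool(sec.get("follow symlinks", glob.get("follow symlinks")), True)
        want_wide = to_bool(sec.get("wide links", glob.get("wide links")), False)
        ignored = want_wide and unix_ext and samba_forces_off
        effective = follow and want_wide and not ignored
        if effective and unix_ext:
            verdict = "ESCAPE: clients can create symlinks and smbd follows them outside the share"
        elif effective:
            verdict = "admin-created symlinks are followed outside the share; clients cannot create symlinks"
        elif ignored:
            verdict = "wide links requested but ignored (unix extensions = yes); symlinks out of the share are denied"
        else:
            verdict = "symlinks confined to the share tree"
        report[share] = {"wide_links": effective, "client_symlinks": unix_ext,
                         "ignored": ignored, "verdict": verdict}
    return report


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for share, info in audit(conf).items():
            print(f"{label:6} [{share}] {info['verdict']}")
```

The trade-off: with `unix extensions = no`, SMB clients lose the ability to create symlinks, so `wide links = yes` only follows links placed on the server by someone with shell access. Leaving unix extensions on while asking for wide links is the dangerous pair: a client could create a symlink to / inside a writable share and read whatever the connected user can reach; a patched server quietly disables wide links for that share instead, which is consistent with a home-directory symlink simply stopping working after an update.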
 
03-22-2010, 01:03 PM
Daniel J Walsh

Looking for SELinux advice regarding samba, apache

On 03/21/2010 12:21 PM, Toby Ovod-Everett wrote:
If you put smbd_t into permissive mode, does samba work?

semanage permissive -a smbd_t


 
