04-19-2010, 09:59 PM
Another Sillyname

SELinux Apache and Symbolic Links...GGGrrrr

Hi All

OK I've been playing with this for nearly two days now and cannot seem
to get it working at all.

In a nutshell.

Standard Apache Server setup...

in /var/www/html I have a subdirectory called reststop and within that
is a symbolic link to a directory at
/mnt/anotherdrive/newpath/nearlythere/reststop

I have set the permissions chcon -R 775 /var/www/html/reststop
I have set the permissions chcon -R 775
/mnt/anotherdrive/newpath/nearlythere/reststop

I have set the se permissions chcon -R -h -t httpd_sys_content_t
/var/www/html/reststop
I have set the se permissions chcon -R -h -t httpd_sys_content_t
/mnt/anotherdrive/newpath/nearlythere/reststop

I have checked the settings using ls -Z and they are correct

I have set the http.conf to allow followsymlinks

If I set selinux to permissive I DO get an error message:-

------------------------------------------------------------

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:file_t:s0
Target Objects                reststop [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          secretsquirrel.com
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   file
Host Name                     secretsquirrel.com
Platform                      Linux secretsquirrel.com
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 19 Apr 2010 03:45:40 PM BST
Last Seen                     Mon 19 Apr 2010 03:45:40 PM BST
Local ID                      yadayadayada
Line Numbers

Raw Audit Messages

node=secretsquirrel.com type=AVC msg=audit(1288463622.694:23321): avc:
denied { read } for pid=3605 comm="httpd" name="reststop" dev=dm-0
ino=340012822 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:file_t:s0 tclass=dir

node=secretsquirrel.com type=SYSCALL msg=audit(1288463622.694:23321):
arch=c000003e syscall=2 success=yes exit=16 a0=7f2f691d91c0 a1=90800
a2=7f2f691d5198 a3=7f2f691da150 items=0 ppid=3600 pid=3605 auid=500
uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489
tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

----------------------------------------------------------------

Why is the error message telling me files are labelled file_t when
they are labelled httpd_sys_content_t? To confirm that I ls -RZ | grep
file_t in the two directories I get no files returned.

What am I missing here guys? and before anyone suggests it I don't
just want to turn selinux off, I want to actually protect my system
properly though.

Thanks in advance
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
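
One way to find out which object the AVC record in the post refers to, as an added example that is not part of the original post: the record identifies the denied directory by name= and ino=, so the functions below compare those two fields against each candidate path, its resolved symlink target, and every parent directory of both. The function names avc_field and find_avc_object are hypothetical, and the sample record is the one from the post joined onto one line.

```shell
# Added example (not from the original post). Sample record: the AVC line
# from the post, joined onto one line.
AVC='node=secretsquirrel.com type=AVC msg=audit(1288463622.694:23321): avc: denied { read } for pid=3605 comm="httpd" name="reststop" dev=dm-0 ino=340012822 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir'

# avc_field KEY RECORD: print the value of KEY=... from the record, unquoted.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# find_avc_object RECORD PATH...: print the first object whose basename and
# inode match the record's name= and ino=. For each PATH it checks the path
# itself, the fully resolved symlink target (readlink -f), and every parent
# directory of both: httpd touches each of them when it resolves a URL, and
# plain "ls -RZ" (no -a) lists a directory's contents, not the directory
# itself or its parents. Inode numbers are only unique per filesystem, so
# confirm the hit is on the device named in dev=. Uses GNU stat (-c %i).
find_avc_object() {
    local rec ino name p c
    rec=$1; shift
    ino=$(avc_field ino "$rec")
    name=$(avc_field name "$rec")
    for p in "$@"; do
        for c in "$p" "$(readlink -f "$p" 2>/dev/null)"; do
            while :; do
                if [ "$(basename "$c")" = "$name" ] &&
                   [ "$(stat -c %i "$c" 2>/dev/null)" = "$ino" ]; then
                    printf '%s\n' "$c"
                    return 0
                fi
                case $c in /|.|'') break ;; esac
                c=$(dirname "$c")
            done
        done
    done
    return 1
}

# When run with candidate paths as arguments, show the label of the match.
if [ "$#" -gt 0 ]; then
    if obj=$(find_avc_object "$AVC" "$@"); then
        ls -Zd "$obj"
    else
        echo "no candidate has name=$(avc_field name "$AVC") ino=$(avc_field ino "$AVC")"
    fi
fi
```

Pass the symlink inside /var/www/html/reststop as the argument; the label printed by `ls -Zd` for the matching path is the one the record reports in tcontext.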
 
