trying to set a context
On Thu, Aug 16, 2012 at 3:34 PM, <m.roth@5-cent.us> wrote:
> Y'know, I know I'm asking for help, but I am so bloody frustrated that I
> want to give an example of why most admins I know *loathe* selinux.

Sorry that you're frustrated.

> chcon doesn't last through reboots. Why? Or why have it?

Setting contexts with chcon does last across reboots. It doesn't last through a full relabel of the filesystem, but that is something that shouldn't be necessary during normal operation. It is only used occasionally to recover when a system is in a strange state. Keeping the file contexts database up-to-date with semanage makes this a relatively safe thing to do.

> semanage doesn't offer the most obvious flag: -R, recurse.

The file contexts database - which is what semanage is changing in this situation - is basically recursive already. The tools that use this - like restorecon - do have the recursive flag.

Karl

> I've just restored a subversion repository from backup, after a drive
> failed. Now I'm trying to set the context. I'm trying to follow Dan's
> instructions in his blog
> <http://danwalsh.livejournal.com/28027.html?thread=197755>
>
> semanage fcontext -a -t httpd_sys_content_t 'mipav-svn/(*)'
> /etc/selinux/targeted/contexts/files/file_contexts.local: line 5 has
> invalid regex mipav-svn/(*): Invalid preceding regular expression
>
> Huh? Ditto without the parens. Nothing's changed. I went back and used
> chcon -R, which operates the way I expect a *Nix command to, so that
> selinux would shut up. But I want this permanent, so what's the magical
> incantation? Do I have the wrong keyboard? Or light a candle?
>
> mark

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
trying to set a context
On Thu, 2012-08-16 at 15:34 -0400, m.roth@5-cent.us wrote:
> chcon doesn't last through reboots. Why? Or why have it?
> semanage doesn't offer the most obvious flag: -R, recurse.

SELinux is a Mandatory Access Control architecture. Policy and file context specification are generally managed centrally. semanage fcontext is used to specify file contexts centrally (system wide). In general, when possible, one should always use semanage fcontext with restorecon.

Then why need chcon? Well, one can design policy configurations to give unprivileged users some discretion over labeling without them having access to the centralized file context specifications.

Some locations are ignored when it comes to maintaining file contexts, like for example /tmp. Users have some discretion over labeling there. All they need is permission to relabelfrom the current type and relabelto permission to the target type. One could for example use chcon to relabel a file one created in /tmp from user_tmp_t to user_home_t. I can't think of any reason off the top of my head why one would do that, but since the user has full access to both types and because SELinux doesn't have centralized file context specifications for content in /tmp, it is possible. That is done because of some properties of the optional MLS and MCS security models (but that is beyond the scope of this email).

One more practical example of the use of chcon is providing httpd userdirs. httpd is, or can be, configured to host content in ~/public_html. What type of httpd content is in there depends on the user. The user has the discretion to label httpd user content according to their requirements. As you may know there are various httpd content types (each type has its own properties):

httpd_user_content_t (httpd user content type that is only readable by the webserver; useful for static webpages and other read-only content)
httpd_user_content_ra_t (httpd user content type that is readable and appendable by the webserver; useful for webapp log files)
httpd_user_content_rw_t (httpd user content type that is readable and writable by the webserver; useful for upload directories etc.)
httpd_user_htaccess_t (httpd user content type for content that is readable by the webserver; useful for htpasswd and htaccess files)
httpd_user_script_exec_t (httpd user content type for content that is executable by the webserver; useful for cgi, webapp executable files etc.)

The only thing that is managed centrally is the file context for ~/public_html (httpd_user_content_t) and the userdir configuration in httpd.conf (where it's specified that userdirs are in ~/public_html). The labeling below ~/public_html is at the discretion of the user to some extent. If you have a webapp that needs to write to an upload directory then you, as an unprivileged user, can chcon a dir, for example ~/public_html/mywebapp/uploads, with type httpd_user_content_rw_t. SELinux will not try to reset that unless you use restorecon with the -F (force) option. There is some mechanism in place that tells SELinux to ignore some types when it comes to restoring file contexts (it's called customizable types); those customizable types are specified in /etc/selinux/targeted/contexts/files/customizable_types.

chcon is useful but generally only for unprivileged users. If you are allowed to use semanage then use that instead.
trying to set a context
Well, I'm slowly beating this into submission. However, an error I'm
seeing now is that selinux doesn't like svn via apache looking at the
repositories. Here's my situation:

/<mybase>/<export dir>/
    repoa
    repob
    lost+found
    anotherdir

I don't think that /<mybase>/<export dir>, which is owned root:root, should have a context of httpd_sys_content_t, but that seems to be what sealert is telling me.

Is there a clean way to resolve this?

mark
trying to set a context
> -----Original Message-----
> From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-
> bounces@lists.fedoraproject.org] On Behalf Of m.roth@5-cent.us
> Sent: 17 August 2012 16:52
>
> Well, I'm slowly beating this into submission. However, an error I'm
> seeing now is that selinux doesn't like svn via apache looking at the
> repositories. Here's my situation:
> /<mybase>/<export dir>/
>     repoa
>     repob
>     lost+found
>     anotherdir
>
> I don't think that /<mybase>/<export dir>, which is owned root:root,
> should have a context of httpd_sys_content_t, but that seems to be what
> sealert is telling me.
>
> Is there a clean way to resolve this?

See if there's anything useful for you in "man httpd_selinux" (or is it selinux_httpd - I can never remember which way round those go). There are a number of options for giving access to different types.

Moray.

“To err is human; to purr, feline.”
trying to set a context
On 08/17/2012 07:17 AM, Dominick Grift wrote:
> <snip>

Dominick: Thanks for that magnificent explanation.

--
Jorge
trying to set a context
On 08/17/2012 11:52 AM, m.roth@5-cent.us wrote:
> Well, I'm slowly beating this into submission. However, an error I'm seeing
> now is that selinux doesn't like svn via apache looking at the
> repositories. Here's my situation:
> /<mybase>/<export dir>/
>     repoa
>     repob
>     lost+found
>     anotherdir
>
> I don't think that /<mybase>/<export dir>, which is owned root:root, should
> have a context of httpd_sys_content_t, but that seems to be what sealert is
> telling me.
>
> Is there a clean way to resolve this?
>
> mark

Does /<mybase> contain apache content? Or does httpd just need to search through it?
trying to set a context
On 08/17/2012 04:52 PM, m.roth@5-cent.us wrote:
> Well, I'm slowly beating this into submission. However, an error I'm
> seeing now is that selinux doesn't like svn via apache looking at the
> repositories. Here's my situation:
> /<mybase>/<export dir>/
>     repoa
>     repob
>     lost+found
>     anotherdir
>
> I don't think that /<mybase>/<export dir>, which is owned root:root,
> should have a context of httpd_sys_content_t, but that seems to be what
> sealert is telling me.
>
> Is there a clean way to resolve this?

For my own svn server, I use:

/srv/subversion(/.*)?                      httpd_sys_content_rw_t
/srv/subversion/repos/[^/]*/hooks(/.*)?    httpd_sys_script_exec_t

Paul.