In general, I really like the idea of SELinux. It conceptually allows you to specify users, roles, and types for files and then checks against those conditions when something tries to access the files. It will only allow users that match the user condition, roles that match the role condition, and types that match the type condition to actually proceed and work with the file.
So, for example, if you a role of “web object” which the webserver account fills, and it tries to write data into some directory that is not fit for that role, say /bin/, the operation will fail and the would-be hacker can’t put their trojaned ls program or whatever in there. That is a good thing.
The problem is that the SELinux system is really kind of complicated. If you don’t know that it is there, you will just have things failing mysteriously, especially if you add directories in places that aren’t set up with the system already. Running a webserver on one of my linux machines, I ran into this problem. It is particularly an issue when you are trying to use executable scripts on your web server.
Here is an instance of a problem that I had: I copied some scripts over from a production machine to a dev machine so I could build some more functionality based on the existing scripts. They went into /var/www/cgi-bin/, a normal place for scripts on my system. To find out the attributes they should have:
$ ls -ldZ /var/www/cgi-bindrwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin$ ls -ldZ /var/www/cgi-bin/my.cgi-rwxr-xr-x root root /var/www/cgi-bin/my.cgi
So that isn’t good. When I try to access the file, I get a 404, which isn’t really true: actually the file is there, but SELinux is preventing it from being used. So, what should I do? I need to make the files have the correct SELinux settings. First, I try setting the type of the file:
sudo chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/*
chcon: can’t apply partial context to unlabeled file /var/www/cgi-bin/
Oh, that’s no good. What’s a partial context? Looks like you need to specify all the attributes of the file. Usually the files already have some default attributes, so it is ok, but for some reason these guys have nothing. I don’t know why. But if we apply all of the attributes that we need:
sudo chcon system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/*
And that fixed the problem. Also, if you need to know where SELinux error messages are, they are sometimes in /var/log/messages, sometimes in dmesg output, and sometimes in /var/log/audit/audit.log or possible /var/log/avc.log, depending on how your system is set up.
Leave a Reply