November 30, 2007

SELinux Problems, solutions

In general, I really like the idea of SELinux.  It conceptually allows you to specify users, roles, and types for files and then checks against those conditions when something tries to access the files.  It will only allow users that match the user condition, roles that match the role condition, and types that match the type condition to actually proceed and work with the file.

So, for example, if you a role of "web object" which the webserver account fills, and it tries to write data into some directory that is not fit for that role, say /bin/, the operation will fail and the would-be hacker can't put their trojaned ls program or whatever in there.  That is a good thing. 

The problem is that the SELinux system is really kind of complicated.  If you don't know that it is there, you will just have things failing mysteriously, especially if you add directories in places that aren't set up with the system already.  Running a webserver on one of my linux machines, I ran into this problem.  It is particularly an issue when you are trying to use executable scripts on your web server.

Here is an instance of a problem that I had:  I copied some scripts over from a production machine to a dev machine so I could build some more functionality based on the existing scripts.  They went into /var/www/cgi-bin/, a normal place for scripts on my system.  To find out the attributes they should have:
$ ls -ldZ /var/www/cgi-bin
drwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
$ ls -ldZ /var/www/cgi-bin/my.cgi-rwxr-xr-x  root root                                  /var/www/cgi-bin/my.cgi
So that isn't good.  When I try to access the file, I get a 404, which isn't really true: actually the file is there, but SELinux is preventing it from being used.  So, what should I do?  I need to make the files have the correct SELinux settings.  First, I try setting the type of the file:
sudo chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/*
chcon: can't apply partial context to unlabeled file /var/www/cgi-bin/
Oh, that's no good.  What's a partial context?  Looks like you need to specify all the attributes of the file.  Usually the files already have some default attributes, so it is ok, but for some reason these guys have nothing.  I don't know why.  But if we apply all of the attributes that we need:
sudo chcon system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/*

And that fixed the problem.  Also, if you need to know where SELinux error messages are, they are sometimes in /var/log/messages, sometimes in dmesg output, and sometimes in /var/log/audit/audit.log or possible /var/log/avc.log, depending on how your system is set up.


Provide your email address when commenting and Gravatar will provide general portable avatars, and if you haven't signed up with them, a cute procedural avatar with their implementation of Shamus Young's Wavatars.

Setting up permissions for a CVS server under SELinux
I moved my CVS server over to a new machine that is running SELinux in enforcing mode. I couldn't log into the CVS server. That's strange. After checking the file permissions (it could not read the config file despite being world readable) I realized that this is almost certainly another SELinux problem. It turns out that it is.

Initial permissions:
drwxrwxr-x root cvsadmin system_u:object_r:home_root_t:s0 /home/cvsroot

Here is how I fixed it:

# semanage fcontext -a -t cvs_data_t "/home/cvsroot(/.*)?"
# /sbin/restorecon -R -v /home/cvsroot

New permissions:
drwxrwxr-x root cvsadmin system_u:object_r:cvs_data_t:s0 /home/cvsroot

Then a login and a CO worked! Yay!
Posted 15 years, 5 months ago by fugutabetai • • wwwReply

Comments have now been turned off for this post