* FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-02 21:07 UTC
To: selinux
Hello,
I am one of the authors of a web application that is widely used in my
community, GBrowse ( http://www.gmod.org/ggb/ ). We've started
receiving bug reports from users who are trying to install and run it on
Fedora Core 3 systems with SELinux installed and enabled with the
default values from the distribution.
To do some testing, I've installed FC3 and GBrowse and run into the same
problems. The only way I've been able to get GBrowse to run is to
disable SELinux. There are a few reasons I'd rather not tell my users
to do that, so I am looking for a way to leave SELinux enabled and still
run GBrowse. The first thing I tried was to set httpd_disable_trans=1
(which the GUI calls "Disable SELinux protection for httpd daemon"), but
that doesn't help. Are there any parameters that I can add
to /etc/selinux/targeted/booleans to allow GBrowse to work?
As far as I can tell, the reason SELinux doesn't like GBrowse is that it
is a cgi that tries to read a directory and files in the apache conf
directory.
Thanks,
Scott
--
------------------------------------------------------------------------
Scott Cain, Ph. D. cain@cshl.org
GMOD Coordinator (http://www.gmod.org/) 216-392-3087
Cold Spring Harbor Laboratory
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-02 23:46 UTC
To: Scott Cain; +Cc: selinux
First make sure you have the latest policy, via yum
yum update selinux-policy-targeted
Next make sure httpd_unified is set
setsebool -P httpd_unified 1
Now try it.
Look for AVC messages in /var/log/messages which will tell you what is
being denied.
http://fedora.redhat.com/docs/selinux-apache-fc3/
has a lot of information on setting up Apache and SELinux.
Dan
* Re: FC3, Apache and CGI web app
From: Colin Walters @ 2005-02-03 3:01 UTC
To: selinux
Scott Cain wrote:
> Hello,
>
> I am one of the authors of a web application that is widely used in my
> community, GBrowse ( http://www.gmod.org/ggb/ ). We've started
> receiving bug reports from users who are trying to install and run it on
> Fedora Core 3 systems with SELinux installed and enabled with the
> default values from the distribution.
>
> To do some testing, I've installed FC3 and GBrowse and run into the same
> problems. The only way I've been able to get GBrowse to run is to
> disable SELinux. There are a few reasons I'd rather not tell my users
> to do that, so I am looking for a way to leave SELinux enabled and still
> run GBrowse. The first thing I tried was to set httpd_disable_trans=1
> (which the GUI calls "Disable SELinux protection for httpd daemon"), but
> that doesn't help. Are there any parameters that I can add
> to /etc/selinux/targeted/booleans to allow GBrowse to work?
And did you restart Apache with "service httpd restart"?
> As far as I can tell, the reason SELinux doesn't like GBrowse is that it
> is a cgi that tries to read a directory and files in the apache conf
> directory.
Yeah, the policy doesn't allow that by default. The httpd_sys_script_t
domain just tries to capture a "typical" class of scripts; but in
general it's going to either be too strong or too weak for particular
CGI programs.
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 4:30 UTC
To: Daniel J Walsh; +Cc: selinux
On Wed, 2005-02-02 at 18:46 -0500, Daniel J Walsh wrote:
> Scott Cain wrote:
> > [...snip...]
> >
> First make sure you have the latest policy, via yum
>
> yum update selinux-policy-targeted
>
Check!
> Next make sure httpd_unified is set
>
> setsebool -P httpd_unified 1
Check; # sudo cat /etc/selinux/targeted/booleans
allow_ypbind=1
dhcpd_disable_trans=0
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=1
httpd_unified=1
mysqld_disable_trans=0
named_disable_trans=0
named_write_master_zones=0
nscd_disable_trans=0
ntpd_disable_trans=0
portmap_disable_trans=0
postgresql_disable_trans=0
snmpd_disable_trans=0
squid_disable_trans=0
syslogd_disable_trans=0
winbind_disable_trans=0
ypbind_disable_trans=0
>
> Now try it.
Check (and I restarted httpd, to answer Colin's question)
>
> Look for AVC messages in /var/log/messages which will tell you what is
> being denied.
> http://fedora.redhat.com/docs/selinux-apache-fc3/
> has a lot of information on settingup apache and SElinux.
Here we go from /var/log/messages:
Feb 2 23:23:13 localhost kernel: audit(1107404593.566:0): avc: denied
{ read } for pid=3792 exe=/usr/bin/perl name=tmp dev=hda2 ino=4243590
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file
So what can I do to make this work?
Thanks,
Scott
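The AVC record Scott posted, parsed into its fields and cross-checked against his booleans file. This is an added example, not code from the thread; the two sample strings are Scott's own log line (re-joined onto one line) and the httpd-related lines of his booleans file, embedded as constants, and the `explain` findings are this example's reading of them, matching the diagnosis Dan gives in his reply.

```python
import re

# Constructed sample data: Scott's AVC line with the e-mail wrapping removed,
# and the httpd-related entries from his /etc/selinux/targeted/booleans.
SAMPLE_AVC = (
    "Feb 2 23:23:13 localhost kernel: audit(1107404593.566:0): avc: denied "
    "{ read } for pid=3792 exe=/usr/bin/perl name=tmp dev=hda2 ino=4243590 "
    "scontext=root:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:tmp_t tclass=lnk_file"
)
SAMPLE_BOOLEANS = """\
allow_ypbind=1
dhcpd_disable_trans=0
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=1
httpd_unified=1
"""

# "avc: denied { perm ... } for key=value ..." as written by the FC3 kernel.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_context(ctx):
    """Split 'user:role:type[:range]' into its named fields."""
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value
    rec["scontext"] = parse_context(rec["scontext"])
    rec["tcontext"] = parse_context(rec["tcontext"])
    return rec


def parse_booleans(text):
    """Parse the 'name=0|1' lines of a targeted-policy booleans file."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        out[name.strip()] = value.strip() == "1"
    return out


def explain(rec, booleans):
    """Findings a defender would draw from one denial plus the active booleans."""
    src = rec["scontext"]["type"]
    tgt = rec["tcontext"]["type"]
    findings = [
        f"{src} denied {' '.join(rec['perms'])} on {rec['tclass']} labelled "
        f"{tgt} ({rec.get('exe')} pid {rec.get('pid')})"
    ]
    # With httpd_disable_trans=1 the CGI should never have transitioned into
    # httpd_sys_script_t at all, so the denial points at a policy bug, not at
    # something the application must work around.
    if src == "httpd_sys_script_t" and booleans.get("httpd_disable_trans"):
        findings.append(
            "httpd_disable_trans=1 but the script still ran as "
            "httpd_sys_script_t: policy bug, not a labelling problem"
        )
    # The target is the generic tmp_t type: label the application's own tmp
    # directory for httpd rather than opening /tmp to scripts.
    if tgt == "tmp_t":
        findings.append(
            "target is tmp_t: relabel the app's own tmp directory rather "
            "than allowing scripts to read /tmp"
        )
    return findings


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    for finding in explain(record, parse_booleans(SAMPLE_BOOLEANS)):
        print("-", finding)
```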
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 14:51 UTC
To: Scott Cain; +Cc: selinux
Scott Cain wrote:
>[...snip...]
>Here we go from /var/log/messages:
>Feb 2 23:23:13 localhost kernel: audit(1107404593.566:0): avc: denied
>{ read } for pid=3792 exe=/usr/bin/perl name=tmp dev=hda2 ino=4243590
>scontext=root:system_r:httpd_sys_script_t
>tcontext=system_u:object_r:tmp_t tclass=lnk_file
You would have to write policy at this point. Allowing scripts to read
sym links off of /tmp would be considered dangerous.
But this would be a bug, since you have httpd_disable_trans set to 1, you
should not be running as httpd_sys_script_t.
selinux-policy-targeted-1.17.30-2.76 will prevent this transition.
I have put out a version on
ftp://people.redhat.com/dwalsh/SELinux/FC3
This will go into Fedora-testing tonight. Please try it out and see if
it fixes the transition problem. I.e. your scripts should be running under
unconfined_t.
Dan
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 15:25 UTC
To: Daniel J Walsh; +Cc: selinux
Dan,
That fixed it for the case where disabled is set. About reading
from /tmp, I am reasonably sure that nowhere in the CGI do we do that.
What we do that is similar, however, is read from a
directory, /var/www/html/gbrowse/tmp, which is created by root during
the installation and made world readable and writable. I'm guessing that is
also considered dangerous. If I change the installer to chown to apache
and then make it writable only by apache, would that make the problem
go away?
Thanks,
Scott
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 15:35 UTC
To: Scott Cain; +Cc: selinux
Scott Cain wrote:
>Dan,
>
>That fixed it for the case for where disabled is set. About reading
>from /tmp, I am reasonably sure that nowhere in the cgi do we do that.
>What we do that is similar however is read from a
>directory, /var/www/html/gbrowse/tmp, which is created by root during
>the installation and made world read and writable. I'm guessing that is
>also considered dangerous. If I change the installer to chown to apache
>and then make it writeable only by apache, would that make the problem
>go away?
No but you could just change the context of tmp to httpd_sys_content_t
chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
Which should fix it.
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 15:48 UTC
To: Daniel J Walsh; +Cc: selinux
On Thu, 2005-02-03 at 10:35 -0500, Daniel J Walsh wrote:
> No but you could just change the context of tmp to httpd_sys_content_t
>
> chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
>
> Which should fix it.
>
[scott@localhost gbrowse]$ sudo chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
/usr/bin/chcon: invalid context: httpd_sys_content_t
Is there a typo in there somewhere? Also, is this documented somewhere?
`man` and `info` are particularly terse and not very helpful.
Thanks,
Scott
* Re: FC3, Apache and CGI web app
From: Stephen Smalley @ 2005-02-03 15:52 UTC
To: Scott Cain; +Cc: Daniel J Walsh, selinux
On Thu, 2005-02-03 at 10:48, Scott Cain wrote:
> [scott@localhost gbrowse]$ sudo chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
> /usr/bin/chcon: invalid context: httpd_sys_content_t
>
> Is there a typo in there somewhere? Also, is this documented somewhere?
> `man` and `info` are particularly terse and not very helpful.
You need to specify -t if you are only specifying the type (vs. the
entire security context), e.g.
chcon -R -t httpd_sys_content_t ...
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 15:59 UTC
To: Scott Cain; +Cc: selinux
Scott Cain wrote:
>[scott@localhost gbrowse]$ sudo chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
>/usr/bin/chcon: invalid context: httpd_sys_content_t
>
>Is there a typo in there somewhere? Also, is this documented somewhere?
>`man` and `info` are particularly terse and not very helpful.
Oops
chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp
There should be a man page, there is one on my machine
CHCON(1)                         User Commands                        CHCON(1)

NAME
       chcon - change security context

SYNOPSIS
       chcon [OPTION]... CONTEXT FILE...
       chcon [OPTION]... --reference=RFILE FILE...

DESCRIPTION
       Change the security context of each FILE to CONTEXT.

       -c, --changes
              like verbose but report only when a change is made

       -h, --no-dereference
              affect symbolic links instead of any referenced file (available
              only on systems with lchown system call)

       -f, --silent, --quiet
              suppress most error messages

       -l, --range
              set range RANGE in the target security context

       --reference=RFILE
              use RFILE's context instead of using a CONTEXT value

       -R, --recursive
              change files and directories recursively

       -r, --role
              set role ROLE in the target security context

       -t, --type
              set type TYPE in the target security context

       -u, --user
              set user USER in the target security context

       -v, --verbose
              output a diagnostic for every file processed

       --help display this help and exit

       --version
              output version information and exit

REPORTING BUGS
       Report bugs to <email@host.com>.

SEE ALSO
       The full documentation for chcon is maintained as a Texinfo manual.
       If the info and chcon programs are properly installed at your site,
       the command

              info chcon

       should give you access to the complete manual.

chcon (coreutils) 5.0             July 2003                           CHCON(1)
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 16:01 UTC
To: Daniel J Walsh; +Cc: selinux
OK, now I get this:
[scott@localhost gbrowse]$ sudo chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp
/usr/bin/chcon: can't apply partial context to unlabeled file /var/www/html/gbrowse/tmp/yeast_chr1
About my comment about the man page: I was just saying that it doesn't
say much about what options are available (like how would I know I need
to use 'httpd_sys_content_t'?). I'm guessing this is further documented
somewhere else.
Thanks,
Scott
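The three chcon invocations in this thread fail or succeed for reasons the man page only implies: a CONTEXT argument must be a full user:role:type label, while -u/-r/-t/-l edit one field of the label the file already has, so they need an existing label to edit. The model below is an added example, not chcon's own code and not from the thread; it replays the three attempts without touching a filesystem, and RELABELED_TMP is a constructed stand-in for whatever label the relabel gave /var/www/html/gbrowse/tmp, which the thread does not show.

```python
FIELDS = ("user", "role", "type", "range")


def parse_context(ctx):
    """Validate and split a full 'user:role:type[:range]' label.

    A bare type such as 'httpd_sys_content_t' has no ':' separators and is
    rejected, which is what chcon's 'invalid context' message means.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"invalid context: {ctx}")
    return dict(zip(FIELDS, parts))


def format_context(fields):
    return ":".join(fields[f] for f in FIELDS if f in fields)


def chcon(current, full=None, **partial):
    """Return the label chcon would write for one file.

    current: the file's existing label, or None for an unlabelled file
    full:    a complete CONTEXT argument       (chcon CONTEXT FILE)
    partial: user=, role=, type= and/or range= (chcon -u/-r/-t/-l ... FILE)
    """
    if full is not None:
        # A full context replaces the label outright; it still has to parse.
        return format_context(parse_context(full))
    unknown = set(partial) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    if current is None:
        # Field edits need an existing label to edit: the second error Scott
        # hit, fixed in the thread by relabelling the whole system first.
        raise ValueError("can't apply partial context to unlabeled file")
    new = parse_context(current)
    new.update(partial)
    return format_context(new)


# Constructed placeholder: the label the relabel assigned to the gbrowse tmp
# directory is not in the thread, so any ordinary file label will do here.
RELABELED_TMP = "system_u:object_r:var_t"


def thread_attempts():
    """Replay the three chcon commands from the thread and collect outcomes."""
    attempts = (
        ("bare type as CONTEXT", dict(current=None, full="httpd_sys_content_t")),
        ("-t on unlabeled file", dict(current=None, type="httpd_sys_content_t")),
        ("-t after relabel", dict(current=RELABELED_TMP, type="httpd_sys_content_t")),
    )
    outcomes = {}
    for name, kwargs in attempts:
        try:
            outcomes[name] = chcon(**kwargs)
        except ValueError as err:
            outcomes[name] = f"error: {err}"
    return outcomes


if __name__ == "__main__":
    for name, result in thread_attempts().items():
        print(f"{name:22} -> {result}")
```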
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 16:11 UTC
To: Scott Cain; +Cc: selinux
Scott Cain wrote:
>OK, now I get this:
>
>[scott@localhost gbrowse]$ sudo chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp
>/usr/bin/chcon: can't apply partial context to unlabeled file /var/www/html/gbrowse/tmp/yeast_chr1
Has this machine been labeled or booted with selinux=0? You need to
relabel the system.
touch /.autorelabel
reboot
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 16:57 UTC
To: Daniel J Walsh; +Cc: selinux
Dan,
I did the relabel/reboot and was able to change the context. Now my next
question: was changing the context of the GBrowse tmp directory supposed
to allow it to run with SELinux enabled for httpd? I.e.:
httpd_disable_trans=0
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=1
httpd_unified=1
Because it doesn't; I'm back to 500 errors. Is what you meant instead
that I have to change the context and make it writable only by the owner
(i.e., apache)?
Thanks for your patience,
Scott