* FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-02 21:07 UTC
To: selinux

Hello,

I am one of the authors of a web application that is widely used in my
community, GBrowse ( http://www.gmod.org/ggb/ ). We've started receiving bug
reports from users who are trying to install and run it on Fedora Core 3
systems with SELinux installed and enabled with the default values from the
distribution.

To do some testing, I've installed FC3 and GBrowse and run into the same
problems. The only way I've been able to get GBrowse to run is to disable
SELinux. There are a few reasons I'd rather not tell my users to do that, so I
am looking for a way to leave SELinux enabled and still run GBrowse. The first
thing I tried was to set httpd_disable_trans=1 (which the GUI calls "Disable
SELinux protection for httpd daemon"), but that doesn't help. Are there any
parameters that I can add to /etc/selinux/targeted/booleans to allow GBrowse
to work?

As far as I can tell, the reason SELinux doesn't like GBrowse is that it is a
cgi that tries to read a directory and files in the apache conf directory.

Thanks,
Scott

--
Scott Cain, Ph. D.                                  cain@cshl.org
GMOD Coordinator (http://www.gmod.org/)             216-392-3087
Cold Spring Harbor Laboratory

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-02 23:46 UTC
To: Scott Cain; +Cc: selinux

Scott Cain wrote:
> Hello,
>
> I am one of the authors of a web application that is widely used in my
> community, GBrowse ( http://www.gmod.org/ggb/ ). We've started
> receiving bug reports from users who are trying to install and run it on
> Fedora Core 3 systems with SELinux installed and enabled with the
> default values from the distribution.
>
> To do some testing, I've installed FC3 and GBrowse and run into the same
> problems. The only way I've been able to get GBrowse to run is to
> disable SELinux. There are a few reasons I'd rather not tell my users
> to do that, so I am looking for a way to leave SELinux enabled and still
> run GBrowse. The first thing I tried was to set httpd_disable_trans=1
> (which the GUI calls "Disable SELinux protection for httpd daemon"), but
> that doesn't help. Are there any parameters that I can add
> to /etc/selinux/targeted/booleans to allow GBrowse to work?
>
> As far as I can tell, the reason SELinux doesn't like GBrowse is that it
> is a cgi that tries to read a directory and files in the apache conf
> directory.
>
> Thanks,
> Scott

First make sure you have the latest policy, via yum

yum update selinux-policy-targeted

Next make sure httpd_unified is set

setsebool -P httpd_unified 1

Now try it.

Look for AVC messages in /var/log/messages which will tell you what is
being denied.

http://fedora.redhat.com/docs/selinux-apache-fc3/
has a lot of information on setting up apache and SELinux.

Dan
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 4:30 UTC
To: Daniel J Walsh; +Cc: selinux

On Wed, 2005-02-02 at 18:46 -0500, Daniel J Walsh wrote:
> Scott Cain wrote:
> > [...snip...]
>
> First make sure you have the latest policy, via yum
>
> yum update selinux-policy-targeted

Check!

> Next make sure httpd_unified is set
>
> setsebool -P httpd_unified 1

Check;

# sudo cat /etc/selinux/targeted/booleans
allow_ypbind=1
dhcpd_disable_trans=0
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=1
httpd_unified=1
mysqld_disable_trans=0
named_disable_trans=0
named_write_master_zones=0
nscd_disable_trans=0
ntpd_disable_trans=0
portmap_disable_trans=0
postgresql_disable_trans=0
snmpd_disable_trans=0
squid_disable_trans=0
syslogd_disable_trans=0
winbind_disable_trans=0
ypbind_disable_trans=0

> Now try it.

Check (and I restarted httpd, to answer Colin's question)

> Look for AVC messages in /var/log/messages which will tell you what is
> being denied.
> http://fedora.redhat.com/docs/selinux-apache-fc3/
> has a lot of information on setting up apache and SELinux.

Here we go from /var/log/messages:

Feb 2 23:23:13 localhost kernel: audit(1107404593.566:0): avc: denied
{ read } for pid=3792 exe=/usr/bin/perl name=tmp dev=hda2 ino=4243590
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file

So what can I do to make this work?

Thanks,
Scott

> Dan
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 14:51 UTC
To: Scott Cain; +Cc: selinux

Scott Cain wrote:
> Check (and I restarted httpd, to answer Colin's question)
>
> Here we go from /var/log/messages:
> Feb 2 23:23:13 localhost kernel: audit(1107404593.566:0): avc: denied
> { read } for pid=3792 exe=/usr/bin/perl name=tmp dev=hda2 ino=4243590
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:tmp_t tclass=lnk_file

You would have to write policy at this point. Allowing scripts to read
sym links off of /tmp would be considered dangerous.

But this would be a bug, since you have httpd_disable_trans set to 1, you
should not be running as httpd_sys_script_t.

selinux-policy-targeted-1.17.30-2.76 will prevent this transition.

I have put out a version on
ftp://people.redhat.com/dwalsh/SELinux/FC3

This will go into Fedora-testing tonight. Please try it out and see if
it fixes the transition problem. I.e. your scripts should be running under
unconfined_t.

Dan

> So what can I do to make this work?
>
> Thanks,
> Scott
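The AVC record Scott posted and the booleans file he showed are exactly the two inputs Dan's diagnosis rests on. As an added example that is not part of this thread, here is a small Python analyzer that parses syslog AVC records of that form (audit(ts:serial): avc: denied { perms } for key=value ...), parses the booleans file, and reports the two conditions discussed: a CGI still running as httpd_sys_script_t although httpd_disable_trans=1, and a script domain denied access to a tmp_t object. The sample log and booleans lines are constructed from the ones in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the AVC denial Scott posted, plus an unrelated
# kernel line to show that non-AVC messages are skipped.
SAMPLE_MESSAGES = """\
Feb  2 23:23:13 localhost kernel: audit(1107404593.566:0): avc:  denied  { read } for  pid=3792 exe=/usr/bin/perl name=tmp dev=hda2 ino=4243590 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
Feb  2 23:23:14 localhost kernel: eth0: link up
"""

# Constructed sample: the relevant lines of /etc/selinux/targeted/booleans
# in the name=0/1 format Scott showed.
SAMPLE_BOOLEANS = """\
httpd_disable_trans=1
httpd_enable_cgi=1
httpd_unified=1
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Context:
    """An SELinux security context user:role:type (any MLS range is ignored)."""
    user: str
    role: str
    type: str


def parse_context(ctx: str) -> Context:
    # A bare type such as "httpd_sys_content_t" is not a full context; that is
    # exactly why chcon needs -t when only the type is given.
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a full security context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2])


@dataclass
class AvcRecord:
    timestamp: str
    result: str
    perms: List[str]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def scontext(self) -> Context:
        return parse_context(self.fields["scontext"])

    @property
    def tcontext(self) -> Context:
        return parse_context(self.fields["tcontext"])


def parse_avc_lines(text: str) -> List[AvcRecord]:
    """Extract every AVC record from syslog text; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append(AvcRecord(
            timestamp=m.group("ts"),
            result=m.group("result"),
            perms=m.group("perms").split(),
            fields=dict(FIELD_RE.findall(m.group("fields"))),
        ))
    return records


def parse_booleans(text: str) -> Dict[str, bool]:
    """Parse name=0/1 lines as found in /etc/selinux/targeted/booleans."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        out[name.strip()] = value.strip() == "1"
    return out


def diagnose(records: List[AvcRecord], booleans: Dict[str, bool]) -> List[str]:
    """Apply the two checks from the thread to each denial and describe hits."""
    findings = []
    for r in records:
        if r.result != "denied":
            continue
        src, tgt, tclass = r.scontext, r.tcontext, r.fields.get("tclass", "?")
        if src.type == "httpd_sys_script_t" and booleans.get("httpd_disable_trans"):
            findings.append(
                "httpd_disable_trans=1 but the CGI still runs as httpd_sys_script_t: "
                "the domain transition was not disabled (the policy bug described in "
                "the thread); with the fixed policy the script should run as unconfined_t"
            )
        if src.type == "httpd_sys_script_t" and tgt.type == "tmp_t":
            findings.append(
                f"CGI denied {' '.join(r.perms)} on a tmp_t {tclass} "
                f"(name={r.fields.get('name', '?')}): the script domain may not read "
                "/tmp; a scratch directory under the docroot should be labeled "
                "httpd_sys_content_t instead (chcon -R -t httpd_sys_content_t DIR)"
            )
    return findings


if __name__ == "__main__":
    recs = parse_avc_lines(SAMPLE_MESSAGES)
    for finding in diagnose(recs, parse_booleans(SAMPLE_BOOLEANS)):
        print("-", finding)
```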
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 15:25 UTC
To: Daniel J Walsh; +Cc: selinux

Dan,

That fixed it for the case where disabled is set. About reading from /tmp, I
am reasonably sure that nowhere in the cgi do we do that. What we do that is
similar however is read from a directory, /var/www/html/gbrowse/tmp, which is
created by root during the installation and made world read and writable. I'm
guessing that is also considered dangerous. If I change the installer to chown
to apache and then make it writeable only by apache, would that make the
problem go away?

Thanks,
Scott

On Thu, 2005-02-03 at 09:51 -0500, Daniel J Walsh wrote:
> You would have to write policy at this point. Allowing scripts to read
> sym links off of /tmp would be considered dangerous.
>
> But this would be a bug, since you have httpd_disable_trans set to 1, you
> should not be running as httpd_sys_script_t.
>
> selinux-policy-targeted-1.17.30-2.76 will prevent this transition.
>
> I have put out a version on
> ftp://people.redhat.com/dwalsh/SELinux/FC3
>
> This will go into Fedora-testing tonight. Please try it out and see if
> it fixes the transition problem. I.e. your scripts should be running under
> unconfined_t.
>
> Dan
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 15:35 UTC
To: Scott Cain; +Cc: selinux

Scott Cain wrote:
> Dan,
>
> That fixed it for the case where disabled is set. About reading
> from /tmp, I am reasonably sure that nowhere in the cgi do we do that.
> What we do that is similar however is read from a
> directory, /var/www/html/gbrowse/tmp, which is created by root during
> the installation and made world read and writable. I'm guessing that is
> also considered dangerous. If I change the installer to chown to apache
> and then make it writeable only by apache, would that make the problem
> go away?

No but you could just change the context of tmp to httpd_sys_content_t

chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp

Which should fix it.

> Thanks,
> Scott
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 15:48 UTC
To: Daniel J Walsh; +Cc: selinux

On Thu, 2005-02-03 at 10:35 -0500, Daniel J Walsh wrote:
> No but you could just change the context of tmp to httpd_sys_content_t
>
> chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
>
> Which should fix it.

[scott@localhost gbrowse]$ sudo chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
/usr/bin/chcon: invalid context: httpd_sys_content_t

Is there a typo in there somewhere? Also, is this documented somewhere?
`man` and `info` are particularly terse and not very helpful.

Thanks,
Scott
* Re: FC3, Apache and CGI web app
From: Stephen Smalley @ 2005-02-03 15:52 UTC
To: Scott Cain; +Cc: Daniel J Walsh, selinux

On Thu, 2005-02-03 at 10:48, Scott Cain wrote:
> [scott@localhost gbrowse]$ sudo chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
> /usr/bin/chcon: invalid context: httpd_sys_content_t
>
> Is there a typo in there somewhere? Also, is this documented somewhere?
> `man` and `info` are particularly terse and not very helpful.

You need to specify -t if you are only specifying the type (vs. the entire
security context), e.g.

chcon -R -t httpd_sys_context_t ...

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 15:59 UTC
To: Scott Cain; +Cc: selinux

Scott Cain wrote:
> [scott@localhost gbrowse]$ sudo chcon -R httpd_sys_content_t /var/www/html/gbrowse/tmp
> /usr/bin/chcon: invalid context: httpd_sys_content_t
>
> Is there a typo in there somewhere? Also, is this documented somewhere?
> `man` and `info` are particularly terse and not very helpful.

Oops

chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp

There should be a man page, there is one on my machine

[-- Attachment #2: chcon --]

CHCON(1)                         User Commands                        CHCON(1)

NAME
       chcon - change security context

SYNOPSIS
       chcon [OPTION]... CONTEXT FILE...
       chcon [OPTION]... --reference=RFILE FILE...

DESCRIPTION
       Change the security context of each FILE to CONTEXT.

       -c, --changes
              like verbose but report only when a change is made

       -h, --no-dereference
              affect symbolic links instead of any referenced file (available
              only on systems with lchown system call)

       -f, --silent, --quiet
              suppress most error messages

       -l, --range
              set range RANGE in the target security context

       --reference=RFILE
              use RFILE's context instead of using a CONTEXT value

       -R, --recursive
              change files and directories recursively

       -r, --role
              set role ROLE in the target security context

       -t, --type
              set type TYPE in the target security context

       -u, --user
              set user USER in the target security context

       -v, --verbose
              output a diagnostic for every file processed

       --help display this help and exit

       --version
              output version information and exit

REPORTING BUGS
       Report bugs to <email@host.com>.

SEE ALSO
       The full documentation for chcon is maintained as a Texinfo manual.
       If the info and chcon programs are properly installed at your site,
       the command

              info chcon

       should give you access to the complete manual.

chcon (coreutils) 5.0              July 2003                          CHCON(1)
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 16:01 UTC
To: Daniel J Walsh; +Cc: selinux

OK, now I get this:

[scott@localhost gbrowse]$ sudo chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp
/usr/bin/chcon: can't apply partial context to unlabeled file /var/www/html/gbrowse/tmp/yeast_chr1

About my comment about the man page: I was just saying that it doesn't say
much about what options are available (like how would I know I need to use
'httpd_sys_content_t'?) I'm guessing this is further documented somewhere
else.

Thanks,
Scott

On Thu, 2005-02-03 at 10:59 -0500, Daniel J Walsh wrote:
> Oops
> chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp
>
> There should be a man page, there is one on my machine
* Re: FC3, Apache and CGI web app
From: Daniel J Walsh @ 2005-02-03 16:11 UTC
To: Scott Cain; +Cc: selinux

Scott Cain wrote:
> OK, now I get this:
>
> [scott@localhost gbrowse]$ sudo chcon -R -t httpd_sys_content_t /var/www/html/gbrowse/tmp
> /usr/bin/chcon: can't apply partial context to unlabeled file /var/www/html/gbrowse/tmp/yeast_chr1

Has this machine been labeled or booted with selinux=0? You need to
relabel the system.

touch /.autorelabel
reboot

> About my comment about the man page: I was just saying that it doesn't
> say much about what options are available (like how would I know I need
> to use 'httpd_sys_content_t'?) I'm guessing this is further documented
> somewhere else.
>
> Thanks,
> Scott
* Re: FC3, Apache and CGI web app
From: Scott Cain @ 2005-02-03 16:57 UTC
To: Daniel J Walsh; +Cc: selinux

Dan,

I did the relabel/reboot and was able to change the context, now my next
question: was changing the context of the GBrowse tmp directory supposed to
allow it to run with SELinux enabled for httpd? ie:

httpd_disable_trans=0
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
httpd_tty_comm=1
httpd_unified=1

Because it doesn't; I'm back to 500 errors. Is what you meant instead that I
have to change the context and make it writable only by the owner (ie,
apache)?

Thanks for your patience,
Scott

On Thu, 2005-02-03 at 11:11 -0500, Daniel J Walsh wrote:
> Has this machine been labeled or booted with selinux=0? You need to
> relabel the system.
>
> touch /.autorelabel
> reboot
* Re: FC3, Apache and CGI web app
From: Colin Walters @ 2005-02-03 3:01 UTC
To: selinux

Scott Cain wrote:
> Hello,
>
> I am one of the authors of a web application that is widely used in my
> community, GBrowse ( http://www.gmod.org/ggb/ ). We've started
> receiving bug reports from users who are trying to install and run it on
> Fedora Core 3 systems with SELinux installed and enabled with the
> default values from the distribution.
>
> To do some testing, I've installed FC3 and GBrowse and run into the same
> problems. The only way I've been able to get GBrowse to run is to
> disable SELinux. There are a few reasons I'd rather not tell my users
> to do that, so I am looking for a way to leave SELinux enabled and still
> run GBrowse. The first thing I tried was to set httpd_disable_trans=1
> (which the GUI calls "Disable SELinux protection for httpd daemon"), but
> that doesn't help. Are there any parameters that I can add
> to /etc/selinux/targeted/booleans to allow GBrowse to work?

And did you restart Apache with "service httpd restart"?

> As far as I can tell, the reason SELinux doesn't like GBrowse is that it
> is a cgi that tries to read a directory and files in the apache conf
> directory.

Yeah, the policy doesn't allow that by default. The httpd_sys_script_t
domain just tries to capture a "typical" class of scripts; but in general
it's going to either be too strong or too weak for particular CGI programs.