* Proper labeling of files under /var/www
From: Stefan Schulze Frielinghaus @ 2007-12-18 18:45 UTC (permalink / raw)
To: selinux
How do you label files under /var/www? I created a policy with the
following context
/var/www/wiki(/.*)?
gen_context(system_u:object_r:httpd_wiki_script_ro_t,s0)
Loaded the policy and relabeled /var/www but the context
of /var/www/wiki is still httpd_sys_content_t. Checked the
file /etc/selinux/targeted/contexts/files/file_contexts twice and the
entry for /var/www/wiki exists (it's under the /var/www entry). The
relabel was done via fixfiles and restorecon and even a reboot
(touch /.autorelabel).
I'm out of ideas ;-) Any suggestions?
Best regards
Stefan
PS: I'm using Fedora 7 (latest updates) with the targeted policy
(2.6.4-61.fc7)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Proper labeling of files under /var/www
From: Stephen Smalley @ 2007-12-18 18:55 UTC (permalink / raw)
To: Stefan Schulze Frielinghaus; +Cc: selinux
On Tue, 2007-12-18 at 18:45 +0000, Stefan Schulze Frielinghaus wrote:
> How do you label files under /var/www? I created a policy with the
> following context
>
> /var/www/wiki(/.*)?
> gen_context(system_u:object_r:httpd_wiki_script_ro_t,s0)
>
> Loaded the policy and relabeled /var/www but the context
> of /var/www/wiki is still httpd_sys_content_t. Checked the
> file /etc/selinux/targeted/contexts/files/file_contexts twice and the
> entry for /var/www/wiki exists (it's under the /var/www entry). The
> relabel was done via fixfiles and restorecon and even a reboot
> (touch /.autorelabel).
>
> I'm out of ideas ;-) Any suggestions?
>
> Best regards
> Stefan
>
> PS: I'm using Fedora 7 (latest updates) with the targeted policy
> (2.6.4-61.fc7)
Try restorecon -FRv /var/www
--
Stephen Smalley
National Security Agency
* Re: Proper labeling of files under /var/www
From: Stefan Schulze Frielinghaus @ 2007-12-19 10:13 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
[...]
> Try restorecon -FRv /var/www
Yeah that solved the problem. The -F option is a little bit tricky ;-)
Never expected something like that.
Thanks
Stefan
* Re: Proper labeling of files under /var/www
From: Stephen Smalley @ 2007-12-19 14:12 UTC (permalink / raw)
To: Stefan Schulze Frielinghaus
Cc: selinux, Daniel J Walsh, Christopher J. PeBenito
On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
> On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
> [...]
> > Try restorecon -FRv /var/www
>
> Yeah that solved the problem. The -F option is a little bit tricky ;-)
> Never expected something like that.
/etc/selinux/targeted/contexts/customizable_types was created to allow
programs like restorecon to omit files with certain types from being
relabeled by default, so that admin customizations wouldn't be lost.
The httpd-related types are a common case of this, where the admin wants
to manually manage the type under the web root and not have them
clobbered. As to whether it still makes sense when we have semanage
fcontext, I'm not sure.
--
Stephen Smalley
National Security Agency
* Re: Proper labeling of files under /var/www
From: Daniel J Walsh @ 2007-12-19 15:05 UTC (permalink / raw)
To: Stephen Smalley
Cc: Stefan Schulze Frielinghaus, selinux, Christopher J. PeBenito
Stephen Smalley wrote:
> On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
>> On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
>> [...]
>>> Try restorecon -FRv /var/www
>> Yeah that solved the problem. The -F option is a little bit tricky ;-)
>> Never expected something like that.
>
> /etc/selinux/targeted/contexts/customizable_types was created to allow
> programs like restorecon to omit files with certain types from being
> relabeled by default, so that admin customizations wouldn't be lost.
> The httpd-related types are a common case of this, where the admin wants
> to manually manage the type under the web root and not have them
> clobbered. As to whether it still makes sense when we have semanage
> fcontext, I'm not sure.
>
Yes I would like to remove it, it is more trouble than it is worth at
this point. semanage is the way things should be customized. We
should remove it from Fedora 9 and going forward.
Added munin cgi definitions to rawhide, but update does not fix them since
they were already labeled httpd_sys_content_t.
* Re: Proper labeling of files under /var/www
From: Stephen Smalley @ 2007-12-19 15:29 UTC (permalink / raw)
To: Daniel J Walsh
Cc: Stefan Schulze Frielinghaus, selinux, Christopher J. PeBenito
On Wed, 2007-12-19 at 10:05 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
> >> On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
> >> [...]
> >>> Try restorecon -FRv /var/www
> >> Yeah that solved the problem. The -F option is a little bit tricky ;-)
> >> Never expected something like that.
> >
> > /etc/selinux/targeted/contexts/customizable_types was created to allow
> > programs like restorecon to omit files with certain types from being
> > relabeled by default, so that admin customizations wouldn't be lost.
> > The httpd-related types are a common case of this, where the admin wants
> > to manually manage the type under the web root and not have them
> > clobbered. As to whether it still makes sense when we have semanage
> > fcontext, I'm not sure.
> >
> Yes I would like to remove it, it is more trouble than it is worth at
> this point. semanage is the way things should be customized. We
> should remove it from Fedora 9 and going forward.
>
> Added munin cgi definitions to rawhide, but update does not fix them since
> they were already labeled httpd_sys_content_t.
So just ship an empty customizable_types file, and restorecon/setfiles
will relabel everything (aside from what is excluded via <<none>>).
--
Stephen Smalley
National Security Agency
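The two points Stephen makes above (restorecon leaves a file alone when its current type is listed in customizable_types unless -F is given, and shipping an empty customizable_types means everything gets relabeled except what is excluded via <<none>>), as an added example that is not code from the thread or from the SELinux tools: a POSIX sh model of that per-file decision over constructed file_contexts and customizable_types excerpts. The longest-matching-regex rule is a simplification of libselinux's ordering, and the munin CGI path, the tmp file and all types other than the ones quoted in the thread are assumptions.

```shell
# Added example, not from the thread: models the per-file decision that
# restorecon/setfiles make. The expected type comes from file_contexts; a
# file whose CURRENT type is listed in customizable_types is skipped unless
# -F (force) is given. All inputs below are constructed excerpts.

# Constructed file_contexts excerpt: "<ERE regex> <type>" (contexts shortened
# to the type field). The wiki line is the user's own entry from the thread.
FILE_CONTEXTS='/var/www(/.*)? httpd_sys_content_t
/var/www/cgi-bin(/.*)? httpd_sys_script_exec_t
/var/www/wiki(/.*)? httpd_wiki_script_ro_t'

# Constructed /etc/selinux/targeted/contexts/customizable_types. Setting this
# to the empty string models the "ship an empty file" proposal: nothing is
# skipped any more, only paths with no matching entry are left alone.
CUSTOMIZABLE_TYPES='httpd_sys_content_t
httpd_sys_script_exec_t'

# expected_type PATH: type of the longest matching regex. Simplification of
# libselinux, which orders entries by stem length and regex specificity.
expected_type() {
    printf '%s\n' "$FILE_CONTEXTS" | while read -r regex type; do
        if printf '%s\n' "$1" | grep -Eqx -- "$regex"; then
            printf '%d %s\n' "${#regex}" "$type"
        fi
    done | sort -n | tail -n 1 | cut -d' ' -f2
}

# restorecon_decision PATH CURRENT_TYPE FORCE: FORCE=1 corresponds to -F.
restorecon_decision() {
    path=$1; cur=$2; force=$3
    want=$(expected_type "$path")
    if [ -z "$want" ]; then
        printf 'no entry, left alone: %s\n' "$path"
    elif [ "$want" = "$cur" ]; then
        printf 'unchanged: %s\n' "$path"
    elif [ "$force" -eq 0 ] &&
         printf '%s\n' "$CUSTOMIZABLE_TYPES" | grep -qx -- "$cur"; then
        printf 'skipped (customizable %s): %s\n' "$cur" "$path"
    else
        printf 'relabel %s -> %s: %s\n' "$cur" "$want" "$path"
    fi
}

# Demo: the thread's situation, first without -F (FORCE=0), then with it.
for force in 0 1; do
    echo "== restorecon -Rv /var/www, FORCE=$force =="
    restorecon_decision /var/www/wiki httpd_sys_content_t "$force"
    restorecon_decision /var/www/cgi-bin/munin-cgi-graph httpd_sys_content_t "$force"
    restorecon_decision /var/www/tmp/cache.dat user_tmp_t "$force"
done
```

The first pass reproduces the thread's symptom: /var/www/wiki keeps httpd_sys_content_t because that type is customizable, while the tmp file is relabeled anyway since user_tmp_t is not in the list.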
* Re: Proper labeling of files under /var/www
From: Stefan Schulze Frielinghaus @ 2007-12-20 8:43 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, Daniel J Walsh, Christopher J. PeBenito
On Wed, 2007-12-19 at 09:12 -0500, Stephen Smalley wrote:
> On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
> > On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
> > [...]
> > > Try restorecon -FRv /var/www
> >
> > Yeah that solved the problem. The -F option is a little bit tricky ;-)
> > Never expected something like that.
>
> /etc/selinux/targeted/contexts/customizable_types was created to allow
> programs like restorecon to omit files with certain types from being
> relabeled by default, so that admin customizations wouldn't be lost.
> The httpd-related types are a common case of this, where the admin wants
> to manually manage the type under the web root and not have them
> clobbered. As to whether it still makes sense when we have semanage
> fcontext, I'm not sure.
I think at least from a user point of view it is misleading. I just
wanted to create a policy for some CGI/PHP webserver stuff which I could
roll out to my clients. And if a client runs into some trouble, gets
some AVC messages etc., he just uses "fixfiles relabel" or even
"touch /.autorelabel && reboot". I think that's the normal behavior of a
non-SELinux hacker.
So in the end removing it (or just ship an empty customizable_types file
like you pointed out) would be a good thing.