* Selinux and Apache in chroot question....
From: fred.schnittke @ 2010-05-07 20:25 UTC (permalink / raw)
To: SELinux
Hi:
Not sure if this is the right place to post a question like this, but I'll
give it a shot.
I've been following the "Guide to the Secure Configuration of Red Hat
Enterprise Linux 5" (which has been a great resource) in setting up our
new server. However, I ran into problems chrooting Apache, PHP and MySQL.
So it was suggested to remove the applications and compile from source.
After that was done, I moved the three applications to my chroot, and with
a bit of effort, it all works. The only thing is, I don't think SELinux is
monitoring any of the files in the chroot. For instance, it still thinks
the web directory is in /var/www/ instead of /chroot/httpd/usr/local/www.
When I run the following command:
ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' |
awk '{ print $NF }'
I get this output:
mysqld
httpd
httpd
httpd
httpd
httpd
httpd
httpd
httpd
So my question is:
Is there a (an easy) way to confine these daemons?
Regards,
Fred Schnittke MCSE, MCP,
Network Engineer
VETERINARY PURCHASING company limited
* Re: Selinux and Apache in chroot question....
From: Dominick Grift @ 2010-05-08 7:59 UTC (permalink / raw)
To: SELinux

On Fri, May 07, 2010 at 04:25:35PM -0400, fred.schnittke@vpcl.on.ca wrote:
> After that was done, I moved the three applications to my chroot, and with
> a bit of effort, it all works. The only thing is, I don't think SELINUX is
> monitoring any of the files in the chroot. For instance, it still thinks
> the web directory is in /var/www/ instead of /chroot/httpd/usr/local/www.
>
> When I run the following command:
>
> ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' |
> awk '{ print $NF }'

SELinux is much about the labeling of objects. File context specifications specify what label to assign to what object in what location. By chrooting Apache and MySQL, you change the location of their objects, which in this case SELinux does not seem to be aware of. The only objects that remain in place are the services' init scripts. When init runs an init script, the init domain transitions to the init script domain. The init script domain would usually transition to the service domain, if the service domain's executable file is properly labeled. The init script domain is unrestricted and unprotected.

So what is happening is the following. You have moved objects owned by Apache and MySQL to a new mount point called /chroot. The command

semanage fcontext -l | grep /chroot

tells us that there is currently no context specified for this location. Thus the location would be labeled either default_t or root_t. You start the service, init transitions to the unconfined init script domain initrc_t, and initrc_t (the init script) executes the Apache/MySQL executable file, which is somewhere in /chroot and labeled with a generic type for unspecified locations. Thus initrc_t does not domain transition to the Apache/MySQL domain as it would usually do if the Apache/MySQL executable files were labeled properly. So you end up with chrooted services, but you have lost SELinux protection.

To solve this issue you must change the labeling to reflect their usual location. You can list the contexts of the various objects using semanage fcontext -l and use similar commands to add, modify and delete file context entries.

> So my question is:
>
> Is there a (an easy) way to confine these daemons?
* Re: Selinux and Apache in chroot question....
From: fred.schnittke @ 2010-05-10 13:35 UTC (permalink / raw)
To: SELinux

Thanks Dominick:

So do I have to go through and see what the file context(s) were for the files in the old locations, then manually make the corresponding files in the chroot the same? I don't suppose doing a relabel of the entire OS would help me out?

Thanks....

Regards,

Fred Schnittke MCSE, MCP,
Network Engineer
VETERINARY PURCHASING company limited

Dominick Grift <domg472@gmail.com> wrote on 05/08/2010 03:59 AM:
> So you end up with chrooted services but you lost selinux protection.
> To solve this issue you must change the labeling to reflect their usual
> location. You can list contexts of the various object using semanage
> fcontext -l and use similar command to add, modify, delete file context
> entries.
* Re: Selinux and Apache in chroot question....
From: fred.schnittke @ 2010-05-11 18:57 UTC (permalink / raw)
To: SELinux

Hi:

Mr. Walsh and Mr. Grift have replied to some of my earlier questions regarding SELinux and Apache on a RedHat server, thank you very much. However, I'm still not able to get things up and running. Here's a little history on what I've been trying to do:

I've been following the documentation in the NSA's "Guide to the Secure Configuration of Red Hat Enterprise Linux 5". There they do mention that you should chroot Apache. We are also using MySQL and PHP and their documentation does not mention anything about chrooting MySQL, and to be honest, I just could not get the RedHat pre-compiled version of MySQL to chroot and work with the chroot'd Apache. So I took it upon myself to remove the pre-compiled RPM packages for Apache, MySQL, and PHP, in favor of downloading and compiling those packages myself and running them in the chroots.

That worked out OK, but now to enable SELinux (and I did try your recommendations, Daniel) it seems you have to go through each of the directories, sub-directories and files in the chroots, and set the context to match that of those in a typical RedHat install:

drwxr-xr-x root root system_u:object_r:device_t:s0 /chroot/dev
drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/etc
drwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib
drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/tmp
drwxr-xr-x root root system_u:object_r:usr_t:s0 /chroot/usr
drwxr-xr-x root root system_u:object_r:var_t:s0 /chroot/var

and the list goes on.....

I did that for every file, directory, etc., using chcon, then added the contexts to SELinux with semanage.

That's fine and dandy. But now when the server reboots Apache doesn't start. I can start it manually by running "service httpd start" (which is a modified file for the chroot environment), but it runs httpd unconfined. So I fooled around with "run_init /etc/init.d/httpd start", but that asks me for my password, then gives me an error message:

usr/local/www/bin/httpd: error while loading shared libraries: libssl.so.6: cannot open shared object file: Permission denied

So, has anyone actually run Apache, MySQL, and PHP in chrooted jails in conjunction with SELinux?

I thought I was just following the recommendations in the NSA guide, but man it sure is tough.....

Thanks,

Fred Schnittke
* Re: Selinux and Apache in chroot question....
From: Daniel J Walsh @ 2010-05-11 20:54 UTC (permalink / raw)
To: fred.schnittke; +Cc: SELinux

On 05/11/2010 02:57 PM, fred.schnittke@vpcl.on.ca wrote:
> That worked out ok, but now to enable SELinux (and I did try your
> recommendations Daniel). it seems you have to go through each of the
> directories, sub-directories and files in the chroots, and set the context
> to match that of those in a typical RedHat install:
>
> drwxr-xr-x root root system_u:object_r:device_t:s0 /chroot/dev
> drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/etc
> drwxr-xr-x root root system_u:object_r:lib_t:s0 /chroot/lib
> drwxr-xr-x root root system_u:object_r:tmp_t:s0 /chroot/tmp
> drwxr-xr-x root root system_u:object_r:usr_t:s0 /chroot/usr
> drwxr-xr-x root root system_u:object_r:var_t:s0 /chroot/var
> and the list goes on.....
>
> So I fooled around with: "run_init /etc/init.d/httpd start", but that asks
> me for my password, then gives me an error message:
>
> usr/local/www/bin/httpd: error while loading shared libraries:
> libssl.so.6: cannot open shared object file: Permission denied

I think the problem is that /chroot needs to have the label root_t. Apache is not allowed to search through default_t.
* Re: Selinux and Apache in chroot question....
From: Daniel J Walsh @ 2010-05-10 14:14 UTC (permalink / raw)
To: fred.schnittke; +Cc: SELinux

On 05/07/2010 04:25 PM, fred.schnittke@vpcl.on.ca wrote:
> The only thing is, I don't think SELINUX is
> monitoring any of the files in the chroot. For instance, it still thinks
> the web directory is in /var/www/ instead of /chroot/httpd/usr/local/www.
>
> So my question is:
>
> Is there a (an easy) way to confine these daemons?

Yes, you need to make sure the labeling is correct.

semanage fcontext -a -t httpd_exec_t PATHINCHROOT/httpd
semanage fcontext -a -t mysqld_exec_t PATHINCHROOT/mysqld

You also need to do this for the data in the chroot.

semanage fcontext -a -t httpd_sys_content_t PATHINCHROOTAPACHECONTENT

Once you have all the labeling of the chroot set up you can run restorecon on it to put the labels on disk.

restorecon -R -v PATHTOCHROOT
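The following script is an added example, not code posted in this thread or shipped with SELinux. It pulls together what Dominick Grift and Daniel Walsh describe above: file context rules for the chroot copies of httpd and mysqld (so that initrc_t transitions into httpd_t and mysqld_t instead of running them unconfined), a root_t entry for the chroot directory itself (Daniel's later point that httpd_t may not search a default_t directory), a lib_t entry for the copied libraries (the libssl.so.6 denial), and an awk version of the ps -eZ check from the first message. The script only prints the semanage and restorecon commands; review them and pipe them to sh as root. The layout is an assumption modelled loosely on the thread (chroot at /chroot, httpd built under /usr/local/www and mysqld under /usr/local/mysql inside it); the ps -eZ sample is constructed, not captured from a real host, and the httpd_config_t, httpd_log_t, mysqld_db_t and lib_t types are stock policy types not named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the SELinux project): generate the
# labeling commands for a chroot copy of httpd/mysqld and check which daemons
# are still stuck in initrc_t. Nothing here touches the running system.

# Assumed chroot location (override with CHROOT=/path).
CHROOT="${CHROOT:-/chroot}"

# One rule per line: "<type>  <path below the chroot, written as a file_contexts regex>".
# "/" stands for the chroot directory itself, which must be root_t, not default_t,
# or httpd_t cannot search its way into the jail.
fcontext_rules() {
    cat <<'EOF'
root_t              /
lib_t               /lib(/.*)?
httpd_exec_t        /usr/local/www/bin/httpd
httpd_config_t      /usr/local/www/conf(/.*)?
httpd_sys_content_t /usr/local/www/htdocs(/.*)?
httpd_log_t         /usr/local/www/logs(/.*)?
mysqld_exec_t       /usr/local/mysql/bin/mysqld
mysqld_db_t         /usr/local/mysql/data(/.*)?
EOF
}

# Print one "semanage fcontext -a -t" command per rule, then the restorecon that
# writes the labels to disk.  Usage: gen_semanage_cmds /chroot
gen_semanage_cmds() {
    root="$1"
    fcontext_rules | while read -r type path; do
        case "$path" in
            /) full="$root" ;;          # the chroot directory itself
            *) full="$root$path" ;;     # everything below it
        esac
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$full"
    done
    printf "restorecon -R -v '%s'\n" "$root"
}

# Read "ps -eZ" output on stdin and print, once each, the command names whose
# security context carries the initrc_t domain: daemons whose executable was
# not labeled *_exec_t, so the init script never transitioned out of initrc_t.
unconfined_from_ps() {
    awk 'NR > 1 && $1 ~ /:initrc_t(:|$)/ { print $NF }' | sort -u
}

# Constructed "ps -eZ" sample (not a real capture): one httpd worker that did
# transition to httpd_t, plus an httpd and a mysqld that stayed in initrc_t.
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    2101 ?        00:00:00 mysqld
system_u:system_r:initrc_t:s0    2150 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2160 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 2200 pts/0 00:00:00 bash
EOF
}

# Stand-alone demo: ./relabel-chroot.sh demo
if [ "${1:-}" = "demo" ]; then
    gen_semanage_cmds "$CHROOT"
    echo '# daemons still running in initrc_t (sample data):'
    sample_ps_output | unconfined_from_ps
fi
```

On a live host replace sample_ps_output with the real thing (ps -eZ | unconfined_from_ps) after the restorecon and a service restart; an empty result means every daemon left initrc_t. Because the semanage rules are regexes matched against the full path, the httpd_exec_t entry for the binary is more specific than, and therefore wins over, any broader usr_t or lib_t entry covering its parent directories.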