* htpasswd file outside of standard Apache location
From: Paul Menzel @ 2011-06-29 16:57 UTC (permalink / raw)
  To: selinux


Dear SELinux folks,


I am running Debian Squeeze with SELinux and Apache.

In Apache I configured a secured section using `AuthType Basic` with
`AuthUserFile /srv/site.htpasswd`. It works when the state of the system
is permissive. When in enforcing state the following error is logged.

        type=AVC msg=audit(1308090063.174:17742): avc:  denied  { getattr } for  pid=1412 comm="apache2" path="/srv/www/www.example.net/foo/bar.tar.gz" dev=xvda ino=425775 scontext=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
        type=SYSCALL msg=audit(1308090063.174:17742): arch=c000003e syscall=6 success=no exit=-13 a0=7f9da985eb38 a1=7fff8da1e6f0 a2=7fff8da1e6f0 a3=1 items=0 ppid=29237 pid=1412 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" subj=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)

Is there a recommended location for these password files or a
recommended way to set policies? Not being sure of the correct
search term for this I found plenty of sites regarding SELinux and
Apache but nothing related to my problem in the results. If you could
point me to some specific documentation that would be great too.


Thanks,

Paul



* Re: htpasswd file outside of standard Apache location
From: Dominick Grift @ 2011-06-29 17:15 UTC (permalink / raw)
  To: Paul Menzel; +Cc: selinux




On Wed, 2011-06-29 at 18:57 +0200, Paul Menzel wrote:
> Dear SELinux folks,
> 
> 
> I am running Debian Squeeze with SELinux and Apache.
> 
> In Apache I configured a secured section using `AuthType Basic` with
> `AuthUserFile /srv/site.htpasswd`. It works when the state of the system
> is permissive. When in enforcing state the following error is logged.
> 
>         type=AVC msg=audit(1308090063.174:17742): avc:  denied  { getattr } for  pid=1412 comm="apache2" path="/srv/www/www.example.net/foo/bar.tar.gz" dev=xvda ino=425775 scontext=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>         type=SYSCALL msg=audit(1308090063.174:17742): arch=c000003e syscall=6 success=no exit=-13 a0=7f9da985eb38 a1=7fff8da1e6f0 a2=7fff8da1e6f0 a3=1 items=0 ppid=29237 pid=1412 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" subj=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
> 
> Is there a recommended location for these password files or a
> recommended way to set policies? Not being sure of the correct
> search term for this I found plenty of sites regarding SELinux and
> Apache but nothing related to my problem in the results. If you could
> point me to some specific documentation that would be great too.
> 
> 
> Thanks,
> 
> Paul

If you are using a different location for your web server then it is
best to clone the web server locations file contexts.

In Fedora the semanage command has a handy option to do this very
easily:

     # semanage fcontext -a -e /var/www /srv/www
     # restorecon -R -v /srv/www

This will clone all the file context specifications for /var/www and its
children to apply for /srv/www as well.

If Debian does not support this option then you would do it manually.

1. to list the file context specs for /var/www and its children:

 # semanage fcontext -l | grep /var/www

2. an example of how you would add a file context spec for /var/www:

 # semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
 # restorecon -R -v /srv/www

(This is just one example)

The issue is that objects are labelled with contexts which include types
which are used for type enforcement. Each type has a set of properties
that matches the characteristics of the object in relation to the
subjects that need to interact with it.

So it is important that each object gets the proper context.




* context of files not adapted to new directory when moved (was: htpasswd file outside of standard Apache location)
From: Paul Menzel @ 2011-06-29 23:01 UTC (permalink / raw)
  To: selinux


On Wednesday, 29 June 2011 at 19:15 +0200, Dominick Grift wrote:
> On Wed, 2011-06-29 at 18:57 +0200, Paul Menzel wrote:

> > I am running Debian Squeeze with SELinux and Apache.
> > 
> > In Apache I configured a secured section using `AuthType Basic` with
> > `AuthUserFile /srv/site.htpasswd`. It works when the state of the system
> > is permissive. When in enforcing state the following error is logged.
> > 
> >         type=AVC msg=audit(1308090063.174:17742): avc:  denied  { getattr } for  pid=1412 comm="apache2" path="/srv/www/www.example.net/foo/bar.tar.gz" dev=xvda ino=425775 scontext=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> >         type=SYSCALL msg=audit(1308090063.174:17742): arch=c000003e syscall=6 success=no exit=-13 a0=7f9da985eb38 a1=7fff8da1e6f0 a2=7fff8da1e6f0 a3=1 items=0 ppid=29237 pid=1412 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" subj=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
> > 
> > Is there a recommended location for these password files or a
> > recommended way to set policies? Not being sure of the correct
> > search term for this I found plenty of sites regarding SELinux and
> > Apache but nothing related to my problem in the results. If you could
> > point me to some specific documentation that would be great too.

> If you are using a different location for your web server then it is
> best to clone the web server locations file contexts.

Understood. This is off-topic, but do password files belong to the Web
server configuration and should be stored in `/etc/apache2/`? You could
argue passwords belong to the Web site and when you move it you should
easily move the passwords with you. On the other hand the secured
directories are also listed in the Web server configuration file under
`/etc/apache2/` and therefore you cannot move the site without moving or
duplicating the Web server configuration files either.

> In Fedora the semanage command has a handy option to do this very
> easily:
> 
>      # semanage fcontext -a -e /var/www /srv/www
>      # restorecon -R -v /srv/www
> 
> This will clone all the file context specifications for /var/www and its
> children to apply for /srv/www as well.
> 
> If Debian does not support this option then you would do it manually.

`semanage` is also included in Debian.

> 1. to list the file context specs for /var/www and its children:
> 
>  # semanage fcontext -l | grep /var/www

Thank you for this hint. Using it I could figure out that it already
includes the following policies(?).

        $ sudo semanage fcontext -l | less
        […]
        /srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
        […]
        /var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
        […]

Also the password file seemed to have the correct contexts(?).

        $ ls -Z /srv/site.htpasswd
        system_u:object_r:httpd_sys_content_t /srv/site.htpasswd

> 2. an example of how you would add a file context spec for /var/www:
> 
>  # semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
>  # restorecon -R -v /srv/www
> 
> (This is just one example)

Then looking at the file to be served in question I found out that it
had the wrong context.

        $ ls -Z /srv/www/site/restricted/*
        unconfined_u:object_r:user_home_t /srv/www/site/restricted/bar.tar.gz
        $ sudo restorecon -v /srv/www/site/restricted/bar.tar.gz
        […]
        $ ls -Z /srv/www/site/restricted/*
        system_u:object_r:httpd_sys_content_t /srv/www/site/restricted/bar.tar.gz

That solved my problem. The reason seems to be that I had that file
first in my home directory and then used

        sudo mv ~/bar.tar.gz /srv/www/…

to move it to the Web site directory. `mv` seems to preserve the old
SELinux contexts and I have to relabel it afterward. Is there a way to
make the relabel step obsolete?

> The issue is that objects are labelled with contexts which include types
> which are used for type enforcement. Each type has a set of properties
> that matches the characteristics of the object in relation to the
> subjects that need to interact with it.
> 
> So it is important that each object gets the proper context.

Thank you very much for your detailed explanation and writing down the
commands. That helped me a lot.


Thanks,

Paul


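The procedure Dominick describes (list the specs, add one if missing, run restorecon) and the lookup Paul then did by hand both rest on how a path is resolved to its expected type from the file_contexts specs. The script below is an added example, not code from the thread or from the SELinux project: it emulates that resolution with fixed inline data so that a tree can be audited for stale labels before restorecon is run. The two httpd spec lines are the ones Paul listed; the `/.*`, `/home/...` and `/srv(/.*)?` lines are simplified stand-ins (assumptions, not copied from a real policy) for the generic default, the home-directory spec and the refpolicy /srv spec. The equivalence table models what `semanage fcontext -a -e /var/www /srv/www` records, which in practice is a path substitution consulted before the spec match rather than a copy of the specs; the "last matching spec wins" rule mirrors libselinux ordering. The listing lines are constructed: the first reproduces the tarball Paul moved out of his home directory, the second his htpasswd file with the label he observed. Helper names (`fc_substitute`, `fc_lookup`, `fc_audit`) are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread). Emulates, with fixed inline data,
# how a path is resolved to its expected SELinux type so that a tree can be
# audited for stale labels without running restorecon blind.
#
# CONSTRUCTED spec table in the order libselinux consults it; format per line:
# "<regex anchored at both ends> <type>". The two httpd lines are the ones
# Paul listed; the other three are simplified stand-ins (assumption) for the
# generic default, the home-directory spec and the refpolicy /srv spec.
FC_SPECS='
/.* default_t
/home/[^/]+/.* user_home_t
/srv(/.*)? var_t
/srv/([^/]*/)?www(/.*)? httpd_sys_content_t
/var/www(/.*)? httpd_sys_content_t
'

# Path equivalences of the kind "semanage fcontext -a -e /var/www /srv/www"
# records: a path under the left prefix is looked up as if under the right.
# Constructed for the example; on Debian the /srv spec above already covers it.
FC_SUBS='
/srv/www /var/www
'

# fc_substitute PATH: prints PATH with the first matching equivalence applied.
fc_substitute() {
    p=$1
    out=$(printf '%s\n' "$FC_SUBS" | while read -r alias real; do
        [ -n "$alias" ] || continue
        case "$p" in
            "$alias"|"$alias"/*) printf '%s\n' "${real}${p#"$alias"}"; break ;;
        esac
    done)
    printf '%s\n' "${out:-$p}"
}

# fc_lookup PATH: prints the type of the LAST spec whose regex matches the
# whole path (later, more specific specs override earlier ones), or nothing.
fc_lookup() {
    p=$1
    printf '%s\n' "$FC_SPECS" | while read -r re type; do
        [ -n "$re" ] || continue
        if printf '%s\n' "$p" | grep -Eq "^${re}\$"; then
            printf '%s\n' "$type"
        fi
    done | tail -n 1
}

# CONSTRUCTED "ls -Z"-style listing (context, then path). The first line
# reproduces what Paul saw: the tarball moved out of ~ still carries
# user_home_t; the second is his htpasswd file with the label he observed.
LISTING='
unconfined_u:object_r:user_home_t /srv/www/site/restricted/bar.tar.gz
system_u:object_r:httpd_sys_content_t /srv/site.htpasswd
system_u:object_r:httpd_sys_content_t /srv/www/site/index.html
'

# fc_audit: prints "<path> <current type> -> <expected type>" per mismatch.
# Every line it prints is a file that restorecon would relabel.
fc_audit() {
    printf '%s\n' "$LISTING" | while read -r ctx path; do
        [ -n "$path" ] || continue
        cur=$(printf '%s\n' "$ctx" | cut -d: -f3)
        exp=$(fc_lookup "$(fc_substitute "$path")")
        [ "$cur" = "$exp" ] || printf '%s %s -> %s\n' "$path" "$cur" "$exp"
    done
}

fc_audit
```

The audit reports two files. The tarball is the one from the AVC denial, and restorecon fixes it because a spec already covers /srv/www. The second finding is the caveat a practitioner wants: `/srv/site.htpasswd` is outside every httpd spec, so its httpd_sys_content_t label is not persistent and a full relabel (`restorecon -R /srv`, or a `touch /.autorelabel` reboot) would reset it to the /srv default and break authentication again. Pin it in the same way Dominick's step 2 does, `semanage fcontext -a -t httpd_sys_content_t /srv/site.htpasswd` followed by `restorecon -v /srv/site.htpasswd`, or keep the file somewhere an existing spec covers. On a real host, replace the two inline tables with `semanage fcontext -l` output and `matchpathcon`/`restorecon -n -v` do the same comparison natively.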

* Re: context of files not adapted to new directory when moved (was: htpasswd file outside of standard Apache location)
From: Stephen Smalley @ 2011-07-01 13:46 UTC (permalink / raw)
  To: Paul Menzel; +Cc: selinux

On Thu, 2011-06-30 at 01:01 +0200, Paul Menzel wrote:
> That solved my problem. The reason seems to be that I had that file
> first in my home directory and then used
> 
>         sudo mv ~/bar.tar.gz /srv/www/…
> 
> to move it to the Web site directory. `mv` seems to preserve the old
> SELinux contexts and I have to relabel it afterward. Is there a way to
> make the relabel step obsolete?

The semantics of mv are that it preserves the attributes of the original
file.  In the case where the source and destination are within the same
filesystem, mv uses rename(2) and thus the file (inode) doesn't change
at all, so you wouldn't expect any of the attributes to change.

If you had instead used cp, then the attributes would not have been
preserved by default (unless you used the appropriate options), and the
new file that was created would have been labeled in accordance with the
parent directory.

Some versions of install are instrumented to explicitly look up the
SELinux context from the file_contexts configuration and set the label
on the newly installed file accordingly.  Package managers like rpm and
dpkg are likewise instrumented.

-- 
Stephen Smalley
National Security Agency



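Stephen's explanation turns on one mechanism: within a filesystem `mv` is a `rename(2)`, so the inode and every attribute hanging off it, the SELinux label included, survive the move, whereas `cp` allocates a new inode that is labelled afresh. The script below is an added example, not code from the thread, that makes that difference observable on any POSIX system by comparing inode numbers (the label itself is only visible with `ls -Z` on an SELinux host). The `relabel_mv` wrapper is this example's own answer to Paul's question and is an assumption, not a standard tool: it moves, then relabels from file_contexts when the SELinux tooling is present, and degrades to a plain `mv` elsewhere.

```shell
#!/bin/sh
# Added example (not code from the thread). Demonstrates the mechanism Stephen
# describes: within one filesystem mv is a rename(2), so the inode and every
# attribute on it, SELinux label included, survive; cp creates a new inode
# that receives a fresh label. Runs on any POSIX system; the label itself is
# only visible on an SELinux host (ls -Z), so the checks compare inode numbers.

# inode_of PATH: prints the inode number (POSIX ls -i, portable across GNU/BSD).
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# mv_keeps_inode: true if mv within one directory preserves the inode, which is
# exactly why the moved tarball kept its user_home_t label.
mv_keeps_inode() {
    d=$(mktemp -d) || return 2
    printf 'secret\n' > "$d/src"
    before=$(inode_of "$d/src")
    mv "$d/src" "$d/dst"
    after=$(inode_of "$d/dst")
    rm -rf "$d"
    [ "$before" = "$after" ]
}

# cp_makes_new_inode: true if cp produces a distinct inode from its source; on
# an SELinux host that new inode is labelled from the destination directory.
cp_makes_new_inode() {
    d=$(mktemp -d) || return 2
    printf 'secret\n' > "$d/src"
    cp "$d/src" "$d/dst"
    s=$(inode_of "$d/src")
    t=$(inode_of "$d/dst")
    rm -rf "$d"
    [ "$s" != "$t" ]
}

# relabel_mv SRC DST: hypothetical helper (not a standard tool). Moves, then
# relabels DST from the file_contexts specs when SELinux tooling is present;
# on a host without SELinux it is a plain mv.
relabel_mv() {
    mv "$1" "$2" || return $?
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null \
        && command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$2"
    fi
}
```

Two checks worth keeping in mind: a `mv` across filesystems is a copy plus unlink, so there the new inode is labelled like a `cp` would be, and the wrapper's `restorecon` only helps if a spec covers the destination (see the htpasswd caveat above). Newer coreutils also ship `mv -Z`, `cp -Z` and `install -Z`, which set the destination's context to the default type for its path; confirm with `mv --help` on the target, since the coreutils in Debian Squeeze predate that option (an assumption about the version, not something the thread states).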
