Hello again,
I am testing the feasibility of enabling SELinux on the system to
which we are migrating some very, very old HP-UX accounts (this has
been the subject of my last five questions, I believe...)
When I first copied some test users' home directories (tar over SSH),
I was in permissive mode and didn't pay too much attention to the
SELinux contexts, but the files were all brought over with
system_u:object_r:default_t (and if any had some other context, I have
since relabeled them to the default and lost the original).
When I enabled enforcing, Apache's ability to serve from ~/public_html was gone.
The path of the home directories is /hostname/group/username. I set
system_u:object_r:user_home_t recursively on the whole
/hostname/group/username tree so that it looks like this:
#ls -alFZ
drwxr-xr-x root root system_u:object_r:user_home_t /hostname
The context of each user's public_html folder is manually set to
system_u:object_r:httpd_sys_content_t
The full SEalert looks thus:
Summary:
SELinux is preventing the httpd from using potentially mislabeled files
(./condor).
Detailed Description:
SELinux has denied httpd access to potentially mislabeled file(s) (./hostname).
This means that SELinux will not allow httpd to use these files. It is common
for users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.
Allowing Access:
If you want httpd to access this files, you need to relabel them using
restorecon -v './hostname'. You might want to relabel the entire directory using
restorecon -R -v './hostname'.
Additional Information:
Source Context system_u:system_r:httpd_t
Target Context system_u:object_r:user_home_t
Target Objects ./hostname [ dir ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host host.domain.tld
Source RPM Packages httpd-2.2.3-22.el5_3.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name host.domain.tld
Platform Linux host.domain.tld 2.6.18-128.1.14.el5
#1 SMP Mon Jun 1 15:52:58 EDT 2009 x86_64 x86_64
Alert Count 1
First Seen Fri Jul 10 18:18:01 2009
Last Seen Fri Jul 10 18:18:01 2009
Local ID e6f2f830-870a-4721-a378-f4e359b0391c
Line Numbers
Raw Audit Messages
host=host.domain.tld type=AVC msg=audit(1247267881.627:646): avc:
denied { search } for pid=2384 comm="httpd" name="hostname" dev=dm-0
ino=2156353 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=dir
host=host.domain.tld type=SYSCALL msg=audit(1247267881.627:646):
arch=c000003e syscall=4 success=no exit=-13 a0=2b6c575a60b0
a1=7fff6cd14620 a2=7fff6cd14620 a3=0 items=0 ppid=2339 pid=2384
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
Is the problem that apache cannot traverse the entire home directory path?
Should the path above a home directory have some other context label?
I am hesitant to relabel because I think it wants to change everything
back to the default labelling, and is not recognizing that
/hostname/group/username are home directories. Is there a file I need
to set for SELinux to recognize the differing location of home
directories?
Thanks!
-Eugene
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
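The AVC in the post is a { search } denial by httpd_t on the directory /hostname, which carries user_home_t. Under the targeted policy the directory that holds home directories is labelled home_root_t and each home directory user_home_dir_t (user_home_t is for the contents); those are the types httpd_t is allowed to search once httpd_enable_homedirs is on, so a user_home_t label on the path above the homes blocks traversal. Because restorecon relabels from the policy's file_contexts, the fix is to teach the policy about the non-standard home root with semanage fcontext rather than hand-setting contexts that the next relabel undoes. The script below is an added example written for this edit, not code from the original post or the rhelv5-list thread. It assumes an RHEL5 targeted policy in which ~/public_html is httpd_user_content_t (check with matchpathcon /home/someuser/public_html on the target host), it chooses to label /hostname as well as /hostname/group as home_root_t so that both levels above the homes are searchable, and all user names and paths in it are constructed for illustration.

```shell
#!/bin/bash
# Added example (editor's code, not from the original post): check and repair
# SELinux file contexts for home directories kept under /hostname/group/<user>
# instead of /home, so that httpd_t can traverse the path to ~/public_html.
#
# Assumptions to verify on the target host: RHEL5 targeted policy, where the
# standard labels are home_root_t for the directory that holds the homes,
# user_home_dir_t for each home directory, user_home_t for its contents and
# httpd_user_content_t for ~/public_html (compare the output of
# "matchpathcon /home/someuser/public_html"). Labelling /hostname as
# home_root_t too is a choice made here so confined domains can search both
# levels above the homes. All paths and user names below are constructed.

HOME_ROOT="/hostname/group"      # directory that contains the home directories
TOP="${HOME_ROOT%/*}"            # /hostname: the level above it

# expected_type PATH: print the type the home tree should carry at PATH,
# mirroring what the policy gives /home, /home/<user> and /home/<user>/...
expected_type() {
    local p="${1%/}"                     # tolerate a trailing slash
    if [ "$p" = "$TOP" ] || [ "$p" = "$HOME_ROOT" ]; then
        echo home_root_t
        return 0
    fi
    case "$p" in
        "$HOME_ROOT"/*) ;;
        *) echo unmanaged; return 0 ;;   # outside the home tree: not ours
    esac
    local rel="${p#$HOME_ROOT/}"         # user[/sub/path]
    local user="${rel%%/*}"
    local sub="${rel#$user}"             # "" for the home dir itself, else /sub/path
    if [ -z "$sub" ]; then
        echo user_home_dir_t
    elif [ "$sub" = /public_html ] || [ "${sub#/public_html/}" != "$sub" ]; then
        echo httpd_user_content_t
    else
        echo user_home_t
    fi
}

# fcontext_rules: persistent rules (written to file_contexts.local) that make
# restorecon produce the labels above. libselinux uses the last matching
# entry, so the catch-all rule for home contents is listed before the more
# specific public_html rule.
fcontext_rules() {
    cat <<EOF
semanage fcontext -a -t home_root_t "$TOP"
semanage fcontext -a -t home_root_t "$HOME_ROOT"
semanage fcontext -a -t user_home_dir_t "$HOME_ROOT/[^/]+"
semanage fcontext -a -t user_home_t "$HOME_ROOT/[^/]+/.+"
semanage fcontext -a -t httpd_user_content_t "$HOME_ROOT/[^/]+/public_html(/.+)?"
EOF
}

# apply: register the rules, let httpd into home directories, relabel the
# tree, then list anything still mismatched (restorecon -n changes nothing).
apply() {
    fcontext_rules | sh -e
    setsebool -P httpd_enable_homedirs on
    restorecon -Rv "$TOP"
    echo "--- remaining mismatches (empty output is good) ---"
    restorecon -Rnv "$TOP"
}

# Dry run by default: show the expected labels and the semanage commands.
# Running the script as root with --apply performs the change.
for p in "$TOP" "$HOME_ROOT" "$HOME_ROOT/alice" "$HOME_ROOT/alice/.bashrc" \
         "$HOME_ROOT/alice/public_html" "$HOME_ROOT/alice/public_html/index.html"; do
    printf '%-45s %s\n' "$p" "$(expected_type "$p")"
done
echo
fcontext_rules
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

The patterns the policy generated for the standard home root can be inspected in /etc/selinux/targeted/contexts/files/file_contexts.homedirs, and the rules this script adds land in file_contexts.local in the same directory; after applying, ls -dZ /hostname /hostname/group /hostname/group/alice should show home_root_t, home_root_t and user_home_dir_t, and the search denial on /hostname should no longer appear in the audit log.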