That did it!  I'll admit that I'm still learning a bunch about selinux.
I completely missed the --reference option.  I'll have to play more with
restrictions later, but for the time being it's working and enabled.

Thanks!

Best Regards,
-Joel


-----Original Message-----
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]]
On Behalf Of MdMonk
Sent: Friday, August 31, 2007 2:04 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec
directory


Props to Syndrowm for guiding me in figuring this out. Thanks Evan!
#####

This will change the selinux permissions on the /var/ossec directory,
to match those of the web directory. You can get more restrictive but
I'm unsure exactly which directories the web server would need access
to in the ossec dir (/var/ossec).

For this example, the web dir is /var/www, and ossec is in /var/ossec:
chcon -R --reference /var/www/ /var/ossec/

That is what worked on my FC6 box. And it worked on F7 (just confirmed).

You can get more restrictive in your modifications of the selinux
permissions if you know what dirs and files the web server needs to
access; then modify the chcon cmd as needed.

NOTE: This works for my setup, and didn't break anything (that I have
seen so far). That's not to say that it wouldn't fubar your setup.
What's the acronym? YMMV. :)

-Chuck (MdMonk)

On 8/31/07, Joel Gray <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am running into the same issue.  I tried various combinations
> including setting the type to var_log_t, httpd_log_t and others and
> changing the user to system (basically setting the enforcement as the
> httpd logs) but all to no avail.
>
> Has anyone had any luck with it?  For the time being I've turned off
> enforcement which fixes the WUI error, but I would like to get SELinux
> re-enabled.
>
> Best Regards,
> -Joel
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]]
> On Behalf Of Jeff Schroeder
> Sent: Monday, August 13, 2007 5:33 PM
> To: ossec-list
> Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec
> directory
>
>
> avc deny = SELinux problem. I'm not any SELinux guru, but you might be
> able to fix this.
>
> http://fedoraproject.org/wiki/SELinux/apache gives a few pointers.
>
> I *think* something like this will work until a proper SELinux policy
> is written for ossec:
> chcon -R -h -t httpd_unconfined_script_exec_t /path/to/ossec-wui
> chcon -R -h -t httpd_sys_content_t /var/ossec/logs
>
> If you get tired of all of this and want to disable SELinux:
> setenforce 0
>
> Try looking at what labels are on ossec and on apache:
> ps aux -Z | egrep 'httpd|ossec'
> ls -alZ /var/ossec/ /path/to/ossec-wui
>
> The -Z option shows SELinux labelling attributes. You can also use the
> avc deny messages you got to feed into the audit2allow tool to create
> a template that permits what was denied. Note that I have 0 fedora boxes
> to test this on so it is mostly from what I can read and remember.
>
> On Aug 13, 3:16 pm, Robert5156 <[EMAIL PROTECTED]> wrote:
> > I followed the instructions in the link below
> >
> > http://www.ossec.net/wiki/index.php/OSSECWUI:Install
> >
> > for installing web interface.
> >
> > I did add the web user to the ossec group and I did restart the
> > apache service.
> >
> > When I access the site "http://anyhost/ossec-wui/" I am getting the
> > error on the web page saying
> >
> > "Unable to access ossec directory"
> >
> > I also get a notification from OSSEC installed on this system saying
> > the following
> >
> > OSSEC HIDS Notification.
> > 2007 Aug 13 16:09:20
> >
> > Received From: systemname->/var/log/messages
> > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> > system."
> > Portion of the log(s):
> >
> > Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc:
> > denied  { read } for  pid=29595 comm="httpd" name="ossec" dev=dm-0
> > ino=16957254 scontext=root:system_r:httpd_t:s0
> > tcontext=root:object_r:var_t:s0 tclass=dir
> >
> >  --END OF NOTIFICATION
> >
> > Help please.
> > apache is my web user. Found by using ps -aux | grep http
> >
> > The tmp/ folder inside ossec-wui folder has the following
> > permissions
> >
> > drwxrwxrwx 2 root apache  4096 Aug 13 15:05 tmp
> >
> > The etc/group file has
> > "ossec:x:3004:apache" added
> >
> > /var/ossec is the dir which has ossec installed. The permissions for
> > ossec folder are as follows.
> >
> > dr-xr-xr-- 11 root    ossec   4096 Aug  8 11:07 ossec
> >
> > Help please. Running Fedora 6
>
>
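
Added example, not part of the original thread: a small Python parser for the "avc: denied" lines discussed above. It groups denials by source type, target type and object class, which shows the label httpd was refused and so how narrow a relabel could be. The function names and the second and third sample log lines are constructed for this illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the thread, re-joined onto one line.
# Lines 2 and 3 are constructed for this example.
SAMPLE_LOG = """\
Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc: denied  { read } for  pid=29595 comm="httpd" name="ossec" dev=dm-0 ino=16957254 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Aug 13 16:09:21 systemname kernel: audit(1187046561.100:131): avc: denied  { search getattr } for  pid=29595 comm="httpd" name="logs" dev=dm-0 ino=16957300 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
Aug 13 16:09:22 systemname sshd[412]: Accepted publickey for admin from 192.0.2.10
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    src = rec.get("scontext", "").split(":")
    tgt = rec.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in rec:
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; type enforcement and
    # `chcon -t` both work on the third field.
    rec["source_type"], rec["target_type"] = src[2], tgt[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec.get("name", "?"))
    return {k: {f: sorted(v[f]) for f in v} for k, v in groups.items()}


if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt} ({cls}): perms={info['perms']} names={info['names']}")
```
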
