Amen: a new system requires new knowledge, and that's why SELinux isn't gaining user
acceptance. That, and the fact that it's hard to use, so even admins can struggle with it.
Normal ls doesn't show the context of a file
It can be tricky to set up new labelling rules
Until recently it was really annoying to diagnose what was failing and why
Fedora 8 fixed this for me with the SEAlert applet. Now when there is an SELinux failure on
my system I can see what is wrong, and what command I should run to allow the access that was
denied. This helps a great deal. What we need now is a tool which lets you, for a specific
program, generate new SELinux rules so that you can install something and have it just work.
For example, I like to run my HTTP doc-root in /home/httpd (I'm a hold-out from RH 6). SELinux
makes this nearly impossible. I've given up on this and resorted to manually changing the
labels of files. But given how arcane this is I can see why people still resist.
Change is good when it brings worthy improvements, like security
Posted Jul 15, 2008 22:09 UTC (Tue) by dpquigl (subscriber, #52852)
/usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/home/httpd(/.*)?'
restorecon -R -v /home/httpd
That should fix your problem.
The first line tells the policy that all files under /home/httpd and the directory itself
should be labeled with httpd_sys_content_t. This will allow httpd access to it. The second
then relabels all of the files under that point so they are correct. Something to take note
of: if there is a more explicit labeling rule on a file, for instance /home/httpd/foo, the above
line won't override it. So if you have a cgi directory under that point you can do something
along the lines of
/usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t '/home/httpd/cgi/*'
and it will label everything under that with httpd_sys_script_exec_t, and everything else will match the first
rule above. I might be wrong with the syntax on the regex but you get the idea. The more
explicit the path the more authoritative it is.
If you have any more problems feel free to email the fedora-selinux list and I'm sure you will
get a quick answer to your question and a solution to whatever problem you are having.
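The precedence described in the comment above (the more explicit matching entry wins over the doc-root rule) can be checked without a live SELinux system. The block below is an added example, not code from this thread or from the SELinux project: a small Python model of file_contexts(5) matching in which the last matching entry is authoritative, which is how libselinux applies the specs and why file_contexts files are written from general to specific, with the local entries that semanage fcontext -a creates appended after the distribution's. The rules in SAMPLE_FILE_CONTEXTS are constructed; the first two mirror the two semanage commands in the thread (with the cgi regex written in the same style as the doc-root one), and the httpd_log_t line is my own addition to show the optional file-type field.

```python
"""Toy model of SELinux file_contexts matching (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in file_contexts(5) format: <regex> [<file type>] <security context>.
# Order matters: libselinux takes the LAST matching entry, so general rules go first and
# more specific ones after them. `semanage fcontext -a` appends to file_contexts.local,
# which is consulted after the distribution's file_contexts.
SAMPLE_FILE_CONTEXTS = """
# distribution policy entries would normally precede these
/home/httpd(/.*)?        system_u:object_r:httpd_sys_content_t:s0
/home/httpd/cgi(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/home/httpd/logs(/.*)?   -d  system_u:object_r:httpd_log_t:s0
"""


@dataclass
class Spec:
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # None = any type; "-" regular file, "d" directory, "l" symlink, ...
    context: str
    line: str              # original text, handy when explaining why a path got its label


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts-style lines; comments and blank lines are ignored."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("-") and len(fields[1]) == 2:
            pattern, ftype, context = fields[0], fields[1][1:], fields[2]
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every regex at both ends; re.fullmatch behaves the same way.
        specs.append(Spec(re.compile(pattern), ftype, context, line))
    return specs


def lookup(specs: List[Spec], path: str, ftype: Optional[str] = None) -> Optional[str]:
    """Return the security context for `path`, or None when no entry matches.

    Entries are tried from the end of the file backwards, so the last matching entry
    wins. An entry with a file-type field only applies to that type of file.
    """
    for spec in reversed(specs):
        if spec.ftype is not None and ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def context_type(context: str) -> str:
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def precedence_demo() -> tuple:
    """Why ordering matters: with the cgi entry after the doc-root entry it wins for a
    CGI script; listed before it, the general doc-root entry shadows it."""
    ordered = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    shadowed = list(reversed(ordered))
    script = "/home/httpd/cgi/form.cgi"
    return (context_type(lookup(ordered, script)), context_type(lookup(shadowed, script)))


if __name__ == "__main__":
    rules = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p, t in [("/home/httpd", "d"), ("/home/httpd/index.html", "-"),
                 ("/home/httpd/cgi/form.cgi", "-"), ("/home/httpd/logs", "d"),
                 ("/home/httpd/logs/access_log", "-"), ("/home/user/public_html/x", "-")]:
        print(f"{p:32} -> {lookup(rules, p, t)}")
    print("cgi script, correct vs. reversed order:", precedence_demo())
```

The same checks on a real system are `matchpathcon /home/httpd/cgi/form.cgi` (what the policy says the label should be) and `ls -Z` (what the file currently carries); `restorecon -R -v` is what brings the second in line with the first.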
Change is good when it brings worthy improvements, like security
Posted Jul 15, 2008 22:15 UTC (Tue) by dpquigl (subscriber, #52852)
I also found on Dan Walsh's blog that there is a GUI for doing this as well.
"You can see similar functionality in system-config-selinux by selecting the 'File Labeling'
list item and then clicking on the 'Customized' button."
Change is good when it brings worthy improvements, like security
Posted Jul 17, 2008 3:45 UTC (Thu) by mrshiny (subscriber, #4266)
Thanks for the tip. I had already gone down this road with the gui tool and found that
something didn't work properly and my attempts at manually setting this stuff failed. I
eventually gave up and moved my doc root or just manually changed the context... I forget. I
think I manually changed the context and I expect it to fail if the whole system gets
re-labelled.
It would be much easier for a sysadmin to be able to specify the document root in the apache
config file and have an selinux-aware tool say "gee, looks like you'll need to add these
se-linux rules... proceed? Y/N". But at least much progress has been made with these tools
compared to Fedora 2.