Solved

SELinux question.

Posted on 2006-10-29
Last Modified: 2010-04-22

Hello Group,

I'm new to the security concept in Linux, but I would appreciate it if you could pass me some useful links and also answer my question:

Q1)  When SELinux is set or enabled I do have access to /www/ only but not to subdirectories? Why is that? This causes problems during testing of my web application, so I have to disable it in order to test and get access to sub-directories. I'm using Red Hat, Apache and PHP if this helps.

Q2) Also, whenever SELinux is set Flash doesn't work on any page on my Fedora machine.

Your help is appreciated greatly.

Question by: akohan

22 Comments
 
LVL 11

Expert Comment

by:kblack05
ID: 17829342
Q1:

This is probably a function of your Apache settings. In order to be sure we'd need the actual browser error message, or perhaps the Apache error_log settings. For each directory in a virtual host, newer Apache versions will require that directory be listed in the config, along with any run-time options such as

<Directory /var/www/html/mytest>
Options +Includes +Indexes
</Directory>

service httpd restart

or

apachectl graceful
0
 

Author Comment

by:akohan
ID: 17883408

Hello,

Thanks for your response. Where can I find the Apache error_log settings? I'm supposed to fix this problem and I would appreciate your help, either any online source or any comments you might have.

Thanks,
ak
0
 
LVL 10

Expert Comment

by:Luxana
ID: 17886976
try have look in /var/log directory :

/var/log/apache
0
 

Author Comment

by:akohan
ID: 17895155

Hi,

I looked at /var/log but there is no such apache/ directory! As a matter of fact, this is not my machine; I'm trying to help a friend of mine and also get familiar with SELinux.

Where else should I look for it?

Thanks
0
 
LVL 10

Expert Comment

by:Luxana
ID: 17895206
check apache configuration and look for ErrorLog directive which specify the location of log file.

BTW what version of apache are you running?
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17895761
It may also be /var/log/httpd

Try issuing

locate error | grep log

0
 

Author Comment

by:akohan
ID: 17895981

Yes, you are right and I think it should be  /var/log/httpd/error_log and those like /var/log/httpd/error_log.n  (where n is a number) are the old ones. Right?
Anyway, I'm seeing these in it:

[Sun Nov 05 04:02:08 2006] [notice] Digest: generating secret for digest authentication ...
[Sun Nov 05 04:02:08 2006] [notice] Digest: done
[Sun Nov 05 04:02:08 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Nov 05 04:02:08 2006] [notice 209.129.194.55] LDAP: SSL support unavailable
[Sun Nov 05 04:02:09 2006] [notice 209.129.194.55] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Mon Nov 06 10:00:42 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:00:42 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:00:54 2006] [error] [client 209.129.194.55] user sswift: authentication failure for "/phpMyAdmin-2.7.0-pl2": Password Mismatch, referer: http://204.129.194.54/
[Mon Nov 06 10:01:20 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:01:20 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:29:51 2006] [notice] caught SIGTERM, shutting down
[Mon Nov 06 10:49:50 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Nov 06 10:49:51 2006] [notice] Digest: generating secret for digest authentication ...
[Mon Nov 06 10:49:51 2006] [notice] Digest: done
[Mon Nov 06 10:49:51 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Nov 06 10:49:51 2006] [notice] LDAP: SSL support unavailable
[Mon Nov 06 10:49:55 2006] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Tue Nov 07 16:37:06 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Tue Nov 07 16:37:06 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Tue Nov 07 16:37:06 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico

Now what? How can I approach the problem? The problem is that I cannot show an HTML or PHP file when SELinux is set ON or enabled.

0
 
LVL 11

Expert Comment

by:kblack05
ID: 17903966
Use the tail command for this...

tail -f /var/log/httpd/error_log

Then in your browser load the php page and watch the tail for errors.

Then use Ctrl-C to kill the tail.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17908167
You can check if this is in fact SE related by temporarily booting the system without the SE features and policies enacted by doing this:
You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux.


# This is a comment field in /etc/sysconfig/selinux
#
# Allowable values are:
#     enforcing  -  enables enforcing mode
#     permissive -  enables permissive mode
#     disabled   -  disables SELinux
SELINUX=<value>

Setting the value to enforcing is the same as adding enforcing=1 to your command line when booting the kernel to turn enforcing on, while setting the value to permissive is the same as adding enforcing=0 to turn enforcing off. Note that the command line kernel parameter overrides the configuration file.

In the kernel that shipped with Fedora Core 2, setting the value to disabled was not the same as the selinux=0 kernel boot parameter. However, updated kernels act exactly the same if you disable in run time or at boot -- SELinux hooks and pseudo file system are unregistered entirely.


http://fedora.redhat.com/docs/selinux-faq-fc2/
0
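Added example, not one of the comments in this thread: before rebooting with SELinux disabled, the quicker check is to leave SELinux on and look for AVC denials attributed to httpd, dropping to permissive mode with `setenforce 0` only for the duration of the test (permissive mode still logs every denial, it just stops blocking). The script assumes a targeted-policy system where auditd writes to /var/log/audit/audit.log in the classic `avc:  denied` line format; the audit records embedded in it are constructed for illustration and were not taken from the asker's machine.

```sh
#!/bin/sh
# Added example, not from the thread: is SELinux the thing blocking httpd?
# Assumptions (not stated in the thread): targeted policy, auditd logging to
# /var/log/audit/audit.log, classic "avc:  denied" record format.

# Constructed sample audit records (illustrative, not from a real system).
# Records 45/46: httpd (httpd_t) denied access to a file still labelled
# user_home_t, the usual result of copying files out of a home directory.
# Record 47: an unrelated sshd denial that the httpd filter must ignore.
SAMPLE_AVC='type=AVC msg=audit(1162800000.123:45): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/test/index.php" dev=sda2 ino=99 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1162800000.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.php" dev=sda2 ino=99 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1162800001.000:47): avc:  denied  { write } for  pid=1111 comm="sshd" name="sshd_config" dev=sda2 ino=12 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1162800001.000:47): arch=40000003 syscall=5 success=no exit=-13'

# stdin: raw audit records; stdout: only the AVC denials where the blocked
# process is httpd. A non-empty result means SELinux, not Apache, is behind
# the "cannot show the page" symptom.
httpd_denials() {
  grep 'avc: *denied' | grep 'comm="httpd"'
}

# stdin: AVC lines; stdout: the distinct types of the objects httpd was
# denied. The type is the third colon-separated field of tcontext (an MLS
# suffix such as :s0 on newer policies is ignored). Anything other than an
# httpd_* type points to a labelling problem rather than a policy bug.
denied_target_types() {
  sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' | sort -u
}

# stdin: AVC lines; stdout: the distinct paths that carried a path= field.
denied_paths() {
  sed -n 's/.*path="\([^"]*\)".*/\1/p' | sort -u
}

# Self-check on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | httpd_denials | denied_target_types   # user_home_t
printf '%s\n' "$SAMPLE_AVC" | httpd_denials | denied_paths          # /var/www/html/test/index.php

# Live use on a real machine (only runs where the audit log is readable):
#   getenforce                 # Enforcing, Permissive or Disabled
#   setenforce 0               # permissive for the test; setenforce 1 afterwards
#   ausearch -m avc -c httpd   # the same query through the audit tools
if [ -r /var/log/audit/audit.log ]; then
  httpd_denials < /var/log/audit/audit.log | denied_target_types
fi
```

Pipe `tail -f /var/log/audit/audit.log` into `httpd_denials` while reloading the page in the browser, the same way the error_log was tailed above; if the filter stays silent with SELinux enforcing, the problem is in the Apache configuration after all.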
 
LVL 4

Expert Comment

by:infleadorix
ID: 18285691
I think akohan has reposted his question, which may have been answered in the link below:

http://www.experts-exchange.com/Security/Linux_Security/Q_22110273.html#18271320
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18285709
Actually it seems that he posted the next step in his process and left this question abandoned.
Here he's asking about the problem, on that link he's asking about why it works with SE on or off.
0
 
LVL 4

Expert Comment

by:infleadorix
ID: 18288842
To me, he essentially asked the same question in both posts: how to make his httpd service work properly when SELinux is enabled. I have no problem with kblack getting the points but just wanted to point out that the solution in the other post may answer this question.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18288873
You are right he just worded it much differently. Hopefully all worked out well for him. My suggestion would be to delete the question and refund his points. Good eye infleadorix!
0
 

Author Comment

by:akohan
ID: 18288919


Hello all,

This is strange! I sent a message regarding this discussion today but now I cannot see it here!

Anyway, what I described in the message was that my problem was solved by the answer I received from infleadorix, since his solution in http://www.experts-exchange.com/Security/Linux_Security/Q_22110273.html#18271320 helped me fix the Flash and also other issues I had.

Thanks,
ak
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18288927
Not a problem. Also be advised that command you were given will change policy settings for all files, httpd or not, perhaps not the best thing. I've found another solution that may be better use in the future:

After some research I found the problem was the SELinux context of the files. It took me forever to find the Proper command to use to change that, as all the examples on the net were out dated using old commands:
# chcon "user_u:object_r:httpd_sys_content_t" /var/www/html -Rc

This will change the SELinux context of all the documents under the /var/www/html directory (which is the web directory under Fedora) to allow the httpd process to access them, and the '-Rc' flag will make the changes recursive and will output its progress for each file that it successfully changes.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18289057
PAQed with points refunded (500)

Computer101
EE Admin
0
 
LVL 4

Expert Comment

by:infleadorix
ID: 18289170
Actually, the 'restorecon -R /var/www/html' I've provided will restore the security context for the /var/www/html ONLY, using the database in /etc/selinux/targeted/contexts/files/file_contexts. It does almost the same thing as the 'chcon user_u:object_r:httpd_sys_content_t /var/www/html -Rc', but restorecon preserves the user identity and role (first and second fields of the security context) if the type (third field) is already correct. In other words, restorecon will only change the file's security context if its type is incorrect. This is because SELinux targeted policy uses "type enforcement" only. So, as long as the type of the file is in the correct domain, the service will be able to access it.

For example, suppose that in addition to some mistyped files in /var/www/html there are some CGI scripts that were created in the user's home directory and then moved into /var/www/cgi-bin. The command 'restorecon -R /var/www' will change the context of every file in every subdirectory (unless it already has a correct type) within it, which will fix both the /var/www/html and /var/www/cgi-bin directories.
0
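Added example, not one of the thread's comments, to make the chcon-versus-restorecon point concrete. It assumes a targeted policy whose file_contexts maps /var/www/html to httpd_sys_content_t and /var/www/cgi-bin to httpd_sys_script_exec_t (the Fedora and Red Hat defaults of that era); the `expected_type` function is a hypothetical hard-coded stand-in for that database, and the `stat -c '%C %n'` output it filters is constructed rather than taken from a real filesystem. The last commented lines cover the case the question's wording hints at, a docroot of /www rather than /var/www/html, where restorecon has no rule to apply until one is added with `semanage fcontext`.

```sh
#!/bin/sh
# Added example, not from the thread: find files under /var/www whose SELinux
# type is not the one the policy expects. These are exactly the files
# restorecon would relabel; chcon only papers over them until the next
# relabel. Assumes the default targeted-policy mapping for /var/www
# (hypothetical subset hard-coded in expected_type below).

# Constructed `stat -c '%C %n' ...` output (illustrative, not a real system).
# Two files carry the wrong type: index.php was copied out of a home
# directory (user_home_t) and hello.cgi landed in cgi-bin as plain content.
SAMPLE_STAT='user_u:object_r:httpd_sys_content_t /var/www/html/index.html
user_u:object_r:user_home_t /var/www/html/test/index.php
system_u:object_r:httpd_sys_content_t /var/www/cgi-bin/hello.cgi
system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/form.cgi'

# Type field of a context string: user:role:type[:mls]. Targeted policy
# enforces on the type only, which is why restorecon leaves user and role
# alone when the type is already right.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Hypothetical stand-in for /etc/selinux/targeted/contexts/files/file_contexts:
# the policy default for a path. A path with no rule (for example a custom
# docroot such as /www) gets an empty answer, meaning restorecon cannot fix
# it until a rule exists.
expected_type() {
  case "$1" in
    /var/www/cgi-bin/*) echo httpd_sys_script_exec_t ;;
    /var/www/*)         echo httpd_sys_content_t ;;
    *)                  echo "" ;;
  esac
}

# stdin: "context path" lines; stdout: paths whose type differs from the
# policy default, one per line.
mislabeled() {
  while read -r ctx path; do
    [ "$(context_type "$ctx")" = "$(expected_type "$path")" ] || printf '%s\n' "$path"
  done
}

printf '%s\n' "$SAMPLE_STAT" | mislabeled
# /var/www/html/test/index.php
# /var/www/cgi-bin/hello.cgi

# On a real system (needs the SELinux userland; not executed here):
#   stat -c '%C %n' /var/www/html/* | mislabeled     # real input for the filter
#   restorecon -Rv /var/www                           # durable: reapplies policy defaults
#   semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?' && restorecon -Rv /www
#                                   # needed when the docroot is outside /var/www
```

The reason to prefer the `semanage fcontext` plus `restorecon` pair over a one-off `chcon` is persistence: a context set with chcon is not recorded anywhere, so a full relabel (or a later `restorecon`) puts the file back to whatever file_contexts says, while a fcontext rule is what file_contexts says.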
 

Author Comment

by:akohan
ID: 18289268

Hi again,

What is refunded here?! I'm new to this thing. Can somebody explain this?

Thanks,
AK
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18293141
Oh just making sure they give your points back to you since you were able to get a more proper solution in the other thread. infleadorix and I were just elaborating on the thread a little so future readers can see why the solution chosen works, etc..
0
 

Author Comment

by:akohan
ID: 18295761

Thanks for your explanation. Now I get it.

Regards,
AK
0
