  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 694

SELinux question.


Hello Group,

I'm new to the security concepts in Linux, but I would appreciate it if you could pass me some useful links and also answer my questions:

Q1) When SELinux is set or enabled I have access to /www/ only, but not to its subdirectories. Why is that? This causes problems when testing my web application, so I have to disable it in order to test and get access to the sub-directories. I'm using Red Hat, Apache and PHP, if this helps.

Q2) Also, whenever SELinux is set, Flash doesn't work on any page on my Fedora machine.

Your help is appreciated greatly.

1 Solution
 
kblack05Commented:
Q1:

This is probably a function of your Apache settings. In order to be sure we'd need the actual browser error message, or perhaps the apache error_log settings. For each directory in a virtual host, newer Apache versions will require that directory be listed in the config, along with any read time options such as

<Directory /var/www/html/mytest>
Options +Includes +Indexes
</Directory>

service httpd restart

or

apachectl restart
0
 
akohanAuthor Commented:

Hello,

Thanks for your response. Where can I find the apache error_log settings? I'm supposed to fix this problem and I will appreciate your help, either any online source or any comments you might have.

Thanks,
ak
0
 
LuxanaCommented:
Try having a look in the /var/log directory:

/var/log/apache
0
 
akohanAuthor Commented:

Hi,

I looked at /var/log but there is no such apache/ directory! As a matter of fact, this is not my machine; I'm trying to help a friend of mine and also get familiar with SELinux.

Where else should I look for it?

Thanks
0
 
LuxanaCommented:
Check the Apache configuration and look for the ErrorLog directive, which specifies the location of the log file.

BTW what version of apache are you running?
0
 
kblack05Commented:
It may also be /var/log/httpd

Try issuing

locate error | grep log

0
 
akohanAuthor Commented:

Yes, you are right, and I think it should be /var/log/httpd/error_log, and those like /var/log/httpd/error_log.n (where n is a number) are the old ones. Right?
Anyway, I'm seeing these in it:

[Sun Nov 05 04:02:08 2006] [notice] Digest: generating secret for digest authentication ...
[Sun Nov 05 04:02:08 2006] [notice] Digest: done
[Sun Nov 05 04:02:08 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Nov 05 04:02:08 2006] [notice 209.129.194.55] LDAP: SSL support unavailable
[Sun Nov 05 04:02:09 2006] [notice 209.129.194.55] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Mon Nov 06 10:00:42 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:00:42 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:00:54 2006] [error] [client 209.129.194.55] user sswift: authentication failure for "/phpMyAdmin-2.7.0-pl2": Password Mismatch, referer: http://204.129.194.54/
[Mon Nov 06 10:01:20 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:01:20 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Mon Nov 06 10:29:51 2006] [notice] caught SIGTERM, shutting down
[Mon Nov 06 10:49:50 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Nov 06 10:49:51 2006] [notice] Digest: generating secret for digest authentication ...
[Mon Nov 06 10:49:51 2006] [notice] Digest: done
[Mon Nov 06 10:49:51 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Nov 06 10:49:51 2006] [notice] LDAP: SSL support unavailable
[Mon Nov 06 10:49:55 2006] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Tue Nov 07 16:37:06 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Tue Nov 07 16:37:06 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico
[Tue Nov 07 16:37:06 2006] [error] [client 209.129.194.55] File does not exist: /var/www/html/fav.ico


Now what? How can I approach the problem? The problem is that I cannot show an HTML or PHP file when SELinux is set ON or enabled.

0
 
kblack05Commented:
Use the tail command for this...

tail -f /var/log/httpd/error_log

Then in your browser load the php page and watch the tail for errors.

Then use Ctrl-C to kill the tail.
0
 
kblack05Commented:
You can check whether this is in fact SELinux-related by temporarily booting the system without the SE features and policies enacted. You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux.


# This is a comment field in /etc/sysconfig/selinux
#
# Allowable values are:
#     enforcing  -  enables enforcing mode
#     permissive -  enables permissive mode
#     disabled   -  disables SELinux
SELINUX=<value>

Setting the value to enforcing is the same as adding enforcing=1 to your command line when booting the kernel to turn enforcing on, while setting the value to permissive is the same as adding enforcing=0 to turn enforcing off. Note that the command line kernel parameter overrides the configuration file.

In the kernel that shipped with Fedora Core 2, setting the value to disabled was not the same as the selinux=0 kernel boot parameter. However, updated kernels act exactly the same if you disable in run time or at boot -- SELinux hooks and pseudo file system are unregistered entirely.


http://fedora.redhat.com/docs/selinux-faq-fc2/
0
 
infleadorixCommented:
I think akohan has reposted his question, which may have been answered in the link below:

http://www.experts-exchange.com/Security/Linux_Security/Q_22110273.html#18271320
0
 
kblack05Commented:
Actually it seems that he posted the next step in his process and left this question abandoned.
Here he's asking about the problem, on that link he's asking about why it works with SE on or off.
0
 
infleadorixCommented:
To me, he essentially asked the same question in both posts: how to make his httpd service work properly when SELinux is enabled. I have no problem with kblack getting the points, but I just wanted to point out that the solution in the other post may answer this question.
0
 
kblack05Commented:
You are right he just worded it much differently. Hopefully all worked out well for him. My suggestion would be to delete the question and refund his points. Good eye infleadorix!
0
 
akohanAuthor Commented:


Hello all,

This is strange! I sent a message regarding this discussion today but now I cannot see it here!

Anyway, what I had described in the message was that my problem was solved because of the answer I received from infleadorix: his solution in http://www.experts-exchange.com/Security/Linux_Security/Q_22110273.html#18271320 helped me fix the Flash and also other issues I had.

Thanks,
ak
0
 
kblack05Commented:
Not a problem. Also be advised that the command you were given will change policy settings for all files, httpd or not, which is perhaps not the best thing. I've found another solution that may be of better use in the future:

After some research I found the problem was the SELinux context of the files. It took me forever to find the proper command to use to change that, as all the examples on the net were outdated, using old commands:
# chcon "user_u:object_r:httpd_sys_content_t" /var/www/html -Rc

This will change the SELinux context of all the documents under the /var/www/html directory (which is the web directory under Fedora) to allow the httpd process to access them, and the '-Rc' flag will make the changes recursive and will output its progress for each file that it successfully changes.
0
 
Computer101Commented:
PAQed with points refunded (500)

Computer101
EE Admin
0
 
infleadorixCommented:
Actually, the 'restorecon -R /var/www/html' I've provided will restore the security context for the /var/www/html ONLY, using the database in /etc/selinux/targeted/contexts/files/file_contexts. It does almost the same thing as the 'chcon user_u:object_r:httpd_sys_content_t /var/www/html -Rc', but restorecon preserves the user identity and role (first and second fields of the security context) if the type (third field) is already correct. In other words, restorecon will only change the file's security context if its type is incorrect. This is because SELinux targeted policy uses "type enforcement" only. So, as long as the type of the file is in the correct domain, the service will be able to access it.

For example, suppose that, in addition to some mistyped files in /var/www/html, there are some CGI scripts that were created in the user's home directory and then moved into /var/www/cgi-bin. The command 'restorecon -R /var/www' will change the context of every file in every subdirectory (unless it already has a correct type) within it, which will fix both the /var/www/html and /var/www/cgi-bin directories.
0
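As an added illustration of the difference kblack05 and infleadorix describe between chcon -R (which overwrites the whole context on every file) and restorecon -R (which fixes only a wrong type and keeps user and role), here is example code that is not from this thread. It emulates both tools over a constructed ls -Z style listing against a simplified, constructed stand-in for the file_contexts database; the two rules and the sample paths are assumptions made for the example.

```python
import re

# Constructed, simplified stand-in for the file_contexts database the thread
# mentions: (path regex, expected type), most specific rule first.
FILE_CONTEXT_RULES = [
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
]

# Constructed `ls -Z` style listing: "<user>:<role>:<type> <path>".
# Two files were copied in from a home directory and kept user_home_t.
SAMPLE_LISTING = """\
root:object_r:httpd_sys_content_t /var/www/html/index.html
user_u:object_r:user_home_t /var/www/html/app/config.php
system_u:object_r:httpd_sys_content_t /var/www/html/app/lib.php
user_u:object_r:user_home_t /var/www/cgi-bin/form.cgi
"""

def expected_type(path, rules=FILE_CONTEXT_RULES):
    """Type the policy says a path should carry (None if no rule matches)."""
    for pattern, typ in rules:
        if re.fullmatch(pattern, path):
            return typ
    return None

def parse_listing(text):
    """Map path -> (user, role, type); a trailing MLS field (:s0) is ignored."""
    entries = {}
    for line in text.splitlines():
        ctx, path = line.split(None, 1)
        user, role, typ = ctx.split(":")[:3]
        entries[path] = (user, role, typ)
    return entries

def find_mislabeled(entries):
    """Paths whose type differs from policy: httpd will be denied on these."""
    return sorted(p for p, (_, _, t) in entries.items() if t != expected_type(p))

def chcon_like(entries, new_ctx):
    """chcon -R CTX: every file gets the full context, user and role included."""
    return {p: tuple(new_ctx.split(":")) for p in entries}

def restorecon_like(entries):
    """restorecon -R: fix only files whose type is wrong; keep user and role."""
    fixed = {}
    for p, (user, role, typ) in entries.items():
        want = expected_type(p)
        fixed[p] = (user, role, want if want and typ != want else typ)
    return fixed
```

Running find_mislabeled on the chcon result shows why a blanket httpd_sys_content_t is not ideal: the CGI script under /var/www/cgi-bin ends up with a type the rule table does not expect for it.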
 
akohanAuthor Commented:

Hi again,

What is refunded here?! I'm new to this thing. Can somebody explain this?

Thanks,
AK
0
 
kblack05Commented:
Oh just making sure they give your points back to you since you were able to get a more proper solution in the other thread. infleadorix and I were just elaborating on the thread a little so future readers can see why the solution chosen works, etc..
0
 
akohanAuthor Commented:

Thanks for your explanation. Now I get it.

Regards,
AK
0
