Cristofer N. Reyes A.
2005-Mar-10 17:01 UTC
[Centos] Problem with apache in CentOS 4.0 (final)
Hi everyone!

In my new CentOS 4.0 (final ;-) I installed apache and activated SELinux. When I tried to enter a page of some user (localhost/~user) it said to me that I did not have permission to see it, and this was incorrect, because the permissions were 755 (/home/user/html). After a while it occurred to me to deactivate selinux and I restarted the machine and it worked!

Does somebody know why this happens?

Bye!
--
Cristofer Reyes Aguilera
linux-user #353991
http://www.inf.utfsm.cl/~crreyes
Laboratorio de Computacion, Departamento de Informatica, UTFSM
crreyes (at) inf (dot) utfsm (dot) cl
> -----Original Message-----
> From: centos-bounces@caosity.org [mailto:centos-bounces@caosity.org] On Behalf Of Cristofer N. Reyes A.
> Sent: Thursday, March 10, 2005 11:01 AM
> To: centos@caosity.org
> Subject: [Centos] Problem with apache in CentOS 4.0 (final)
>
> Hi everyone!
>
> In my new CentOS 4.0 (final ;-) I installed apache and activated
> SELinux, When I
> tried to enter a page of some user (localhost/~user) it said to me that I
> did not have permission
> to see it, and this was incorrect, because the permissions were 755
> (/home/user/html). After a while it occurred to me to deactivate
> selinux and
> I restarted the machine and it worked!
>
> Does somebody know why this happens?

SELinux provides for a higher level of permissions on top of the usual file-system permissions. If SELinux dictates that the user or process doesn't have access to the file or directory, then local file permissions do not matter. There are a number of documents on the web that have been discussed on this list recently that explain more about SELinux and its operation.

--
Marc
On Thu, 10 Mar 2005 14:00:55 -0300, Cristofer N. Reyes A. <crreyes@inf.utfsm.cl> wrote:
> Hi everyone!
>
> In my new CentOS 4.0 (final ;-) I installed apache and activated
> SELinux, When I
> tried to enter a page of some user (localhost/~user) it said to me that I
> did not have permission

You don't have permission according to SELinux. As root, run 'getsebool -a | grep homedirs' to be sure that it's enabled.

If it is, make sure that it's set to the proper SELinux context for homedir content. As your user: ls -Z the html directory, and ensure that the context is set as httpd_user_content_t. If it's not, then 'chcon -t httpd_user_content_t html'.

Also, for documentation on SELinux, you should read http://fedora.redhat.com/docs/selinux-apache-fc3/

SELinux is an excellent security measure, but it takes some getting used to.

--
Jim Perrin
Arbelos Systems
Cristofer N. Reyes A. wrote:
> In my new CentOS 4.0 (final ;-) I installed apache and activated
> SELinux, When I
> tried to enter a page of some user (localhost/~user) it said to me that I
> did not have permission
> to see it, and this was incorrect, because the permissions were 755
> (/home/user/html). After a while it occurred to me to deactivate
> selinux and
> I restarted the machine and it worked!
>

I'm sure that you didn't activate the rules that let your httpd binary read the user_home_t type dirs and files. I think with the targeted policy there's a boolean which enables it. I only work with strict policies on Debian and Gentoo yet, so I need to take a look at it. I am just installing the test machine right now with CentOS 4 :-) I hope it will work as expected, just like 3.x.

bye,
Ago
Daniel S. Reichenbach
2005-Mar-11 09:12 UTC
[Centos] Problem with apache in CentOS 4.0 (final)
Hi Cristofer,

> tried to enter a page of some user (localhost/~user) it said to me that I
> did not have permission
> to see it, and this was incorrect, because the permissions were 755
> (/home/user/html). After a while it occurred to me to deactivate
> selinux and

May I suggest that you run

chcon -Rt httpd_sys_content_t ~/html

for the directory? This will allow httpd to access the directory and serve the user directory when you have SELinux enabled.

With kind regards,
Daniel S. Reichenbach
--
blog - http://people.best-off.org/~dsr/
gpg - http://people.best-off.org/~dsr/gpg.asc
work - http://www.best-off.org/
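Jim Perrin's reply and Daniel's reply above come down to the same two checks: is the homedirs boolean enabled, and does ~/html carry a type httpd is allowed to read? The shell functions below are an added example, not code from the thread; they run those checks over constructed sample output from getsebool -a and ls -dZ so they can be tried without an SELinux host, and on a real box you would feed them the live command output instead.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `getsebool -a` and
# `ls -dZ` output whether httpd may serve a user's ~/html under SELinux.
# The sample output below is constructed; on a real host use
# "$(getsebool -a)" and "$(ls -dZ /home/user/html)" instead.

SAMPLE_GETSEBOOL='httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_tty_comm --> inactive'

SAMPLE_LS_Z='drwxr-xr-x  user user user_u:object_r:user_home_t /home/user/html'

# Returns 0 when httpd_enable_homedirs is on ("active" on CentOS 4,
# "on" in later releases), 1 otherwise.
homedirs_enabled() {
    printf '%s\n' "$1" | grep -Eq '^httpd_enable_homedirs[[:space:]]+-->[[:space:]]+(active|on)$'
}

# Prints the SELinux type (third field of user:role:type[:level]) from one
# line of `ls -dZ` output; the context is the field just before the path.
type_of() {
    printf '%s\n' "$1" | awk '{print $(NF-1)}' | cut -d: -f3
}

# Prints "ok ..." when the type is one httpd may read as web content
# (either type named in the thread), otherwise the chcon command that
# relabels the directory with the home-directory content type Jim named.
check_html_dir() {
    dir=$(printf '%s\n' "$1" | awk '{print $NF}')
    t=$(type_of "$1")
    case "$t" in
        httpd_user_content_t|httpd_sys_content_t) echo "ok: $dir is $t" ;;
        *) echo "chcon -Rt httpd_user_content_t $dir # was $t" ;;
    esac
}

# Stand-alone run over the constructed samples.
if homedirs_enabled "$SAMPLE_GETSEBOOL"; then
    echo "httpd_enable_homedirs is on"
else
    echo "setsebool -P httpd_enable_homedirs 1 # boolean is off"
fi
check_html_dir "$SAMPLE_LS_Z"
```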
Daniel S. Reichenbach wrote:
> chcon -Rt httpd_sys_content_t ~/html
>
> for the directory? This will allow httpd to access the directory and
> serve the user directory, when you have SELinux enabled.
>

That's much better advice than mine. So, RH/CentOS created an httpd_sys_content_t type. I assume there's a general rule which enables the httpd_t domain to read the file with this type. But what will you do when you want a much more strict policy? The only way to defend the virtual hosts from each other is to create different content types just like http_sys_virthost1_t, http_sys_virthost2_t etc and different . Imagine users want to run php scripts. If you just enable exec of all types of php scripts there's a chance that you will weaken your security. Not sure, but there's a chance.

bye,
Ago
Daniel S. Reichenbach
2005-Mar-11 12:17 UTC
[Centos] Problem with apache in CentOS 4.0 (final)
Hi,

> when you want a much more strict policy? The only way to defend the
> virtual hosts from each other is to create different content types just
> like http_sys_virthost1_t, http_sys_virthost2_t etc and different .
> Imagine users want to run php scripts. If you just enable exec of all types
> of php scripts there's a chance that you will weaken your security. Not
> sure but there's a chance.

You may still combine this with suexec, php's safedir options, etc. Don't forget that there is no 100 percent security, but just a lot of methods to get close to 100 percent :-)

With kind regards,
Daniel S. Reichenbach
--
blog - http://people.best-off.org/~dsr/
gpg - http://people.best-off.org/~dsr/gpg.asc
work - http://www.best-off.org/
Daniel S. Reichenbach wrote:
>> of php scripts there's a chance that you will weaken your security. Not
>> sure but there's a chance.
>>
>
> You may still combine this with suexec, php's safedir options, etc.
> Don't forget that there is no 100 percent security, but just a lot of
> methods to get close to 100 percent :-)
>

Yes, I know it. No complaints about it. I just like to use the tools to the maximum. Besides the safe mode etc., I would create separate roles, domains and types for virthosts with cgi/php/... scripts.

bye,
Ago