On 09/23/2017 08:37 AM, hw wrote:>
> Hi,
>
> how do I allow lighttpd access to a directory like this:
>
> dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0
> files_articles
>
> I tried to create and install a selinux module, and it didn?t work.
> The non-working module can not be removed, either:
>
> semodule -r lighttpd-files_articles.pp
> libsemanage.semanage_direct_remove_key: Unable to remove module
> lighttpd-files_articles.pp at priority 400. (No such file or directory).
> semodule: Failed!
>
>
> Currently, only read access is required. Write access may be
> required later.
>
>
> type=AVC msg=audit(1506168999.456:2350): avc: denied { getattr }
> for pid=28956 comm="lighttpd"
>
path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5"
> dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
> type=SYSCALL msg=audit(1506168999.456:2350): arch=c000003e syscall=4
> success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300
> a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996
> gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994
> tty=(none) ses=4294967295 comm="lighttpd"
exe="/usr/sbin/lighttpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1506168999.456:2351): avc: denied { open } for
> pid=28956 comm="lighttpd"
>
path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5"
> dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
> type=SYSCALL msg=audit(1506168999.456:2351): arch=c000003e syscall=2
> success=yes exit=9 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef270 items=0
> ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996
> fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295
> comm="lighttpd" exe="/usr/sbin/lighttpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1506168723.591:2342): avc: denied { read } for
> pid=28956 comm="lighttpd"
name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5"
> dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
> type=SYSCALL msg=audit(1506168723.591:2342): arch=c000003e syscall=2
> success=no exit=-13 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef2a0 items=0
> ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996
> fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295
> comm="lighttpd" exe="/usr/sbin/lighttpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
> Why isn?t there a simple way to allow access to files as needed?
> Being like this, selinux is entirely unmanagable. Does it even do
> any more good than it keeps getting in the way?
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
SELinux is a labelling system, every process has a label, every object
on the system has a label. There are rules in the kernel that allow
access between process labels and system object labels, the kernel
enforces the rules.
Some how this content on your system. /srv/data/files_articles, got
labeled as samba content (samba_share_t). Now you want to share it via
lighthttp (httpd_t). If this content is only to be shared via
lighthttpd, you would need to set the label to something that httpd_t
can read.
man http_selinux (selinux-policy-docs rpm)
Will show you the labels.
httpd_sys_content_t is the usually type for httpd read only content.
httpd_sys_content_rw_t is the type for read/write content. There are
commands in the man page that explain how to change the default labels.
If you need to share this content via httpd and samba there are a couple
of label types public_content_t, which allow you to share content with
multiple services. Also explained in the man page.
audit2allow is usually a secondary thing to use when there is no way to
allow access.
http://danwalsh.livejournal.com/30837.html