[Novalug] Selinux: to disable or not

Dan Lavu dan at lavu.net
Sun Mar 11 13:16:42 EDT 2012


Jay,

I second that, I don't think your issue is with SELinux. SELinux is like a
highly tunable "Windows Policy" for Linux. If you ever dealt with Group
Policy Objects (GPOs) before, that's something you can relate it to. For
all the major daemons, DNS, postfix, httpd, you can bet your ass that there
is a default policy already created, otherwise SELinux would be a total
nightmare.


As an example of what SELinux does by default, let's look at httpd. SELinux
will prevent the httpd system user from writing to any unauthorized files;
anything outside the scope of what it should be doing will be denied, and
the output is logged to /var/log/audit/audit.log (very difficult to read;
there are so many tools to parse through it, audit2why is one of them).
By default it only manages two things, file context and user restrictions.
SELinux has an entirely different subset of users (I hope my spacing
doesn't break):


[root at mainframe:~]# semanage user -l

                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range       SELinux Roles
guest_u         user      s0         s0              guest_r
root            user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
sysadm_u        user      s0         s0-s0:c0.c1023  sysadm_r
system_u        user      s0         s0-s0:c0.c1023  system_r unconfined_r
unconfined_u    user      s0         s0-s0:c0.c1023  system_r unconfined_r
user_u          user      s0         s0              user_r


[root at mainframe:/var/www]# ls -lZ
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 error
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 icons


So as you can see above, -Z is your SELinux companion. unconfined_u is a
user with no restrictions, system_u is a system user, and
httpd_sys_content_t is the file context. Adding that context to this folder
and its files permits the files to be publicly viewable: 'chcon -t
httpd_sys_content_t $file' to test (resets at reboot), or 'semanage fcontext
-u $user -t $context file' (I think it is, it's close to that). You can see
the targeted policy in /etc/selinux/targeted (it's difficult to parse
through); I'd recommend using the GUI tool.


One more thing, to make things easier, there are booleans you can enable
that do a lot of the stuff for you. If you look in /selinux/booleans:


[root at mainframe:/selinux/booleans]# ls | grep http
allow_httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam
allow_httpd_sys_script_anon_write
httpd_builtin_scripting
httpd_can_check_spam
httpd_can_network_connect
httpd_can_network_connect_cobbler
httpd_can_network_connect_db
httpd_can_network_memcache
httpd_can_network_relay
httpd_can_sendmail
httpd_dbus_avahi
httpd_enable_cgi
httpd_enable_ftp_server
httpd_enable_homedirs
httpd_execmem
httpd_read_user_content
httpd_setrlimit
httpd_ssi_exec
httpd_tmp_exec
httpd_tty_comm
httpd_unified
httpd_use_cifs
httpd_use_gpg
httpd_use_nfs


"Hrmmm.. CGI isn't working, do I have to modify the policy? Or should I just
disable it?" Most people go with the latter, but all you have to do is
'setsebool -P httpd_enable_cgi on' and you're done.


I hope this clears things up.

Dan
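
To tie the two halves of the above together (the -Z file contexts and the
denials in audit.log), here is an added example, not from Dan's mail and not
part of the SELinux project's own tooling: a small Python script that parses
`ls -lZ` lines and type=AVC records from /var/log/audit/audit.log. It splits
each context into user:role:type:level (the level may itself contain colons,
as in s0-s0:c0.c1023 above), flags files under a web root whose type is not
an httpd_* type (the chcon / semanage fcontext case), and tallies denials by
source type, target type, object class and permission, which is the same
question audit2why answers. The sample ls -lZ lines and AVC records embedded
in it are constructed for this example; the labels user_home_t and
mysqld_port_t in them are standard targeted-policy type names.

```python
"""Parse SELinux file contexts (ls -lZ) and AVC denial records (audit.log)."""
import re
from collections import Counter

# Constructed sample input (not real output from any host on the list).
# Same layout as the `ls -lZ` output shown above: mode owner group context name.
LS_Z_OUTPUT = """\
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 index.html
"""

# Constructed sample audit records in the type=AVC format audit.log uses.
AUDIT_LOG = """\
type=AVC msg=audit(1331491002.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1331491002.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1331491002.456:457): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm="httpd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type:level. The level can contain ':' (MLS/MCS ranges
    such as s0-s0:c0.c1023), so split at most three times."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_ls_z(text):
    """Parse `ls -lZ` lines into dicts with the context already split."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue
        mode, owner, group, ctx, name = parts
        entries.append({"mode": mode, "owner": owner, "group": group,
                        "context": parse_context(ctx), "name": name})
    return entries


def mislabeled(entries, expected_prefix="httpd_"):
    """Names whose type label is not an httpd_* type: httpd_t will be denied
    access to these until they are relabeled (chcon / semanage fcontext)."""
    return [e["name"] for e in entries
            if not e["context"]["type"].startswith(expected_prefix)]


def parse_avc(text):
    """Return one record per type=AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
            continue  # malformed record; nothing to attribute the denial to
        records.append({
            "serial": int(m.group("serial")),
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "scontext": parse_context(fields.pop("scontext")),
            "tcontext": parse_context(fields.pop("tcontext")),
            "tclass": fields.pop("tclass"),
            "fields": fields,  # pid, comm, name, dest, ... as strings
        })
    return records


def summarize_denials(records):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["scontext"]["type"], r["tcontext"]["type"],
                    r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for name in mislabeled(parse_ls_z(LS_Z_OUTPUT)):
        print(f"not an httpd_* type, httpd_t will be denied: {name}")
    for key, n in summarize_denials(parse_avc(AUDIT_LOG)).items():
        print(f"{n}x {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
```

Run as-is it reports index.html as mislabeled and one denial each for
httpd_t reading a user_home_t file and httpd_t connecting to mysqld_port_t
(the second is what the httpd_can_network_connect_db boolean above exists
for). Feeding parse_avc the output of `ausearch -m avc` from a real box works
the same way, since the AVC record format is identical.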
-----Original Message-----
From: novalug-bounces at calypso.tux.org
[mailto:novalug-bounces at calypso.tux.org] On Behalf Of Nick Danger
Sent: Sunday, March 11, 2012 9:35 AM
To: novalug at calypso.tux.org
Subject: Re: [Novalug] Selinux: to disable or not
"Relabeling" I think it's called, which sets the contexts on files. (Do an
ls -lZ to see file contexts.) It doesn't touch config files.


Permissive = Disabled with warnings, so they work the same. There is no
difference between a "setenforce 0" and a "selinux=permissive" with reboot.


Sounds more like a config issue than an SELinux issue. What kind of errors
are you seeing? Anything in /var/log/messages, or since it's a web program,
/var/log/httpd/error_log?


Nick


On 03/11/2012 08:08 AM, Jay Hart wrote:

> TOP POSTED, NEW QUESTION:
>
> If you disable selinux and reboot box, then re-enable selinux and
> reboot box, selinux goes through some sort of "process" involving
> target policy (I did not catch what this was, sorry).
>
> Question:  During this process, does it (selinux) revert any
> configuration changes made to config files?
>
> I'm trying to understand why it seems like some of the files may have
> been tweaked!!!
>
> (And no, I don't have any cats that like to walk on keyboards, and if
> I did have a cat, I would only allow them a M$soft Windows login.)
>
> Jay
>

>>
>>> On 03/10/2012 10:38 PM, Jay Hart wrote:
>>>> I "may" need to disable selinux to get my smtp server working.  Do
>>>> most people just disable it?
>>>>
>>>> I had everything working, then re-enabled selinux, broke the smtp
>>>> link through squirrelmail.
>>> Do most people? Unfortunately yes. Would I? Not if I can avoid it!
>>>
>>> If you think the problem really is selinux related, simply do
>>> "setenforce 0" at a root prompt. Then test your functionality. If it all
>>> works well then, put it back on "setenforce 1" and see what happens.
>>>
>>> Since this is an internet facing server doing mail/web, I really think
>>> you are better off making selinux work for you. Once you are sure it's
>>> it, I am sure we can all give you some tips on solving it.
>>>
>>> Also, where did you get the squirrelmail package? If it came from an odd
>>> source, then it's possible it wasn't compiled with selinux enforced. It's
>>> one of the reasons I try to stick to EPEL and stock packages.
>>>
>>> Nick
>>>
>> Got it from EPEL.  I had it working; either I "broke" it again enabling
>> firewall or selinux.  I'm trying to reset the settings within squirrelmail
>> now.
>>
>> I tried setenforce 0, didn't fix it but since the mode went from enforcing
>> to permissive, I figured maybe still some interference so I totally disabled
>> selinux and rebooted the box. It's (the SMTP server) still not working, so
>> maybe selinux is not my problem...
>>
>> Jay
>>
>> _______________________________________________
>> Novalug mailing list
>> Novalug at calypso.tux.org
>> http://calypso.tux.org/mailman/listinfo/novalug
>>