When first deploying SELinux with Apache HTTP, you will likely run into problems if your configuration differs much from the Fedora Core or Red Hat Enterprise Linux defaults. This section discusses how to analyze policy denials and how to make simple customizations to the policy.
The first major tool for policy customization is system-config-securitylevel. It exposes a number of policy booleans for Apache HTTP:

- Whether or not to allow CGI scripts to run at all.
- Whether or not to allow Apache HTTP to access top-level home directories. This does not allow reading of the content of home directories (user_home_t).
- Whether Apache HTTP transitions to httpd_sys_script_t when executing a shell.
- Whether httpd_sys_content_t is treated as the union of all the other httpd types, such as httpd_sys_script_exec_t. See Section 7, "Using Other Types To Lock Down CGI Scripts".

In the policy itself these are the booleans httpd_enable_cgi, httpd_enable_homedirs, httpd_ssi_exec and httpd_unified; you can also inspect and change them from the command line with getsebool and setsebool.
In addition, you can disable SELinux enforcement for Apache HTTP entirely with system-config-securitylevel:

1. Click the SELinux tab.
2. Expand the tree and check Disable SELinux protection for Apache HTTP.
3. Execute /etc/init.d/httpd restart.

Note that this removes all SELinux confinement from httpd. Treat it as a way to confirm that SELinux is the cause of a problem, not as a fix; the rest of this section shows how to adjust the policy instead.
It is very important to monitor /var/log/messages for any denials due to the SELinux policy. Suppose that you see the following denial:
Oct 19 17:54:59 hostname kernel: audit(1098050626.859:0): avc: denied { write } \
for pid=27422 exe=/usr/bin/python2.3 name=pyblosxom dev=dm-0 ino=4374593 \
scontext=system_u:system_r:httpd_sys_script_t \
tcontext=user_u:object_r:httpd_sys_script_ro_t tclass=dir
The { write } tells you that the denial involves writing to an object, and tclass=dir says that the object in question is a directory. The two most crucial parts are the scontext and tcontext, which contain the types of the subject (httpd_sys_script_t) and the object (httpd_sys_script_ro_t). Notice there is other auxiliary information as well: the executable and process ID of the subject (exe=/usr/bin/python2.3, pid=27422) and, since the object lives on a filesystem, its name (pyblosxom), device (dm-0) and inode number (4374593). The device and inode identify the exact directory involved (find /path -xdev -inum 4374593 locates it) when the name alone is ambiguous.
In other words, the Python CGI script is trying to write to a directory that is labeled read-only. There are many reasons this could happen; perhaps the script is misconfigured or buggy, for example. But in this particular case, it turns out that the Python interpreter normally tries to generate a .pyc file alongside each .py file it imports. If the directory is labeled httpd_sys_script_ro_t, the httpd_sys_script_t domain is not allowed to create new files in it, and you will see the denial. Python silently falls back to compiling the module in memory when it cannot write the .pyc, so the script keeps working and the denial is only noise. This is a very common problem with Python CGI scripts.
The Python issue described above is not a problem with SELinux, since it is Python that is trying to write to a directory of supposedly read-only objects. To deal with spurious denials like this that do not affect the functionality of the CGI script, you can direct SELinux to stop logging them. SELinux supports a dontaudit directive in the policy sources, but using it means rebuilding the policy from source. To install the policy sources, use up2date or yum to install the selinux-policy-targeted-sources package (or selinux-policy-strict-sources if you run the strict policy).
To get the rule syntax you need, you can use audit2allow, which generates SELinux policy rules that would allow a set of logged denials. For example, audit2allow -i /var/log/messages -l reads the denials in /var/log/messages and, because of -l, considers only those logged since the policy was last loaded. For the denial above, the output looks like this:

audit2allow -i /var/log/messages -l
allow httpd_sys_script_t httpd_sys_script_ro_t:dir { write };
However, in this case you do not want to actually allow this operation; you simply want to suppress the audit messages for it. SELinux supports a dontaudit directive with the same syntax as allow, so the generated rule becomes dontaudit httpd_sys_script_t httpd_sys_script_ro_t:dir { write };. A dontaudit rule changes nothing about what is permitted: the write is still denied, it just no longer produces a log entry. To add this rule to the system policy, follow these steps:
1. cd /etc/selinux/targeted/src/policy (this is where the targeted policy sources are installed; the strict policy sources live under /etc/selinux/strict/src/policy).
2. Use your favorite editor to create the file domains/misc/local.te and add the rule above to it (or echo "dontaudit httpd_sys_script_t httpd_sys_script_ro_t:dir { write };" >> domains/misc/local.te; use >> rather than > so that you do not overwrite rules you added earlier).
3. Run make reload to rebuild the policy and load it into the kernel.
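The following is an added example, not code from this guide or from the audit2allow tool itself. It is a small Python script that parses kernel syslog AVC denials of the form shown above, groups them by source type, target type and object class the way audit2allow does, and renders the result as either allow or dontaudit rules. The log lines it reads are constructed for the example (the first is the denial from this section; the others are made up in the same format), so it runs offline.

```python
"""Turn syslog-style SELinux AVC denials into type-enforcement rules.

Added example for this page; it is not the audit2allow source. It only
understands the kernel syslog format shown in the text ("avc: denied
{ perms } for key=value ...").
"""
import re
from collections import defaultdict

# Constructed sample input: the page's denial plus two more in the same shape
# and one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
Oct 19 17:54:59 hostname kernel: audit(1098050626.859:0): avc: denied { write } for pid=27422 exe=/usr/bin/python2.3 name=pyblosxom dev=dm-0 ino=4374593 scontext=system_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_script_ro_t tclass=dir
Oct 19 17:55:01 hostname kernel: audit(1098050628.123:0): avc: denied { add_name } for pid=27422 exe=/usr/bin/python2.3 name=config.pyc dev=dm-0 ino=4374593 scontext=system_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_script_ro_t tclass=dir
Oct 19 17:56:10 hostname kernel: audit(1098050697.456:0): avc: denied { read } for pid=27430 exe=/usr/sbin/httpd name=secret.db dev=dm-0 ino=4374600 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Oct 19 17:56:11 hostname kernel: some unrelated message
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return (set_of_permissions, {field: value}) for one AVC denial line,
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    # Fields are space-separated key=value tokens; names containing spaces
    # are not handled (the kernel format on this page does not quote them).
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return perms, fields


def type_of(context):
    """Extract the type component from a user:role:type[:level] context."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Group denials by (source type, target type, class) and union the
    denied permissions for each group, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        try:
            key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        except (KeyError, IndexError):
            continue  # malformed denial line; skip it
        rules[key] |= perms
    return dict(rules)


def te_rules(rules, verb="allow"):
    """Render grouped denials as TE statements. verb is 'allow' (what
    audit2allow emits) or 'dontaudit' (same syntax, only silences logging)."""
    if verb not in ("allow", "dontaudit"):
        raise ValueError("verb must be 'allow' or 'dontaudit'")
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append("%s %s %s:%s { %s };" % (verb, src, tgt, cls, " ".join(sorted(perms))))
    return out


if __name__ == "__main__":
    grouped = collect_denials(SAMPLE_LOG)
    print("# what audit2allow would propose (do NOT paste blindly):")
    for rule in te_rules(grouped, "allow"):
        print(rule)
    print("# what to use when the denial is harmless noise:")
    for rule in te_rules(grouped, "dontaudit"):
        print(rule)
```

Rendering both forms side by side is the point of the script. The allow form of the first rule is exactly what you must not paste into local.te, since it would let CGI scripts write into directories labeled read-only; the dontaudit form only stops the log entry. The third sample denial (httpd reading user_home_t) shows why grouping alone is not analysis: a rule for it would have to be judged on its own merits, not generated mechanically.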
Warning: Analyze audit2allow output carefully

You should not simply place all of the output from audit2allow in your domains/misc/local.te. It is very easy to compromise the security of your system that way; for example, using allow instead of dontaudit above would have rendered the protection provided by the httpd_sys_script_ro_t type useless. For more information about policy debugging and customization in general, refer to the Red Hat SELinux Policy Guide, available online at http://www.redhat.com/docs.