[Solved] selinux - at wits end

Support for security such as Firewalls and securing linux
lightman47
Posts: 1522
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

[Solved] selinux - at wits end

Post by lightman47 » 2015/04/28 11:37:36

I have a server that runs Apache/MySQL using a Perl script which works well for the most part. In the db I have added a Log table that gets used when the log function is turned on in the script. Depending upon the level of the logging, this table can get rather big, so I've also written a function that will 'archive' the contents to a ".html" file and truncate the table. This is where I get into selinux trouble.

The archive files are written to an 'archive/log' subdirectory off of /var/www/cgi-bin, with the file permissions set on the archive directory to allow this behavior. My problem is that selinux won't allow it - unless selinux is in permissive mode. I created the directories as root and have run restorecon on 'archive' and its children multiple times trying to remedy this situation, but I think I've actually broken other scripts now that used to work - they did the same thing! I don't remember how I got them to work a couple of years back.

The more I read the Red Hat selinux docs, the more confused I get. This context stuff is light years beyond me. What do I need to do to get this all working/back working? Thank you.

Contexts for directories involved:


[shopdata@wlinux ~]$ sudo ls -Z /var/www/cgi-bin/archive
drwsrwsrwx. root dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 log
drwxrwsrwx. root dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 shoplist


[shopdata@wlinux ~]$ sudo ls -Z /var/www/cgi-bin/archive/shoplist
drwxrwsrwx. root dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 error
drwxrwsrwx. root dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 log


[shopdata@wlinux ~]$ sudo ls -Z /var/www/cgi-bin/archive/shoplist/log
-rwxrwxrwx. apache dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 20150425201359User1.html
-rwxrwxrwx. apache dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 20150425201910User1.html
-rwxrwxrwx. apache dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 20150426180415User1.html
Last edited by lightman47 on 2015/04/29 12:18:14, edited 1 time in total.

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux - at wits end

Post by TrevorH » 2015/04/28 12:04:00

Your problem is that selinux believes (probably correctly) that nothing should write to /var/www/cgi-bin, so it stops it from happening. Can you not pick a different location for the archived copy? Somewhere where it will let you write without special rules. The alternative is to create the rule that will allow it to write there using the semanage utility. For example, if I run semanage fcontext -l | grep "httpd.*rw" to see places where httpd is currently allowed to write, I can see a bunch of places where you could place the archive, none of which look particularly relevant for your purpose. However, you could take one of those, copy it and amend it to point to a location that you want to use. Something like


semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/cgi-bin/archive(/.*)?'
I used your current intended location there, but I am not sure that it's the best thing to do, to allow writing to a subdirectory of a place that httpd can execute scripts from! That sounds to me like it could easily be exploited.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
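Added example (this is not code from the thread or from either poster): a bash script that carries out the fix TrevorH describes with the archive tree moved out of cgi-bin, as the original poster ended up doing. It assumes a hypothetical data-drive path /data/shoparchive, labels that tree httpd_sys_rw_content_t with semanage and then applies the label with restorecon (semanage only records the rule; nothing on disk changes until restorecon runs), and keeps the script directory itself on httpd_sys_script_exec_t so execute and write never share a label. The audit function parses `ls -Z` output and treats only httpd_sys_rw_content_t as a CGI-writable type; the sample listing is constructed from the lines in the first post plus one made-up entry for the relocated archive.

```bash
#!/bin/bash
# Added example for the thread above; not the poster's script.
# ARCHIVE_DIR is a hypothetical path (assumption), outside /var/www/cgi-bin.
ARCHIVE_DIR="${ARCHIVE_DIR:-/data/shoparchive}"

# Constructed sample: the first three lines are copied from the thread's
# `ls -Z` output (CentOS 6 five-field format); the last one is made up to
# show what a correctly labelled, relocated archive directory looks like.
SAMPLE_LS_Z='drwsrwsrwx. root dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 log
drwxrwsrwx. root dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 shoplist
-rwxrwxrwx. apache dbjoe system_u:object_r:httpd_sys_script_exec_t:s0 20150425201359User1.html
drwxr-x---. apache dbjoe system_u:object_r:httpd_sys_rw_content_t:s0 shoparchive'

# audit_ls_z: read `ls -Z` lines on stdin and print one line per entry:
#   WRITABLE|NOT-WRITABLE <selinux type> <name>
# Handles both the five-field format shown in the thread and the newer
# two-field "<context> <name>" format that `ls -Z` prints on CentOS 7.
# Only httpd_sys_rw_content_t is treated as writable by a CGI script;
# httpd_sys_script_exec_t (the cgi-bin label) is execute-only.
audit_ls_z() {
    awk '
        NF >= 2 {
            ctxf  = (NF >= 5) ? 4 : 1
            namef = ctxf + 1
            if ($ctxf !~ /:/) next          # not a context field; skip
            split($ctxf, ctx, ":")
            type   = ctx[3]
            status = (type == "httpd_sys_rw_content_t") ? "WRITABLE" : "NOT-WRITABLE"
            print status, type, $namef
        }'
}

# relabel_archive_dir: record a file-context rule for the archive tree and
# apply it.  Must run as root on a host with policycoreutils installed.
# -a fails if a rule for the same path already exists, so fall back to -m.
relabel_archive_dir() {
    local dir="$1"
    mkdir -p "$dir"
    semanage fcontext -a -t httpd_sys_rw_content_t "${dir}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t httpd_sys_rw_content_t "${dir}(/.*)?"
    restorecon -R -v "$dir"                 # nothing is relabelled until this runs
    # Verify: the policy's answer and the on-disk label should both be rw_content.
    matchpathcon "$dir"
    ls -dZ "$dir" | audit_ls_z
}

# Offline demo: audit the constructed listing.  Pass --apply to relabel.
if [ "${1:-}" = "--apply" ]; then
    relabel_archive_dir "$ARCHIVE_DIR"
else
    printf '%s\n' "$SAMPLE_LS_Z" | audit_ls_z
fi
```

Run it without arguments to see why the original layout failed: every entry under cgi-bin carries httpd_sys_script_exec_t, which lets httpd execute the scripts but not write next to them, while the relocated directory is the only one reported WRITABLE. If an allowed write still gets denied after relabelling, the thread's own `semanage fcontext -l | grep "httpd.*rw"` shows which other paths and types the policy already treats as httpd-writable, and `ausearch -m avc -ts recent` shows the exact denial.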

lightman47
Posts: 1522
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

[Solved] Re: selinux - at wits end

Post by lightman47 » 2015/04/28 12:22:43

Hmm - I see your point. I could move it all and merely change a couple of script variables. I chose this because the variable in the scripts pointed to a relative location from where the script runs, rather than a hard-coded path ... because I thought of 'security'. Obviously, I didn't think about it enough. I guess I'll move the whole archive structure to a data drive and hard-code the variable(s).

Thank you.

Edit:

Moved archive structure to a data drive, used a chcon example from http://wiki.centos.org/HowTos/SELinux, and set selinux to enforcing. Seems to be working fine.
