selinux: httpd access on samba share

Support for security such as Firewalls and securing linux
sebastian73
Posts: 3
Joined: 2012/05/24 17:23:02
Location: Buenos Aires, Argentina

selinux: httpd access on samba share

Post by sebastian73 » 2012/05/24 18:29:48

Hi everyone!

I'm new to SELinux, and I need some guidance on the correct way to apply policies in my scenario.

The scenario is as follows:
- Samba file server, shares files for CentOS 6.2 servers and some Windows workstations. There's no AD or Domain, only smb/unix users.
- Apache web server, accesses the file server's files directly through a mounted directory inside /var/www/html.
- The remote directory is mounted on the web server during boot with a Samba user's privileges.
- The Samba file server is working fine under normal access with Windows workstations, and browsing the files from the web server shows no problems.
- Samba files are in the samba_share_t context
- No relevant error messages on logs

The problems:
- httpd is reporting intermittent "access denied" to files.

The question:
- Is this type of configuration supported?
- How should I configure SELinux on the web server?

Thanks!!!
Sebastian.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

selinux: httpd access on samba share

Post by pschaff » 2012/05/24 23:08:29

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

[quote]
sebastian73 wrote:
...
- Samba file server, shares files for CentOS 6.2 servers and some Windows workstations. There's no AD or Domain, only smb/unix users.[/quote]
Using Samba between CentOS systems is a bad idea. Use NFS for Linux and Samba for Windows. Samba clients know nothing about SELinux.

[quote]
...
The question:
- Is this type of configuration supported?[/quote]
Not very well.

[quote]
- How should I configure SELinux on the web server?[/quote]
[url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=37313&forum=56&post_id=162937#forumpost162937]This post[/url] may be helpful. See also the Wiki articles:
[url=http://wiki.centos.org/TipsAndTricks/SelinuxBooleans]TipsAndTricks/SelinuxBooleans[/url]
[url=http://wiki.centos.org/HowTos/SELinux]HowTos/SELinux[/url]

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux: httpd access on samba share

Post by TrevorH » 2012/05/24 23:24:08

I'm afraid that I can't understand your machine mapping description. Is this one machine or two (or more)?

Maybe it'll help if I say that the only files apache should be able to access are of type httpd_sys_content_t and a few other context names that start with httpd_. The only files that samba should be able to access are those labeled with samba_share_t. Both can access files of type public_content_t and public_content_rw_t (the first for read and the second for read/write).

sebastian73
Posts: 3
Joined: 2012/05/24 17:23:02
Location: Buenos Aires, Argentina

Re: selinux: httpd access on samba share

Post by sebastian73 » 2012/05/25 13:37:49

Hi, thanks for your interest.
To clarify your question, there are two virtual servers on different KVM hosts.
Regarding the context on the files, I was unable to establish the context of the files on the mounted directory; if I execute an ls -Z there is no context for these files.
On the File server I establish the samba_share_t context.

Sebastian.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: selinux: httpd access on samba share

Post by pschaff » 2012/05/25 14:24:28

[quote]
sebastian73 wrote:
...
Regarding the context on the files, I was unable to establish the context of the files on the mounted directory; if I execute an ls -Z there is no context for these files.[/quote]
If you are still using Samba to export the filesystems that would be the expected result.

[quote]
...
On the File server I establish the samba_share_t context.[/quote]
That's not going to work out of the box for Apache/http even if you do use NFS rather than Samba/CIFS. See the [url=http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-The_Apache_HTTP_Server.html]upstream docs[/url] for more details.
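
An added example, not part of the thread or of any poster's reply: a shell sketch that finds which mount backs a path under the document root and names the SELinux boolean that governs httpd access to it. The mount table, share names and paths are constructed; httpd_use_cifs and httpd_use_nfs are the booleans shipped in the upstream targeted policy.

```bash
# Constructed sample in /proc/mounts format; share names and paths are hypothetical.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,seclabel 0 0
//fileserver/webfiles /var/www/html/files cifs rw,username=webuser 0 0
fileserver:/export/docs /var/www/html/docs nfs rw,vers=3 0 0'

# fs_type_for PATH [MOUNTS_TEXT]: print the filesystem type of the mount that
# holds PATH, chosen by the longest matching mount point.
fs_type_for() {
    path="$1"; mounts="${2:-$(cat /proc/mounts)}"
    best_len=-1; best_type=unknown
    while read -r dev mp type rest; do
        [ -n "$mp" ] || continue
        case "$path/" in
            "${mp%/}/"*)
                if [ "${#mp}" -gt "$best_len" ]; then
                    best_len=${#mp}; best_type=$type
                fi ;;
        esac
    done <<EOF
$mounts
EOF
    printf '%s\n' "$best_type"
}

# httpd_boolean_for FSTYPE: boolean controlling httpd access to that
# filesystem type; "none" means access is decided by per-file labels.
httpd_boolean_for() {
    case "$1" in
        cifs)     echo httpd_use_cifs ;;
        nfs|nfs4) echo httpd_use_nfs ;;
        *)        echo none ;;
    esac
}

# advise PATH [MOUNTS_TEXT]: one-line summary of what to check for PATH.
advise() {
    fstype=$(fs_type_for "$1" "$2")
    bool=$(httpd_boolean_for "$fstype")
    if [ "$bool" = none ]; then
        echo "$1: $fstype, label-based (check: ls -Zd $1)"
    else
        echo "$1: $fstype, boolean $bool (check: getsebool $bool)"
    fi
}

for p in /var/www/html/index.html /var/www/html/files/a.pdf /var/www/html/docs/b.txt; do
    advise "$p" "$SAMPLE_MOUNTS"
done
```

On a real web server, call `advise` with only the path so that it reads /proc/mounts instead of the sample table.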

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux: httpd access on samba share

Post by TrevorH » 2012/05/25 14:31:41

[quote]
if I execute an ls -Z there is no context for these files.
[/quote]

Is selinux enabled on both hosts?

sebastian73
Posts: 3
Joined: 2012/05/24 17:23:02
Location: Buenos Aires, Argentina

Re: selinux: httpd access on samba share

Post by sebastian73 » 2012/05/25 14:59:35

Thanks people for your support!
I'll check all the posted documentation, migrate the access method to NFS and reset the selinux config as suggested.
