Hi everyone!
I'm new to SELinux, and I need some guidance on the correct way to apply policies in my scenario.
The scenario is as follows:
- Samba file server, shares files for CentOS 6.2 servers and some Windows workstations. There's no AD or Domain, only smd/unix users.
- Apache web server, accesses the file server's files directly via a directory mounted under /var/www/html.
- remote directory is mounted on the web server during boot with a samba user privileges.
- Samba file server is working fine under normal access with windows workstations and the files browsing from the web server shows no problems.
- Samba files are in the samba_share_t context
- No relevant error messages on logs
The problems:
- httpd is reporting intermittent "access denied" to files.
The question:
- Is this type of configuration supported?
- How should I configure Selinux on the web server?
Thanks!!!
Sebastian.
selinux: httpd access on samba share
-
- Posts: 3
- Joined: 2012/05/24 17:23:02
- Location: Buenos Aires, Argentina
-
- Retired Moderator
- Posts: 18276
- Joined: 2006/12/13 20:15:34
- Location: Tidewater, Virginia, North America
- Contact:
selinux: httpd access on samba share
Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.
[quote]
sebastian73 wrote:
...
- Samba file server, shares files for CentOS 6.2 servers and some Windows workstations. There's no AD or Domain, only smd/unix users.[/quote]
Using Samba between CentOS systems is a bad idea. Use NFS for Linux and Samba for Windows. Samba clients know nothing about SELinux.
[quote]
...
The question:
- Is this type of configuration supported?[/quote]
Not very well.
[quote]
- How should I configure Selinux on the web server?[/quote]
[url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=37313&forum=56&post_id=162937#forumpost162937]This post[/url] may be helpful. See also the Wiki articles:
[url=http://wiki.centos.org/TipsAndTricks/SelinuxBooleans]TipsAndTricks/SelinuxBooleans[/url]
[url=http://wiki.centos.org/HowTos/SELinux]HowTos/SELinux[/url]
Re: selinux: httpd access on samba share
I'm afraid that I can't understand your machine mapping description. Is this one machine or two (or more)?
Maybe it'll help if I say that the only files apache should be able to access are of type httpd_sys_content_t and a few other context names that start with httpd_. The only files that samba should be able to access are those labeled with samba_share_t. Both can access files of type public_content_t and public_content_rw_t (the first for read and the second for read/write).
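The type rules described in the post above, turned into a triage helper for httpd AVC denials (an added example, not part of the original thread). The sample audit lines are constructed, and the types `cifs_t`/`nfs_t` and the booleans `httpd_use_cifs`/`httpd_use_nfs` come from the stock targeted policy rather than from the thread.

```shell
#!/bin/sh
# Added example: classify httpd AVC denials by the SELinux type of the target file.

# Extract the type (third field) from a context such as system_u:object_r:cifs_t:s0
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print "<target_type> <hint>" for one audit line.
# Returns 1 and prints nothing if the line is not a denial against httpd_t.
triage_avc() {
    local line scon tcon ttype
    line=$1
    case $line in
        *"avc:"*denied*) ;;
        *) return 1 ;;
    esac
    scon=$(printf '%s\n' "$line" | sed -n 's/.* scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line" | sed -n 's/.* tcontext=\([^ ]*\).*/\1/p')
    [ "$(ctx_type "$scon")" = "httpd_t" ] || return 1
    ttype=$(ctx_type "$tcon")
    case $ttype in
        # Files on a CIFS mount carry one mount-wide label; ls -Z shows no per-file context.
        cifs_t)        echo "$ttype boolean:httpd_use_cifs" ;;
        nfs_t)         echo "$ttype boolean:httpd_use_nfs" ;;
        # Local files labelled for Samba only: a type both daemons may read fits better.
        samba_share_t) echo "$ttype relabel:public_content_t" ;;
        *)             echo "$ttype review" ;;
    esac
}

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_CIFS='type=AVC msg=audit(1337900000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="report.pdf" dev=cifs ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file'
SAMPLE_SAMBA='type=AVC msg=audit(1337900001.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/srv/share/a.txt" dev=dm-0 ino=777 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file'
SAMPLE_OTHER='type=AVC msg=audit(1337900002.789:458): avc:  denied  { write } for  pid=999 comm="smbd" name="index.html" dev=dm-0 ino=888 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

for l in "$SAMPLE_CIFS" "$SAMPLE_SAMBA" "$SAMPLE_OTHER"; do
    triage_avc "$l" || echo "skipped (not an httpd denial)"
done
```

On a real web server the input would come from `ausearch -m avc -c httpd`, and a boolean hint is applied with `setsebool -P httpd_use_cifs on`.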
-
- Posts: 3
- Joined: 2012/05/24 17:23:02
- Location: Buenos Aires, Argentina
Re: selinux: httpd access on samba share
Hi, thanks for your interest.
Clarifying your question, there are two virtual servers on different kvm hosts.
Regarding the context on the files, I was unable to establish the context of the files on the mounted directory, if I execute an ls -Z there is no context for these files.
On the File server I establish the samba_share_t context.
Sebastian.
-
- Retired Moderator
- Posts: 18276
- Joined: 2006/12/13 20:15:34
- Location: Tidewater, Virginia, North America
- Contact:
Re: selinux: httpd access on samba share
[quote]
sebastian73 wrote:
...
Regarding the context on the files, I was unable to establish the context of the files on the mounted directory, if I execute an ls -Z there is no context for these files.[/quote]
If you are still using Samba to export the filesystems that would be the expected result.
[quote]
...
On the File server I establish the samba_share_t context.[/quote]
That's not going to work out of the box for Apache/http even if you do use NFS rather than Samba/CIFS. See the [url=http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-The_Apache_HTTP_Server.html]upstream docs[/url] for more details.
Re: selinux: httpd access on samba share
[quote]
if I execute an ls -Z there is no context for these files.
[/quote]
Is selinux enabled on both hosts?
-
- Posts: 3
- Joined: 2012/05/24 17:23:02
- Location: Buenos Aires, Argentina
Re: selinux: httpd access on samba share
Thanks people for your support!
I'll check all the posted documentation, migrate the access method to NFS and reset the selinux config as suggested.