
SELinux drives me up the wall!

Posted: 2012/01/04 03:14:38
by MarkehMe
Hey there, SELinux is driving me up the walls. Is anyone able to help me out? I'd greatly appreciate it.

My server is running cPanel, and we're trying our best to get SELinux running. We're only having a few problems though:
[code]audit2allow -dv


#============= dovecot_auth_t ==============
# src="dovecot_auth_t" tgt="bin_t" class="file", perms="{ read execute execute_no_trans }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t bin_t:file { read execute execute_no_trans };
# src="dovecot_auth_t" tgt="initrc_t" class="unix_stream_socket", perms="connectto"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t initrc_t:unix_stream_socket connectto;
# src="dovecot_auth_t" tgt="var_run_t" class="sock_file", perms="{ write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_run_t:sock_file { write getattr };
# src="dovecot_auth_t" tgt="var_t" class="file", perms="{ read write getattr }"
# comm="dovecot-auth" exe="" path=""
allow dovecot_auth_t var_t:file { read write getattr };

#============= dovecot_t ==============
# src="dovecot_t" tgt="dovecot_var_run_t" class="lnk_file", perms="{ create unlink }"
# comm="dovecot" exe="" path=""
allow dovecot_t dovecot_var_run_t:lnk_file { create unlink };
# src="dovecot_t" tgt="dovecot_t" class="process", perms="setcap"
# comm="dovecot" exe="" path=""
allow dovecot_t self:process setcap;
# src="dovecot_t" tgt="var_t" class="file", perms="{ read getattr }"
# comm="dovecot" exe="" path=""
allow dovecot_t var_t:file { read getattr };

#============= hwclock_t ==============
# src="hwclock_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="hwclock" exe="" path=""
allow hwclock_t file_t:file { read getattr };

#============= ifconfig_t ==============
# src="ifconfig_t" tgt="initrc_tmp_t" class="file", perms="write"
# comm="ifconfig" exe="" path=""
allow ifconfig_t initrc_tmp_t:file write;
# src="ifconfig_t" tgt="usr_t" class="file", perms="append"
# comm="ifconfig" exe="" path=""
allow ifconfig_t usr_t:file append;
# src="ifconfig_t" tgt="var_t" class="file", perms="read"
# comm="ifconfig" exe="" path=""
allow ifconfig_t var_t:file read;

#============= initrc_t ==============
# src="initrc_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t lib_t:file execmod;
# src="initrc_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow initrc_t usr_t:file execmod;

#============= named_t ==============
# src="named_t" tgt="named_zone_t" class="dir", perms="write"
# comm="named" exe="" path=""
allow named_t named_zone_t:dir write;
# src="named_t" tgt="var_run_t" class="file", perms="write"
# comm="named-checkconf" exe="" path=""
allow named_t var_run_t:file write;

#============= pam_console_t ==============
# src="pam_console_t" tgt="file_t" class="file", perms="{ read getattr }"
# comm="pam_console_app" exe="" path=""
allow pam_console_t file_t:file { read getattr };

#============= setroubleshootd_t ==============
# src="setroubleshootd_t" tgt="lib_t" class="dir", perms="{ write remove_name add_name }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:dir { write remove_name add_name };
# src="setroubleshootd_t" tgt="lib_t" class="file", perms="{ write create unlink }"
# comm="setroubleshootd" exe="" path=""
allow setroubleshootd_t lib_t:file { write create unlink };

#============= spamd_t ==============
# src="spamd_t" tgt="spamd_t" class="process", perms="setrlimit"
# comm="spamd" exe="" path=""
allow spamd_t self:process setrlimit;
# src="spamd_t" tgt="spamd_var_lib_t" class="file", perms="execute"
# comm="spamd" exe="" path=""
allow spamd_t spamd_var_lib_t:file execute;
# src="spamd_t" tgt="var_run_t" class="file", perms="{ write ioctl }"
# comm="spamd" exe="" path=""
allow spamd_t var_run_t:file { write ioctl };

#============= system_mail_t ==============
# src="system_mail_t" tgt="usr_t" class="file", perms="{ read getattr ioctl }"
# comm="exim" exe="" path=""
allow system_mail_t usr_t:file { read getattr ioctl };

#============= unconfined_t ==============
# src="unconfined_t" tgt="lib_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t lib_t:file execmod;
# src="unconfined_t" tgt="usr_t" class="file", perms="execmod"
# comm="php" exe="" path=""
allow unconfined_t usr_t:file execmod;[/code]

If you want something a bit more ugly: http://pastebin.com/EhmtMwnC

SELinux would be a great way for us to allow users to have SSH access to our server without having them access files they don't need, and to open up PHP functions such as popen and shell_exec (we basically want to limit what bash commands they can access, and what files they can access).

Thanks for your time!

SELinux drives me up the wall!

Posted: 2012/01/04 03:36:57
by pschaff
Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

Sorry, but if you have a specific question it escapes me. :-)

Re: SELinux drives me up the wall!

Posted: 2012/01/10 18:32:21
by Black_Heart
Not knowing anything about running a public server, I'll nonetheless offer an opinion. You will never get cPanel to work with SELinux.

Any NAT, firewall or internal IPs have to be disabled in order to use cPanel. cPanel has to be installed onto a fresh server install BEFORE a desktop, GUI stuff or, especially, SELinux is installed. The beauty of all this is that the only way to fix things will be to wipe the hard drive(s) and start over. If I am wrong, I apologize. But I'm not.

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/Quick-StartInstallationGuide
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/TroubleShooting


Just found the nail in the coffin:
http://docs.cpanel.net/twiki/bin/view/11_28/InstallationGuide/Quick-StartInstallationGuide#Disable SELinux Security Feature

Re: SELinux drives me up the wall!

Posted: 2012/01/10 18:43:46
by pschaff
A fresh server install will include SELinux unless one goes to a lot of trouble to exclude it. Those links and statements seem to me to be reasons to avoid cPanel and similar control panels. To see some of the many issues with such products just try a [url=https://www.centos.org/search.php?query=cpanel&mid=30&action=showall&andor=AND]forum search for cPanel[/url].

Re: SELinux drives me up the wall!

Posted: 2012/01/10 18:51:48
by Black_Heart
[quote]
pschaff wrote:
...Those links and statements seem to me to be reasons to avoid cPanel and similar control panels. To see some of the many issues with such products just try a [url=https://www.centos.org/search.php?query=cpanel&mid=30&action=showall&andor=AND]forum search for cPanel[/url].[/quote]

Righto. Why would anyone want to use a server such as cPanel? The thing sounds like a security disaster in waiting.