SELinux and apache

Issues related to applications and software problems
Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

SELinux and apache

Post by Typhome » 2018/12/10 20:16:21

Hello

I'm going to move from CentOS 6 to CentOS 7.6, but I'm having a problem with Apache because of SELinux.

Some PHP scripts (like Roundcube, a file uploader, etc.) need write permissions (uploading files, moving files, writing files, etc.), which SELinux doesn't allow by default.

Someone suggested that:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html(/.*)?'
restorecon -R /var/www/html

Is this a good fix? Won't that create a security hole for attackers? I've seen that everyone suggests disabling SELinux as an easy fix, but I prefer not to do that.

Thanks for the reply.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and apache

Post by TrevorH » 2018/12/10 21:00:26

No, that's not a good fix as it applies that to all of /var/www/html and all subdirectories.

If you install the roundcubemail package from the EPEL repo it ought to work out of the box without doing anything. Is that where you got your copy from?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: SELinux and apache

Post by Typhome » 2018/12/10 21:12:45

Well, I get the Roundcube files from roundcube.net and put them into the Apache web directory... Some folders (/temp, /logs) in the Roundcube directory need write permissions. But I'm not talking only about Roundcube; there are other PHP scripts (uploader, phpBB, CMS, etc.) that I need to run, and they require write permissions. What would you recommend?

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and apache

Post by TrevorH » 2018/12/10 22:15:27

EPEL is what I recommend.

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: SELinux and apache

Post by Typhome » 2018/12/10 22:18:20

Thanks for the reply. That would solve the Roundcube problem, but I still need to run other PHP scripts (like a file uploader, phpBB, CMS, etc.) that require write permissions, and SELinux isn't allowing it. How should I solve this problem, when the fix included in the first post is not recommended? EPEL is not a solution for this, currently.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and apache

Post by TrevorH » 2018/12/10 22:47:49

Well, you solve it the way you solve all SELinux problems: by looking in the logs and allowing accesses that should be allowed.

I know for sure that phpBB can be run with SELinux enforcing, as you're using an instance of it now to read and post here. The first link in the list below should be all that you require to get things working.

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fed ... ced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/se ... licy-guide | http://freecomputerbooks.com/The-SELinu ... tions.html

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: SELinux and apache

Post by Typhome » 2018/12/10 23:10:27

Yes, but not without adding write permissions... That's why I'm looking for a solution that is safe from attackers, etc. I just don't have experience with SELinux, hence it was disabled on CentOS 6. I'll look into them.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and apache

Post by TrevorH » 2018/12/10 23:18:44

Put SELinux in permissive mode by running setenforce 0, then connect to phpBB. That will generate a lot of entries in /var/log/audit/audit.log that you can grep for avc and pipe into the audit2allow utility. That will make you a policy file that you can then load, and it should allow the accesses; then you can run setenforce 1 to go back to enforcing mode. More detailed instructions for doing these things are in the first link I posted - the one to wiki.centos.org.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux and apache

Post by hunter86_bg » 2018/12/11 06:05:56

To make your life easier, install the following:

yum -y install setroubleshoot-server

Then run the following after setting the machine to permissive and starting Apache (do some uploads to get further data):

sealert -a /var/log/audit/audit.log

Then check the proposed solutions with high '%' accuracy. I suppose you will have to create some custom modules.

Typhome
Posts: 27
Joined: 2016/07/09 08:34:03

Re: SELinux and apache

Post by Typhome » 2018/12/11 10:38:43

ls -Z
drwxrwxrwx. root root unconfined_u:object_r:httpd_sys_content_t:s0 cache

semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/cache(/.*)?"
restorecon -Rv "/path/to/cache"

ls -Z
drwxrwxrwx. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache

And the cache folder is writable for Apache. I think that's also the correct way to do it. I wonder if I have to do that again when I move the folder/files to a different path...

/var/log/audit/audit.log contains that:


type=AVC msg=audit(1544520502.752:18918): avc:  denied  { write } for  pid=18191 comm="httpd" name="cache" dev="md1" ino=52956207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1

grep httpd_t /var/log/audit/audit.log | audit2allow -m test1 > test1.te

test1.te contains this:


module test1 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        class file { create rename setattr write };
        class dir { add_name create remove_name setattr write };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { add_name create remove_name setattr write };

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { create rename setattr write };
I can't see any defined path (for example the "cache" folder)... How does it know that it should give those required permissions to Apache for this "cache" folder? Or is it giving those required permissions to Apache for all folders/files that are labeled "httpd_sys_content_t"?
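The two approaches discussed in this thread (TrevorH's permissive-then-audit2allow workflow, hunter86_bg's sealert pass, and the per-directory relabel in the last post) differ in scope: an `allow httpd_t httpd_sys_content_t:dir { write ... }` rule is keyed on the target type, so it covers every directory carrying that label, whereas a `semanage fcontext` rule changes the label of one path. The script below is an added example, not code from the thread or from the SELinux tools: it reads AVC lines in the audit.log format, extracts the fields that matter, and for each httpd denial reports whether it targets a file or directory labeled with the read-only web type (where a narrow relabel of that one directory suffices) or something else (a port, a socket) that needs a boolean or a custom module. The first sample line is the one quoted above; the other two are constructed for this demo, as are the path and the function names.

```shell
#!/bin/sh
# Added example, not from the thread or from the SELinux toolchain.
# Parse AVC denials and report, per httpd denial, whether it is a file-label
# problem (fixable by relabeling one directory) or something else.
# The first sample line is the one from the thread; the other two are constructed.

SAMPLE_AVCS='type=AVC msg=audit(1544520502.752:18918): avc:  denied  { write } for  pid=18191 comm="httpd" name="cache" dev="md1" ino=52956207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544520503.101:18919): avc:  denied  { create write } for  pid=18191 comm="httpd" name="upload.tmp" dev="md1" ino=52956210 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544520504.500:18920): avc:  denied  { name_connect } for  pid=18192 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# Field extractors: each reads one AVC line on stdin and prints the field.
avc_perms()  { sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'; }   # e.g. "create write"
avc_ttype()  { sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'; } # target type only
avc_tclass() { sed -n 's/.*tclass=\([a-z_]*\).*/\1/p'; }              # dir, file, tcp_socket, ...
avc_name()   { sed -n 's/.* name="\([^"]*\)".*/\1/p'; }               # object name, if any

# Classify one AVC line.  "relabel": httpd was denied on a dir/file that still
# carries the read-only web-content type, so giving that one directory the rw
# type is enough.  "other": ports, sockets, etc. need a boolean or a custom module,
# which is what sealert / audit2allow are for.
classify_avc() {
    line=$1
    ttype=$(printf '%s\n' "$line" | avc_ttype)
    tclass=$(printf '%s\n' "$line" | avc_tclass)
    case "$tclass:$ttype" in
        dir:httpd_sys_content_t|file:httpd_sys_content_t) echo relabel ;;
        *) echo other ;;
    esac
}

# One report line per httpd AVC on stdin; non-httpd denials are skipped.
avc_report() {
    while IFS= read -r line; do
        case $line in *'comm="httpd"'*) ;; *) continue ;; esac
        printf '%s %s {%s} name=%s -> %s\n' \
            "$(printf '%s\n' "$line" | avc_tclass)" \
            "$(printf '%s\n' "$line" | avc_ttype)" \
            "$(printf '%s\n' "$line" | avc_perms)" \
            "$(printf '%s\n' "$line" | avc_name)" \
            "$(classify_avc "$line")"
    done
}

# How many of the denials on stdin a per-directory relabel would address.
count_relabel_candidates() {
    avc_report | grep -c -- '-> relabel$' || true
}

# The narrow fix shown in the thread, emitted for one directory (path is a
# placeholder): it relabels only that tree instead of allowing httpd_t to
# write to every httpd_sys_content_t object on the system.
narrow_fix() {
    dir=$1
    printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv '%s'\n" "$dir"
}

printf '%s\n' "$SAMPLE_AVCS" | avc_report
narrow_fix /var/www/html/roundcube/temp
```

Run it as `sh avc_scope.sh`, or feed a real log with `grep avc /var/log/audit/audit.log | sh -c '. ./avc_scope.sh; avc_report'`. The report answers the question in the last post: the generated `.te` rule carries no path because SELinux allow rules are written in terms of types, so loading it would grant httpd_t write access to everything labeled httpd_sys_content_t; the `semanage fcontext` rule for one directory keeps the write permission scoped to that directory, and since fcontext rules are path-based, a directory moved elsewhere needs its own rule (or a `restorecon` after a matching rule exists).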
