I am trying to bring kmotion under control of SeLinux,
so how can I do it?
1) I tried context httpd_exec_t and httpd_t, but neither seems to work,
so out of the zillions of options which do I use as these files are
apache
and python programs. (See log below):
semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion'
semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin'
semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
And these commands seemed to take without any errors reported
but the context of the directory and files remain unchanged:
-rw-r--r--. <me> <me> unconfined_u:object_r:default_t:s0
/www/kmotion/www/vhosts/kmotion
drwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 cgi_bin
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_arch.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_feeds.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_func.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_load.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_logs.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_out.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0 xmlHttp_ptz.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_settings_rd.py
-rwxr-xr-x. <me> <me> unconfined_u:object_r:default_t:s0
xmlHttp_settings_wr.py
2) For fun, I also tried these steps for the above files:
chcon -t httpd_t cgi_bin
chcon -t httpd_t cgi_bin/*
And I get: "chcon: failed to change context of <...>: Permission
denied.",
however, http_exec_t seems to take, but does not shut up selinux AVC
denials.
====================================================
The following is what is reported from setroubleshooter tool
====================================================
Summary:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled
files
/www/kmotion/www/vhosts/kmotion.
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files
/www/kmotion/www/vhosts/kmotion. This means that SELinux will not allow
httpd to
use these files. If httpd should be allowed this access to these files you
should change the file context to one of the following types,
httpd_mediawiki_htaccess_t, calamaris_www_t, udev_tbl_t, user_cron_spool_t,
httpd_cache_t, httpd_tmp_t, httpd_tmpfs_t, iso9660_t, smokeping_var_lib_t,
shell_exec_t, httpd_w3c_validator_htaccess_t, rpm_tmp_t, mysqld_etc_t,
cvs_data_t, var_lib_t, dirsrvadmin_tmp_t, sendmail_exec_t, cobbler_etc_t,
configfile, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_cache_t,
httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, logfile,
httpd_mediawiki_tmp_t, samba_var_t, dirsrv_var_log_t, net_conf_t,
user_tmp_t,
public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t,
cert_type,
etc_runtime_t, dirsrv_var_run_t, abrt_var_run_t, httpd_var_lib_t,
httpd_var_run_t, httpd_suexec_exec_t, application_exec_type,
httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_user_htaccess_t, dirsrvadmin_config_t, user_home_t,
httpd_squid_htaccess_t, chroot_exec_t, httpd_munin_htaccess_t,
sysctl_crypto_t,
httpd_sys_content_t, mailman_archive_t, public_content_rw_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, abrt_t, bin_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, httpd_t, lib_t, lib_t, httpd_prewikka_htaccess_t,
usr_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t,
httpd_rotatelogs_exec_t, abrt_helper_exec_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, ping_exec_t,
cluster_conf_t, locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t,
fonts_cache_t, httpd_exec_t, ld_so_t, httpd_lock_t, proc_t, httpd_log_t,
sysfs_t, dirsrv_config_t, textrel_shlib_t, krb5_keytab_t, ssh_exec_t,
passenger_exec_t, krb5_conf_t, fail2ban_var_lib_t, httpd_config_t,
rpm_script_tmp_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_prewikka_script_exec_t, httpd_munin_ra_content_t,
httpd_munin_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t,
httpd_cvs_script_exec_t, root_t, user_home_t,
httpd_dirsrvadmin_script_exec_t,
httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t,
httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t,
httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t,
httpd_user_content_t,
httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_munin_content_t,
httpd_squid_content_t,
httpd_smokeping_cgi_content_t, httpd_awstats_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t,
httpd_prewikka_rw_content_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_cobbler_content_t, httpd_mediawiki_content_t, krb5_host_rcache_t,
httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_bugzilla_script_exec_t, httpd_awstats_content_t,
httpd_user_ra_content_t,
httpd_user_rw_content_t, httpd_nutups_cgi_content_t. Many third party apps
install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /www/kmotion/www/vhosts/kmotion so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/www/kmotion/www/vhosts/kmotion'.
where FILE_TYPE is one of the following: httpd_mediawiki_htaccess_t,
calamaris_www_t, udev_tbl_t, user_cron_spool_t, httpd_cache_t, httpd_tmp_t,
httpd_tmpfs_t, iso9660_t, smokeping_var_lib_t, shell_exec_t,
httpd_w3c_validator_htaccess_t, rpm_tmp_t, mysqld_etc_t, cvs_data_t,
var_lib_t,
dirsrvadmin_tmp_t, sendmail_exec_t, cobbler_etc_t, configfile,
httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_cache_t,
httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, logfile,
httpd_mediawiki_tmp_t, samba_var_t, dirsrv_var_log_t, net_conf_t,
user_tmp_t,
public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t,
cert_type,
etc_runtime_t, dirsrv_var_run_t, abrt_var_run_t, httpd_var_lib_t,
httpd_var_run_t, httpd_suexec_exec_t, application_exec_type,
httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_user_htaccess_t, dirsrvadmin_config_t, user_home_t,
httpd_squid_htaccess_t, chroot_exec_t, httpd_munin_htaccess_t,
sysctl_crypto_t,
httpd_sys_content_t, mailman_archive_t, public_content_rw_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, abrt_t, bin_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, httpd_t, lib_t, lib_t, httpd_prewikka_htaccess_t,
usr_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t,
httpd_rotatelogs_exec_t, abrt_helper_exec_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, ping_exec_t,
cluster_conf_t, locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t,
fonts_cache_t, httpd_exec_t, ld_so_t, httpd_lock_t, proc_t, httpd_log_t,
sysfs_t, dirsrv_config_t, textrel_shlib_t, krb5_keytab_t, ssh_exec_t,
passenger_exec_t, krb5_conf_t, fail2ban_var_lib_t, httpd_config_t,
rpm_script_tmp_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_prewikka_script_exec_t, httpd_munin_ra_content_t,
httpd_munin_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t,
httpd_cvs_script_exec_t, root_t, user_home_t,
httpd_dirsrvadmin_script_exec_t,
httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t,
httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t,
httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t,
httpd_user_content_t,
httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_munin_content_t,
httpd_squid_content_t,
httpd_smokeping_cgi_content_t, httpd_awstats_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t,
httpd_prewikka_rw_content_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_cobbler_content_t, httpd_mediawiki_content_t, krb5_host_rcache_t,
httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_bugzilla_script_exec_t, httpd_awstats_content_t,
httpd_user_ra_content_t,
httpd_user_rw_content_t, httpd_nutups_cgi_content_t. You can look at the
httpd_selinux man page for additional information.
Additional Information:
Source Context system_u:system_r:httpd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:default_t:s0
Target Objects /www/kmotion/www/vhosts/kmotion [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <
host>.<domain>.com
Source RPM Packages httpd-2.2.17-1.fc13.1
Target RPM Packages
Policy RPM selinux-policy-3.7.19-101.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name httpd_bad_labels
Host Name <
host>.<domain>.com
Platform Linux <
host>.<domain>.com
2.6.34.9-69.fc13.i686 #1 SMP
Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count 1
First Seen Thu 23 Jun 2011 03:53:08 AM PDT
Last Seen Thu 23 Jun 2011 03:53:08 AM PDT
Local ID 6611a91e-3b6b-4ed8-9ac1-a6bf0d08f5ca
Line Numbers
Raw Audit Messages
node=<host>.<domain>.com type=AVC msg=audit(1308826388.806:65944): avc:
denied { getattr } for pid=28408 comm="httpd"
path="/www/kmotion/www/vhosts/kmotion" dev=sda10 ino=5637335
scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:default_t:s0 tclass=file
node=<host>.<domain>.com type=SYSCALL msg=audit(1308826388.806:65944):
arch=40000003 syscall=195 success=yes exit=0 a0=176fa30 a1=bf903050
a2=994ff4 a3=8000 items=0 ppid=28407 pid=28408 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=335 comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c1023
key=(null)