Hi,
how do I allow lighttpd access to a directory like this:
dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles
I tried to create and install a selinux module, and it didn´t work. The non-working module can not be removed, either:
semodule -r lighttpd-files_articles.pp libsemanage.semanage_direct_remove_key: Unable to remove module lighttpd-files_articles.pp at priority 400. (No such file or directory). semodule: Failed!
Currently, only read access is required. Write access may be required later.
type=AVC msg=audit(1506168999.456:2350): avc: denied { getattr } for pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168999.456:2350): arch=c000003e syscall=4 success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1506168999.456:2351): avc: denied { open } for pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168999.456:2351): arch=c000003e syscall=2 success=yes exit=9 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1506168723.591:2342): avc: denied { read } for pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168723.591:2342): arch=c000003e syscall=2 success=no exit=-13 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef2a0 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Why isn´t there a simple way to allow access to files as needed? Being like this, selinux is entirely unmanagable. Does it even do any more good than it keeps getting in the way?
On 09/23/2017 08:37 AM, hw wrote:
Hi,
how do I allow lighttpd access to a directory like this:
dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles
I tried to create and install a selinux module, and it didn´t work. The non-working module can not be removed, either:
semodule -r lighttpd-files_articles.pp libsemanage.semanage_direct_remove_key: Unable to remove module lighttpd-files_articles.pp at priority 400. (No such file or directory). semodule: Failed!
Currently, only read access is required. Write access may be required later.
type=AVC msg=audit(1506168999.456:2350): avc: denied { getattr } for pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168999.456:2350): arch=c000003e syscall=4 success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1506168999.456:2351): avc: denied { open } for pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168999.456:2351): arch=c000003e syscall=2 success=yes exit=9 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1506168723.591:2342): avc: denied { read } for pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168723.591:2342): arch=c000003e syscall=2 success=no exit=-13 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef2a0 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Why isn´t there a simple way to allow access to files as needed? Being like this, selinux is entirely unmanagable. Does it even do any more good than it keeps getting in the way? _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
SELinux is a labelling system, every process has a label, every object on the system has a label. There are rules in the kernel that allow access between process labels and system object labels, the kernel enforces the rules.
Some how this content on your system. /srv/data/files_articles, got labeled as samba content (samba_share_t). Now you want to share it via lighthttp (httpd_t). If this content is only to be shared via lighthttpd, you would need to set the label to something that httpd_t can read.
man http_selinux (selinux-policy-docs rpm)
Will show you the labels.
httpd_sys_content_t is the usually type for httpd read only content. httpd_sys_content_rw_t is the type for read/write content. There are commands in the man page that explain how to change the default labels.
If you need to share this content via httpd and samba there are a couple of label types public_content_t, which allow you to share content with multiple services. Also explained in the man page.
audit2allow is usually a secondary thing to use when there is no way to allow access.
On Sat, Sep 23, 2017 at 5:37 AM, hw hw@gc-24.de wrote:
how do I allow lighttpd access to a directory like this:
dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles
setenforce permissive tail -f /var/log/audit/audit.log | grep AVC | audit2allow -m <module name>
... do whatever you want to allow, then kill "tail -f" ...
setenforce enforcing
I tried to create and install a selinux module, and it didn´t work.
What did you try?
The non-working module can not be removed, either:
semodule -r lighttpd-files_articles.pp
You can get a list of installed modules using "semodule -l". Module names don't have a ".pp" suffix, typically.
-
Daniel Walsh -
Gordon Messmer -
hw