* [gentoo-hardened] apache2 selinux
From: Jeff Rooney @ 2009-03-19 22:02 UTC
  To: gentoo-hardened


I just installed a fresh copy of Gentoo and figured I'd give SELinux a
shot, and I think that I have hammered out most of my issues, but I have a quick
question. I have SELinux running in targeted/enforcing mode, but for some
reason apache is staying in the wrong context:

# ps fauxZ | grep apache2
unconfined_u:unconfined_r:unconfined_t root 7167 0.0  0.0  3836   572 pts/0    S+   16:59   0:00          \_ grep --colour=auto apache2
user_u:system_r:initrc_t        root      7153  0.0  0.0 152376  5912 ?        Ss   16:55   0:00 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start
user_u:system_r:initrc_t        apache    7155  0.0  0.0 152376  3784 ?        S    16:55   0:00  \_ /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start
user_u:system_r:initrc_t        apache    7156  0.0  0.0 152376  3784 ?        S    16:55   0:00  \_ /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start
user_u:system_r:initrc_t        apache    7157  0.0  0.0 152376  3784 ?        S    16:55   0:00  \_ /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start
user_u:system_r:initrc_t        apache    7158  0.0  0.0 152376  3784 ?        S    16:55   0:00  \_ /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start
user_u:system_r:initrc_t        apache    7159  0.0  0.0 152376  3784 ?        S    16:55   0:00  \_ /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start


The other services on the box start up in their proper context just fine,
for example:
# ps fauxZ | grep mysqld
system_u:system_r:mysqld_t      mysql     4100  0.0  0.0 214892 30996 ?        Ssl  16:51   0:00 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock


I have the selinux-apache policy installed

# semodule -l | grep apache
apache  1.9.1

I'm sure it's something stupid that I'm missing, but any suggestions? Thanks


Jeff Rooney
jtrooney@nexdlevel.com


* Re: [gentoo-hardened] apache2 selinux
From: Chris PeBenito @ 2009-03-20 13:05 UTC
  To: gentoo-hardened


On Thu, 2009-03-19 at 17:02 -0500, Jeff Rooney wrote:
> I just installed a fresh copy of Gentoo and figured I'd give SELinux a shot, and I think that I have hammered out most of my issues, but I have a quick question. I have SELinux running in targeted/enforcing mode, but for some reason apache is staying in the wrong context:
> 
> # ps fauxZ | grep apache2
> unconfined_u:unconfined_r:unconfined_t root 7167 0.0  0.0  3836   572 pts/0    S+   16:59   0:00          \_ grep --colour=auto apache2
> user_u:system_r:initrc_t        root      7153  0.0  0.0 152376  5912 ?        Ss   16:55   0:00 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -d /usr/lib64/apache2 -f /etc/apache2/httpd.conf -k start

Is /usr/sbin/apache2 httpd_exec_t?  If not then `rlpkg apache` and try
again.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


* Re: [gentoo-hardened] apache2 selinux
From: Jeff Rooney @ 2009-03-20 15:28 UTC
  To: gentoo-hardened


After relabeling the apache2 binary it starts in the proper context, but if
I set the policy to enforcing, run_init is giving me a Permission denied
error:

hardened ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
hardened ~ # run_init /etc/init.d/apache2 start
Authenticating root.
Password:
execvp: Permission denied
hardened ~ # ls -Z /usr/sbin/run_init
system_u:object_r:run_init_exec_t /usr/sbin/run_init


I found the transition was getting denied in the audit log:

type=AVC msg=audit(1237544556.377:61): avc:  denied  { transition } for pid=5172 comm="run_init" path="/usr/sbin/open_init_pty" dev=sda7 ino=14812333 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=process

After running that through audit2allow and loading the module it's still getting
denied. The policy is pretty straightforward:
module runinit 1.0;

require {
        class process transition;
        type initrc_t;
        type unconfined_t;
        role unconfined_r;
};

allow unconfined_t initrc_t:process transition;

Again, I'm sure it's something stupid, but I'm not sure what's going on.

Jeff Rooney
jtrooney@nexdlevel.com

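As an added example, not a tool from the thread or from Gentoo, the Python below reads AVC denial lines in the format quoted above, renders the allow rule audit2allow would generate for each, and reports whether the posted runinit module already grants it (the second audit line is constructed for illustration). Where the rule is already present, as for the transition denial here, the module is not what is missing; a domain transition also needs execute permission on the entrypoint file, an entrypoint rule for the target domain, and a role authorized for the target type, so those are the next things to check with audit2why or sesearch.

```python
"""Map AVC denials to the allow rules audit2allow would emit and check whether a
policy module already carries them (added example; not a tool from the thread)."""
import re
# Constructed input: line 1 is the denial posted in the thread, line 2 is invented.
AVC_SAMPLE = """\
type=AVC msg=audit(1237544556.377:61): avc:  denied  { transition } for pid=5172 comm="run_init" path="/usr/sbin/open_init_pty" dev=sda7 ino=14812333 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=process
type=AVC msg=audit(1237544600.001:62): avc:  denied  { read open } for pid=7155 comm="apache2" name="index.html" dev=sda7 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""
# The module posted in the thread, with the require block collapsed to one line.
MODULE_TE = """\
module runinit 1.0;
require { class process transition; type initrc_t; type unconfined_t; role unconfined_r; };
allow unconfined_t initrc_t:process transition;
"""
# Permissions, source/target contexts and object class of one denial line.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\} for .*?"
                    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
# One TE allow rule with a single permission or a { ... } permission set.
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]+)\}|(\w+))\s*;", re.M)

def parse_avc(text):
    """Yield (source_type, target_type, class, perms) for each denial line."""
    for m in AVC_RE.finditer(text):
        stype = m.group("scon").split(":")[2]   # contexts are user:role:type[:range]
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def parse_allows(te_text):
    """Return {(source, target, class): set(perms)} from a module's allow rules."""
    rules = {}
    for src, tgt, cls, many, one in ALLOW_RE.findall(te_text):
        rules.setdefault((src, tgt, cls), set()).update(many.split() if many else [one])
    return rules

def suggest_rule(stype, ttype, tclass, perms):
    """Render the allow rule audit2allow would generate for one denial."""
    names = " ".join(sorted(perms))
    return "allow %s %s:%s %s;" % (stype, ttype, tclass,
                                   names if len(perms) == 1 else "{ %s }" % names)

def check_denials(avc_text, te_text):
    """Return {suggested_rule: True if the module already grants every permission}."""
    rules = parse_allows(te_text)
    return {suggest_rule(s, t, c, p): p <= rules.get((s, t, c), set())
            for s, t, c, p in parse_avc(avc_text)}

if __name__ == "__main__":
    for rule, covered in check_denials(AVC_SAMPLE, MODULE_TE).items():
        print(("already granted: " if covered else "missing:         ") + rule)
```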
