Bug 533622
| Summary: | [feature] Policy for lighttpd | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Justin Newman <eqisow> | ||||||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||
| Severity: | medium | Docs Contact: | |||||||||||
| Priority: | low | ||||||||||||
| Version: | 12 | CC: | dwalsh, eqisow, mgrepl | ||||||||||
| Target Milestone: | --- | Keywords: | FutureFeature | ||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | All | ||||||||||||
| OS: | Linux | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | 3.6.32-46.fc12 | Doc Type: | Enhancement | ||||||||||
| Doc Text: | Story Points: | --- | |||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2009-11-24 07:48:16 UTC | Type: | --- | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Attachments: |
|
||||||||||||
Miroslav can you look at this? Do we need policy for this or should it have the same policy as httpd? Ok, I am going to look at it. For now I don't see any reason why lighttpd should have own policy type. I am going to test it with the httpd policy. Created attachment 368406 [details]
httpd labeling for lighttpd
Justin,
could you please test a policy (what I attached) for lighttpd if it works also for you. Basically I added only labeling for lighttpd directories/files.
First you should stop your lighttpd deamon, remove your lighttpd policy
semodule -r lighttpd
and then run myhttpd.sh script that is part of attachment. Finally start lighttpd daemon.
Thanks
Created attachment 368453 [details]
selinux errors
Seems pretty good, except for a few things. No access to ssl certs by default:
service lighttpd start
Starting lighttpd: 2009-11-10 12:40:01: (network.c.373) SSL: Private key does not match the certificate public key, reason: error:0200100D:system library:fopen:Permission denied /etc/lighttpd/ssl/eqisow.org/server.pem
Changing the ssl directory to httpd_config_t recursively corrected this.
No access to /var/www/lighttpd by default. Changing to httpd_sys_content_t corrected this.
No access to /var/cache/lighttpd by default. Could be problematic because the folder doesn't exist and (I think) lighttpd doesn't create it. I don't know enough to say how to handle that. It is the default cache location in Fedora's config though. Context of "system_u:object_r:var_t" resolves the issue.
/mnt/storage/Music denied to php-cgi. I understand this is a non-default folder and would need to be labeled manually, but am confused because it is labeled public_content_t, but the troubleshooter suggests allowing lighttpd access to home directories to resolve the issue, which I don't want to do and doesn't seem appropriate.
So far that seems to be it. Attached some error reports as well as a ls of the contexts.
(In reply to comment #5) Really thanks for your quick response and test. > Seems pretty good, except for a few things. No access to ssl certs by default: > > service lighttpd start > Starting lighttpd: 2009-11-10 12:40:01: (network.c.373) SSL: Private key does > not match the certificate public key, reason: error:0200100D:system > library:fopen:Permission denied /etc/lighttpd/ssl/eqisow.org/server.pem > > Changing the ssl directory to httpd_config_t recursively corrected this. > > No access to /var/www/lighttpd by default. Changing to httpd_sys_content_t > corrected this. These two are a part of myhttpd policy (look to myhttpd.fc) so probably something was wrong during restorecon # matchpathcon /var/www/lighttpd /var/www/lighttpd system_u:object_r:httpd_sys_content_t:s0 # matchpathcon /etc/lighttpd/ssl/eqisow.org/server.pem /etc/lighttpd/ssl/eqisow.org/server.pem system_u:object_r:httpd_config_t:s0 > No access to /var/cache/lighttpd by default. Could be problematic because the > folder doesn't exist and (I think) lighttpd doesn't create it. I don't know > enough to say how to handle that. It is the default cache location in Fedora's > config though. Context of "system_u:object_r:var_t" resolves the issue. /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) Need to be added. Created attachment 368470 [details]
myhttpd2
Confirmed that the first two are in the policy. I think restorecon failed because /usr/lib/lighttpd didn't exist, so the script exited after that line (64 bit system here). I should have paid more attention to the script output. Anyway, I removed the module and built/installed it again, this time with /var/cache/lighttpd added and lib changed to lib64. Interestingly, not having lib64 in the right context didn't seem to cause any issues. Should it have?
Re-attached myhttpd with changes.
Fixed in selinux-policy-3.6.32-44.fc12.noarch Question: When selinux-policy-3.6.32-44 gets pushed, should I remove myhttpd before updating or does it matter? Yes although it should not matter. As long as they don't conflict. Got it. Thanks for getting this taken care of so fast Daniel. All the effort put into selinux is a big part of the reason I stick with Fedora. :) selinux-policy-3.6.32-46.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-46.fc12 selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11672 selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 367976 [details] very bad selinux policy Description of problem: lighttpd currently has no selinux confinement policy Additional info: As lighttpd is a network facing service that has reached significant popularity, it should probably have a selinux policy created for it. I've created one myself, but I'm sure it's not sufficient as there are still errors. Still, I've attached it on the off chance that it may be useful.