Bug 533622 - [feature] Policy for lighttpd
Summary: [feature] Policy for lighttpd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-07 22:43 UTC by Justin Newman
Modified: 2009-11-24 07:48 UTC (History)
3 users (show)

Fixed In Version: 3.6.32-46.fc12
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-24 07:48:16 UTC
Type: ---


Attachments (Terms of Use)
very bad selinux policy (292.72 KB, application/gzip)
2009-11-07 22:43 UTC, Justin Newman
no flags Details
httpd labeling for lighttpd (865 bytes, application/x-bzip)
2009-11-10 14:50 UTC, Miroslav Grepl
no flags Details
selinux errors (2.87 KB, application/x-gzip)
2009-11-10 18:26 UTC, Justin Newman
no flags Details
myhttpd2 (807 bytes, application/x-gzip)
2009-11-10 19:43 UTC, Justin Newman
no flags Details

Description Justin Newman 2009-11-07 22:43:03 UTC
Created attachment 367976 [details]
very bad selinux policy

Description of problem: lighttpd currently has no selinux confinement policy


Additional info: As lighttpd is a network facing service that has reached significant popularity, it should probably have a selinux policy created for it. I've created one myself, but I'm sure it's not sufficient as there are still errors. Still, I've attached it on the off chance that it may be useful.

Comment 1 Daniel Walsh 2009-11-09 13:43:43 UTC
Miroslav can you look at this?

Do we need policy for this or should it have the same policy as httpd?

Comment 2 Miroslav Grepl 2009-11-09 13:50:39 UTC
Ok, I am going to look at it.

Comment 3 Miroslav Grepl 2009-11-09 17:32:53 UTC
For now I don't see any reason why lighttpd should have own policy type. I am going to test it with the httpd policy.

Comment 4 Miroslav Grepl 2009-11-10 14:50:16 UTC
Created attachment 368406 [details]
httpd labeling for lighttpd

Justin,

could you please test a policy (what I attached) for lighttpd if it works also for you. Basically I added only labeling for lighttpd directories/files.

First you should stop your lighttpd deamon, remove your lighttpd policy

semodule -r lighttpd

and then run myhttpd.sh script that is part of attachment. Finally start lighttpd daemon.

Thanks

Comment 5 Justin Newman 2009-11-10 18:26:54 UTC
Created attachment 368453 [details]
selinux errors

Seems pretty good, except for a few things. No access to ssl certs by default:

service lighttpd start
Starting lighttpd: 2009-11-10 12:40:01: (network.c.373) SSL: Private key does not match the certificate public key, reason: error:0200100D:system library:fopen:Permission denied /etc/lighttpd/ssl/eqisow.org/server.pem

Changing the ssl directory to httpd_config_t recursively corrected this.

No access to /var/www/lighttpd by default. Changing to httpd_sys_content_t corrected this.

No access to /var/cache/lighttpd by default. Could be problematic because the folder doesn't exist and (I think) lighttpd doesn't create it. I don't know enough to say how to handle that. It is the default cache location in Fedora's config though. Context of "system_u:object_r:var_t" resolves the issue.

/mnt/storage/Music denied to php-cgi. I understand this is a non-default folder and would need to be labeled manually, but am confused because it is labeled public_content_t, but the troubleshooter suggests allowing lighttpd access to home directories to resolve the issue, which I don't want to do and doesn't seem appropriate.

So far that seems to be it. Attached some error reports as well as a ls of the contexts.

Comment 6 Miroslav Grepl 2009-11-10 19:06:37 UTC
(In reply to comment #5)

Really thanks for your quick response and test.

> Seems pretty good, except for a few things. No access to ssl certs by default:
> 
> service lighttpd start
> Starting lighttpd: 2009-11-10 12:40:01: (network.c.373) SSL: Private key does
> not match the certificate public key, reason: error:0200100D:system
> library:fopen:Permission denied /etc/lighttpd/ssl/eqisow.org/server.pem
>
> Changing the ssl directory to httpd_config_t recursively corrected this.
> 
> No access to /var/www/lighttpd by default. Changing to httpd_sys_content_t
> corrected this.

These two are a part of myhttpd policy (look to myhttpd.fc) so probably something was wrong during restorecon

# matchpathcon /var/www/lighttpd
/var/www/lighttpd	system_u:object_r:httpd_sys_content_t:s0

# matchpathcon /etc/lighttpd/ssl/eqisow.org/server.pem
/etc/lighttpd/ssl/eqisow.org/server.pem	system_u:object_r:httpd_config_t:s0
 
> No access to /var/cache/lighttpd by default. Could be problematic because the
> folder doesn't exist and (I think) lighttpd doesn't create it. I don't know
> enough to say how to handle that. It is the default cache location in Fedora's
> config though. Context of "system_u:object_r:var_t" resolves the issue.

/var/cache/lighttpd(/.*)?                    gen_context(system_u:object_r:httpd_cache_t,s0)

Need to be added.

Comment 7 Justin Newman 2009-11-10 19:43:21 UTC
Created attachment 368470 [details]
myhttpd2

Confirmed that the first two are in the policy. I think restorecon failed because /usr/lib/lighttpd didn't exist, so the script exited after that line (64 bit system here). I should have paid more attention to the script output. Anyway, I removed the module and built/installed it again, this time with /var/cache/lighttpd added and lib changed to lib64. Interestingly, not having lib64 in the right context didn't seem to cause any issues. Should it have?

Re-attached myhttpd with changes.

Comment 8 Daniel Walsh 2009-11-10 19:53:14 UTC
Fixed in selinux-policy-3.6.32-44.fc12.noarch

Comment 9 Justin Newman 2009-11-10 20:02:44 UTC
Question: When selinux-policy-3.6.32-44 gets pushed, should I remove myhttpd before updating or does it matter?

Comment 10 Daniel Walsh 2009-11-10 20:11:36 UTC
Yes although it should not matter.  As long as they don't conflict.

Comment 11 Justin Newman 2009-11-10 20:14:06 UTC
Got it. Thanks for getting this taken care of so fast Daniel. All the effort put into selinux is a big part of the reason I stick with Fedora. :)

Comment 12 Fedora Update System 2009-11-16 19:37:24 UTC
selinux-policy-3.6.32-46.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-46.fc12

Comment 13 Fedora Update System 2009-11-18 14:11:14 UTC
selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11672

Comment 14 Fedora Update System 2009-11-24 07:46:11 UTC
selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.