Created attachment 367976 [details]
very bad selinux policy
Description of problem: lighttpd currently has no selinux confinement policy
Additional info: As lighttpd is a network facing service that has reached significant popularity, it should probably have a selinux policy created for it. I've created one myself, but I'm sure it's not sufficient as there are still errors. Still, I've attached it on the off chance that it may be useful.
Miroslav can you look at this?
Do we need policy for this or should it have the same policy as httpd?
Ok, I am going to look at it.
For now I don't see any reason why lighttpd should have own policy type. I am going to test it with the httpd policy.
Created attachment 368406 [details]
httpd labeling for lighttpd
could you please test a policy (what I attached) for lighttpd if it works also for you. Basically I added only labeling for lighttpd directories/files.
First you should stop your lighttpd deamon, remove your lighttpd policy
semodule -r lighttpd
and then run myhttpd.sh script that is part of attachment. Finally start lighttpd daemon.
Created attachment 368453 [details]
Seems pretty good, except for a few things. No access to ssl certs by default:
service lighttpd start
Starting lighttpd: 2009-11-10 12:40:01: (network.c.373) SSL: Private key does not match the certificate public key, reason: error:0200100D:system library:fopen:Permission denied /etc/lighttpd/ssl/eqisow.org/server.pem
Changing the ssl directory to httpd_config_t recursively corrected this.
No access to /var/www/lighttpd by default. Changing to httpd_sys_content_t corrected this.
No access to /var/cache/lighttpd by default. Could be problematic because the folder doesn't exist and (I think) lighttpd doesn't create it. I don't know enough to say how to handle that. It is the default cache location in Fedora's config though. Context of "system_u:object_r:var_t" resolves the issue.
/mnt/storage/Music denied to php-cgi. I understand this is a non-default folder and would need to be labeled manually, but am confused because it is labeled public_content_t, but the troubleshooter suggests allowing lighttpd access to home directories to resolve the issue, which I don't want to do and doesn't seem appropriate.
So far that seems to be it. Attached some error reports as well as a ls of the contexts.
(In reply to comment #5)
Really thanks for your quick response and test.
> Seems pretty good, except for a few things. No access to ssl certs by default:
> service lighttpd start
> Starting lighttpd: 2009-11-10 12:40:01: (network.c.373) SSL: Private key does
> not match the certificate public key, reason: error:0200100D:system
> library:fopen:Permission denied /etc/lighttpd/ssl/eqisow.org/server.pem
> Changing the ssl directory to httpd_config_t recursively corrected this.
> No access to /var/www/lighttpd by default. Changing to httpd_sys_content_t
> corrected this.
These two are a part of myhttpd policy (look to myhttpd.fc) so probably something was wrong during restorecon
# matchpathcon /var/www/lighttpd
# matchpathcon /etc/lighttpd/ssl/eqisow.org/server.pem
> No access to /var/cache/lighttpd by default. Could be problematic because the
> folder doesn't exist and (I think) lighttpd doesn't create it. I don't know
> enough to say how to handle that. It is the default cache location in Fedora's
> config though. Context of "system_u:object_r:var_t" resolves the issue.
Need to be added.
Created attachment 368470 [details]
Confirmed that the first two are in the policy. I think restorecon failed because /usr/lib/lighttpd didn't exist, so the script exited after that line (64 bit system here). I should have paid more attention to the script output. Anyway, I removed the module and built/installed it again, this time with /var/cache/lighttpd added and lib changed to lib64. Interestingly, not having lib64 in the right context didn't seem to cause any issues. Should it have?
Re-attached myhttpd with changes.
Fixed in selinux-policy-3.6.32-44.fc12.noarch
Question: When selinux-policy-3.6.32-44 gets pushed, should I remove myhttpd before updating or does it matter?
Yes although it should not matter. As long as they don't conflict.
Got it. Thanks for getting this taken care of so fast Daniel. All the effort put into selinux is a big part of the reason I stick with Fedora. :)
selinux-policy-3.6.32-46.fc12 has been submitted as an update for Fedora 12.
selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11672
selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.