Monday, 3 November 2008

I'm back! Some notes on SELinux and Apache HTTPD

Finally! I took some time out, with a big road trip to America and various other activities going on, I'd not had the time to keep the blog going. Anyway, things are back to normal now and after a recent hard disk failure I unexpectedly found myself setting up a new secure web server using CentOS 5.2 x64 and Apache Httpd 2.2.3 and PHP5. Later I'll add in a Java EE application server for more dynamic/web app stuff.

Thought that I'd type up some small notes on a problem I'd come across before, when trying to set up Mercurial hgweb in directories (or symlinks to directories) outside of the usual /var/www.

One of the problems may come from SELinux. Whilst it's tempting to turn it off, for something facing the public on the web - this would be a real last resort!

Security contexts: a quick explanation

Files and directories have security contexts. These can be seen using ls, e.g.

ls -aZ

By default Apache httpd cannot access every file; it can only access those with the httpd_sys_content_t context type.

For example, user home directories come with the context home_root_t, which will give a permission denied type error if httpd tries to serve up files from there (or anywhere below!). Another common security context is default_t, which is assigned as the default for new files and folders.

An important difference between mv and cp

cp creates a new context (inherited from the destination), whereas mv actually moves the file with its context unmodified. So a common gotcha is to create files in the user home directory and mv them to /var/www/..., which keeps the home context home_root_t and hence produces the permission denied error.


Some handy commands:

chcon -R -h -t httpd_sys_content_t /test/

change the directory /test/ to the httpd_sys_content_t security context type, recursively but without following symlinks.

i.e. the above would allow /test/ to be served as a DocumentRoot in httpd.
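As an added example (not from the original post), the following script checks a document root for exactly the mv gotcha described above: it reads an "ls -Z" style listing, reports every entry whose SELinux type is not httpd_sys_content_t, and prints the chcon command from this post that would relabel it, without running anything. The listing, file names and labels are constructed for the demo, and the five-field "ls -Z" layout (mode, user, group, context, name) of CentOS 5 is assumed, though the parser just looks for the field containing the context.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SELinux labels in an
# "ls -Z" listing of a document root and print the entries httpd will be
# refused, with the chcon that would relabel them. All names and labels below
# are constructed.

# Constructed "ls -Z" output for a CentOS 5 docroot (mode user group context name).
# notes.html and hgweb were created in a home directory and moved in with mv,
# so they still carry the home label; robots.txt was left at default_t.
SAMPLE_LISTING='-rw-r--r--  root root root:object_r:httpd_sys_content_t index.html
-rw-r--r--  louis louis user_u:object_r:home_root_t notes.html
drwxr-xr-x  louis louis user_u:object_r:home_root_t hgweb
-rw-r--r--  root root root:object_r:default_t robots.txt'

# Read "ls -Z" lines on stdin; print "<name> <type>" for every entry whose
# SELinux type is not httpd_sys_content_t. The context is the first field of
# the form user:role:type[:level]; the name is the field after it. File names
# containing spaces are not handled.
find_unservable() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) break
        if (i > NF) next                      # no context on this line
        split($i, ctx, ":")
        if (ctx[3] != "httpd_sys_content_t") print $(i + 1), ctx[3]
    }'
}

# Number of offending entries in the constructed sample.
count_unservable() {
    printf '%s\n' "$SAMPLE_LISTING" | find_unservable | wc -l | tr -d ' '
}

# First offending entry in the constructed sample, as "<name> <type>".
first_unservable() {
    printf '%s\n' "$SAMPLE_LISTING" | find_unservable | head -n 1
}

# Print (do not run) one chcon per offending entry, using the post's flags:
# -h does not follow symlinks, -t sets only the type. Add -R on a directory
# entry to relabel everything beneath it.
suggest_fixes() {
    docroot=$1
    printf '%s\n' "$SAMPLE_LISTING" | find_unservable | while read -r name type; do
        printf 'chcon -h -t httpd_sys_content_t %s/%s   # currently %s\n' \
            "$docroot" "$name" "$type"
    done
}

# Stand-alone run against the constructed listing.
suggest_fixes /var/www/html
```

On a real box, replace the sample with live output: ls -aZ /var/www/html | find_unservable. Anything it lists is a label problem, not an httpd.conf problem, and restorecon -R on the directory is usually the cleaner fix than a per-file chcon.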

If SELinux (as opposed to the httpd configuration) is suspected of causing the permission problems, the SELinux denials will appear in the message log:

tail -f /var/log/messages
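Watching the raw log is noisy, so here is an added example (not from the original post) that extracts the AVC denials from /var/log/messages style lines and summarises who was denied what on which target type. The log excerpt is constructed; the hostname, PIDs, inodes and paths are made up, and the "kernel: audit(...): avc: denied { perm } for ..." layout is assumed to be what CentOS 5 writes to /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the original post: pull SELinux AVC denials out of
# /var/log/messages-style lines and summarise process, object class,
# permission and target type. The log lines below are constructed.

# Constructed excerpt: one cron line (noise), two denials against httpd
# serving files that kept a non-web label, and one denial from smbd.
SAMPLE_LOG='Nov  3 10:15:01 web1 crond[1234]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 10:15:02 web1 kernel: audit(1225707302.123:45): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/louis/www/index.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:home_root_t:s0 tclass=file
Nov  3 10:15:02 web1 kernel: audit(1225707302.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="hgweb" dev=sda2 ino=12346 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir
Nov  3 10:16:40 web1 kernel: audit(1225707400.001:47): avc:  denied  { search } for  pid=3456 comm="smbd" name="louis" dev=sda2 ino=12000 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=dir'

# Read log lines on stdin; for each AVC denial print
#   <comm> <tclass> <permissions> <target type> <path or name>
# The permission set is the text inside "{ }"; key=value pairs are found by
# scanning whitespace-separated fields, so a path containing spaces is cut.
summarize_avc() {
    awk '/avc: +denied/ {
        perm = $0
        sub(/.*denied +[{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        comm = ""; target = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^(path|name)=/) { target = $i; sub(/^[a-z]*=/, "", target); gsub(/"/, "", target) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        print comm, tclass, perm, ttype, target
    }'
}

# Distinct target types httpd was denied on, space separated. These are the
# labels that need relabelling (chcon / restorecon), not httpd.conf changes.
offending_types() {
    summarize_avc | awk '$1 == "httpd" { print $4 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Helpers that run the functions over the constructed excerpt.
demo_summary() { printf '%s\n' "$SAMPLE_LOG" | summarize_avc; }
demo_offending_types() { printf '%s\n' "$SAMPLE_LOG" | offending_types; }

demo_summary
demo_offending_types
```

Against a live system this is just tail -f /var/log/messages | summarize_avc; the target type column tells you straight away whether you are looking at the home_root_t / default_t mv gotcha or at something that genuinely needs a boolean or policy change.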


SELinux boolean flags:

can be read with

getsebool httpd_enable_cgi

and set with

setsebool httpd_enable_cgi true


Invoke the simple GUI configurator with: system-config-securitylevel


Restore the file context (say after an mv command):

restorecon -R -v ./folderwithwrongcontext/


Additional SELinux parameters:

Enable Samba to access home dirs:

setsebool -P samba_enable_home_dirs=1


Additional Resources:

Good overview in this link: http://docs.fedoraproject.org/selinux-apache-fc3/sn-simple-setup.html



4 comments:

Roel said...

w00t, thanks for helping me fix my SELinux problem :)

LouisB said...

You are entirely welcome :)

Michael said...

Louis,
I have reverse proxied my Apache to Glassfish 2.1 on the same machine. My Apache is used solely for a WordPress blog where we post "articles". The main traffic though is to the java apps on the Glassfish side. I want to reverse the setup, using Glassfish to respond to port 80 requests and proxy a single folder off the Glassfish docroot /articles to the Apache server. Any thoughts?

Michael said...

Here is my set up.
Apache:

ProxyRequests Off
ProxyPreserveHost On
AllowCONNECT 86 81 8186 554
Options +FollowSymLinks
ProxyPass /articles/ !
#ProxyPass /images/ !
#ProxyPass /nagios !
ProxyPass /server-info !
ProxyPass /server-status !
ProxyPass / http://127.0.0.1:81/
ProxyPassReverse / http://127.0.0.1:81/

Glassfish: