Security – How to disable SELinux for Apache httpd only on the Fedora 14

apache-2.2fedorahttpdSecurityselinux

By following this link I am able to just turn SELinux off completely from my Fedora 14.
But I wonder how could I disable SELinux only for the httpd daemon? I don't have system-config-selinux installed and due to company firewall policy I have got to search for the RPMs from pkgs.org in order to install any package. So is there a way to get this sorted out?

Edit:

Summary:

SELinux is preventing /opt/ibm/cognos/c10/cgi-bin/cognos.cgi "execute" access to
/opt/ibm/cognos/c10/cgi-bin/libIBJStreamsDLL.so.

Detailed Description:

SELinux denied access requested by /opt/ibm/cognos/c10/cgi-bin/cognos.cgi.
/opt/ibm/cognos/c10/cgi-bin/cognos.cgi is mislabeled.
/opt/ibm/cognos/c10/cgi-bin/cognos.cgi default SELinux type is bin_t, but its
current type is bin_t. Changing this file back to the default type, may fix your
problem.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/opt/ibm/cognos/c10/cgi-bin/cognos.cgi'.

Fix Command:

/sbin/restorecon '/opt/ibm/cognos/c10/cgi-bin/cognos.cgi'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                /opt/ibm/cognos/c10/cgi-bin/libIBJStreamsDLL.so [
                              file ]
Source                        cognos.cgi
Source Path                   /opt/ibm/cognos/c10/cgi-bin/cognos.cgi
Port                          <Unknown>
Host                          mm2fedora.syd.cog
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restore_source_context
Host Name                     mm2fedora.syd.cog
Platform                      Linux mm2fedora.syd.cog 2.6.35.6-45.fc14.i686 #1
                              SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   18
First Seen                    Fri 15 Apr 2011 02:12:44 PM EST
Last Seen                     Fri 15 Apr 2011 02:33:11 PM EST
Local ID                      409e250f-049f-49c0-89f6-7155e4643868
Line Numbers                  

Raw Audit Messages            

node=mm2fedora.syd.cog type=AVC msg=audit(1302841991.999:22392): avc:  denied  { execute } for  pid=28242 comm="cognos.cgi" path="/opt/ibm/cognos/c10/cgi-bin/libIBJStreamsDLL.so" dev=dm-0 ino=138263 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=mm2fedora.syd.cog type=SYSCALL msg=audit(1302841991.999:22392): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1bc08 a2=5 a3=802 items=0 ppid=27923 pid=28242 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="cognos.cgi" exe="/opt/ibm/cognos/c10/cgi-bin/cognos.cgi" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

As advised I run the suggested fix command: /sbin/restorecon '/opt/ibm/cognos/c10/cgi-bin/cognos.cgi' many times but unfortunately. by disabling SELinux completely I can see this web app works. I am researching on this topic myself right now like how to enable SELinux globally while only disabling it for httpd. Must not be the best approach but since this is only a test case that would be just fine for me and my team.

The hint I got from Fedora 13's SELinux FAQ is here so I personally believe there is a way with system-config-selinux, I just don't know the details…

Best Answer

Converting my earlier comment into an answer, to popular demand ;)

From the you-learn-something-everyday department: I saw Dan Walsh give a presentation yesterday, in which he explained the new way of disabling confinement for applications in newer releases of Fedora and EL6. You no longer set a boolean to disable transition (which sometimes causes a cascade in booleans that need to be set for everything to work), but you put a certain type in permissive mode. You do this by running the 'semanage permissive -a TYPE' command (in your case 'semanage permissive -a httpd_t'). This leaves SELinux on for httpd_t, but in permissive mode. – wzzrd May 20 '11 at 8:45

Related Solutions

Redhat Apache fast-cgi selinux permissions

Running FastCGI your way leaves a big security hole: the PHP interpreter is run as user "httpd" (at least I can't see anything about suexec here).

We have a working setup with SELinux and PHP as FastCGI here at CentOS 6, but it was really tricky to get everything working.

A few tips for the start:

you don't need to reboot to disable/enable selinux - just use the command "setenforce 0" or "setenforce 1" :)
always try to get everything working with SELinux disabled, then enable it and have a look at audit.log

Here we go:

enable suexec
change SELinux type for php.fcgi to httpd_fastcgi_script_exec_t
your FastCGI starter (php.fcgi) should not be writable by the user owning it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi

suexec has some trouble with FastCGI, so we have to make it permissive:

yum install policycoreutils-python
semanage permissive -a httpd_suexec_t

Good luck!

Centos – Configure selinux to allow openldap on CentOS 6.4

If you filter the audit logs through audit2allow(1) and audit2why you'll get an approximate idea of what is happening:

#============= slapd_t ==============
allow slapd_t self:capability sys_nice;
allow slapd_t var_log_t:file { write read };
------------------------------------

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1372888328.408:3263): avc:  denied  { sys_nice } for  pid=1492 comm=slapd capability=23  scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1372888328.424:3264): avc:  denied  { read } for  pid=1493 comm=slapd name=log.0000000001 dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

Checking labeling

It is unlikely a label restore prevents you from starting a service if SELinux is in permissive mode. Also, why the -F switch?

To know if you have to restore the labeling of a directory or file, first find out what context a file or directory is supposed to have:

# matchpathcon /etc/openldap/
/etc/openldap   system_u:object_r:etc_t:s0

Then list its security context:

# ls -ldZ /etc/openldap/
drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc/openldap//

In this example, no further action is needed.

With regards to your issue, the problem is not labeling per se, but a missing type enforcement rule, i.e., a rule that allows a labeled process to transition from one confined domain to another, or to read files with an specific label, for example.

Creating an SELinux module

You can try to build a module that allows the slapd_t to perform the operations which appeared in the audit.log. It is probable that you need further adjustments in your code. Use audit2allow, and make for this task. All commands are very well documented in their respective manpages. The process will look roughly like this (after copying the relevant messages into audit.txt):

audit2allow -i audit.txt -m slapd -o slapd.te
make -f /usr/share/selinux/devel/Makefile load

Also, check if a bug report for the SELinux policy regarding this issue already exists.