Selinux Not allowing webpages to be served

atrumblood
Posts: 39
Joined: 2010/04/11 17:49:13

Selinux Not allowing webpages to be served

Post by atrumblood » 2013/06/04 22:06:55

So rather than disable SELinux and admit defeat, I am trying to configure SELinux to allow httpd to serve web pages.

The issue I am having is that any page I request from my server gives me a forbidden error. I confirmed that it is SELinux blocking access, because when I set SELinux to permissive all web pages work.

Something confusing: the default document root, "/var/www/html", is getting blocked too.

The context of the folder looks right.

[code]drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html[/code]

I am not seeing any errors in audit.log or messages that pertain to SELinux, and the error log for httpd just shows the 403 error.


Some system information.

uname -a
Linux example.com 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat-release
CentOS release 6.4 (Final)

TrevorH
Forum Moderator
Posts: 29407
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Selinux Not allowing webpages to be served

Post by TrevorH » 2013/06/04 22:09:58

How do you start the httpd service?

atrumblood
Posts: 39
Joined: 2010/04/11 17:49:13

Re: Selinux Not allowing webpages to be served

Post by atrumblood » 2013/06/04 22:14:20

service httpd start

TrevorH
Forum Moderator
Posts: 29407
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux Not allowing webpages to be served

Post by TrevorH » 2013/06/04 22:35:17

You should have messages logged for the denials. Can you run `aureport -a` and look at the last few lines? On the end of each line there will be a number. Take that number and use it in `ausearch -a nnnn` and post the ones that are about denials. You'll only need to post a few, maybe 3 or 4.

atrumblood
Posts: 39
Joined: 2010/04/11 17:49:13

Re: Selinux Not allowing webpages to be served

Post by atrumblood » 2013/06/04 22:59:32

Here are the last 4 entries.


63. 08/19/2008 06:41:26 httpd unconfined_u:system_r:httpd_t:s0 4 dir search unconfined_u:object_r:user_home_dir_t:s0 denied 1557

64. 08/19/2008 06:41:26 httpd unconfined_u:system_r:httpd_t:s0 6 dir getattr unconfined_u:object_r:user_home_dir_t:s0 denied 1558

65. 08/19/2008 06:41:26 httpd unconfined_u:system_r:httpd_t:s0 4 dir search unconfined_u:object_r:user_home_dir_t:s0 denied 1559

66. 08/19/2008 06:41:26 httpd unconfined_u:system_r:httpd_t:s0 6 dir getattr unconfined_u:object_r:user_home_dir_t:s0 denied 1560



[code]# ausearch -a 1557 ---- time->Wed Jul 23 18:20:01 2008 type=LOGIN msg=audit(1216812001.766:1557): pid=1547
uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new
ses=236 ---- time->Fri Aug 8 23:52:20 2008 type=CRYPTO_KEY_USER msg=audit(1218214340.881:1557): user pid=8785
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server
fp=aa:9c:a4:46:64:71:d9:5a:26:4a:ba:36:fd:16:30:27 direction=? spid=8785 suid=0 exe="/usr/sbin/sshd" hostname=?
addr=211.157.167.70 terminal=? res=success' ---- time->Tue Aug 19 06:41:26 2008 type=SYSCALL
msg=audit(1219102886.589:1557): arch=c000003e syscall=4 success=no exit=-13 a0=7f26ba422008 a1=7ffff1984020
a2=7ffff1984020 a3=0 items=0 ppid=31731 pid=31735 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=
(null) type=AVC msg=audit(1219102886.589:1557): avc: denied { search } for pid=31735 comm="httpd" name="cdorris"
dev=dm-2 ino=655361 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0
tclass=dir[/code]


[code]# ausearch -a 1558 ---- time->Wed Jul 23 18:20:01 2008 type=USER_START msg=audit(1216812001.769:1558):
user pid=1547 uid=0 auid=0 ses=236 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' ---- time->Fri Aug 8 23:52:20 2008
type=CRYPTO_KEY_USER msg=audit(1218214340.881:1558): user pid=8785 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server
fp=27:29:df:a6:b9:ee:5e:ae:1f:0e:6f:df:d8:43:67:7c direction=? spid=8785 suid=0 exe="/usr/sbin/sshd" hostname=?
addr=211.157.167.70 terminal=? res=success' ---- time->Tue Aug 19 06:41:26 2008 type=SYSCALL
msg=audit(1219102886.589:1558): arch=c000003e syscall=6 success=no exit=-13 a0=7f26ba4220f8 a1=7ffff1984020
a2=7ffff1984020 a3=1 items=0 ppid=31731 pid=31735 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=
(null) type=AVC msg=audit(1219102886.589:1558): avc: denied { getattr } for pid=31735 comm="httpd"
path="/home/cdorris" dev=dm-2 ino=655361 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir[/code]



[code]# ausearch -a 1559 ---- time->Wed Jul 23 18:20:01 2008 type=CRED_DISP msg=audit(1216812001.785:1559): user
pid=1547 uid=0 auid=0 ses=236 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' ---- time->Fri Aug 8 23:52:21 2008
type=CRYPTO_SESSION msg=audit(1218214341.221:1559): user pid=8784 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-cbc ksize=128
spid=8785 suid=74 rport=33577 laddr=10.0.0.3 lport=22 exe="/usr/sbin/sshd" hostname=? addr=211.157.167.70
terminal=? res=success' ---- time->Tue Aug 19 06:41:26 2008 type=SYSCALL msg=audit(1219102886.750:1559):
arch=c000003e syscall=4 success=no exit=-13 a0=7f26ba421fb0 a1=7ffff1984020 a2=7ffff1984020 a3=0 items=0
ppid=31731 pid=31737 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1
comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) type=AVC
msg=audit(1219102886.750:1559): avc: denied { search } for pid=31737 comm="httpd" name="cdorris" dev=dm-2
ino=655361 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0
tclass=dir[/code]


[code]# ausearch -a 1560 ---- time->Wed Jul 23 18:20:01 2008 type=USER_END msg=audit(1216812001.785:1560): user
pid=1547 uid=0 auid=0 ses=236 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' ---- time->Fri Aug 8 23:52:21 2008
type=CRYPTO_SESSION msg=audit(1218214341.221:1560): user pid=8784 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-cbc ksize=128
spid=8785 suid=74 rport=33577 laddr=10.0.0.3 lport=22 exe="/usr/sbin/sshd" hostname=? addr=211.157.167.70
terminal=? res=success' ---- time->Tue Aug 19 06:41:26 2008 type=SYSCALL msg=audit(1219102886.750:1560):
arch=c000003e syscall=6 success=no exit=-13 a0=7f26ba4220a8 a1=7ffff1984020 a2=7ffff1984020 a3=1 items=0
ppid=31731 pid=31737 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1
comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) type=AVC
msg=audit(1219102886.750:1560): avc: denied { getattr } for pid=31737 comm="httpd" path="/home/cdorris" dev=dm-2
ino=655361 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0
tclass=dir[/code]
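
The records above are long, and the useful part is the single AVC line in each. The following shell script is an added example, not something posted in this thread: it pulls the source type, target type, object class and file name out of AVC denial records (raw audit.log lines or `ausearch` output) and then filters for denials whose target is not an httpd_* type, which is exactly what points at the home directory here. The sample records are constructed in the shape of the ones quoted above; the third record (a denied write to httpd_sys_content_t) is made up to show a target type that is not flagged.

```shell
#!/bin/sh
# Added example, not from the thread: summarize AVC denials so the
# source type, target type and object are visible at a glance.

# Constructed sample in the shape of the records quoted in the thread;
# the third record is made up to show a target type httpd is meant to serve.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1219102886.589:1557): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1219102886.589:1557): avc:  denied  { search } for  pid=31735 comm="httpd" name="cdorris" dev=dm-2 ino=655361 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1219102886.589:1558): avc:  denied  { getattr } for  pid=31735 comm="httpd" path="/home/cdorris" dev=dm-2 ino=655361 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1219102886.901:1561): avc:  denied  { write } for  pid=31735 comm="httpd" name="upload.tmp" dev=dm-2 ino=655400 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Read audit records on stdin; print one line per AVC denial:
#   <comm> <perm> <source type> -> <target type> <tclass> <name or path>
summarize_avc() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      comm = "?"; perm = "?"; scon = "?"; tcon = "?"; tclass = "?"; obj = "?"
      # permissions sit between "{ " and " }"; join several with commas
      if (match($0, /[{] [^}]* [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        # the type is the third colon-separated field of a context
        if ($i ~ /^scontext=/)         { split(substr($i, 10), a, ":"); scon = a[3] }
        else if ($i ~ /^tcontext=/)    { split(substr($i, 10), b, ":"); tcon = b[3] }
        else if ($i ~ /^tclass=/)      { tclass = substr($i, 8) }
        else if ($i ~ /^comm=/)        { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        else if ($i ~ /^(name|path)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
      }
      print comm, perm, scon, "->", tcon, tclass, obj
    }'
}

# Keep only denials whose target is not an httpd_* type. For a "403 on
# everything" problem these are the interesting ones: either the files need
# relabeling (restorecon) or httpd is being pointed at a path it should not
# serve, as with the home directory in the thread.
unexpected_targets() {
  summarize_avc | awk '$5 !~ /^httpd_/'
}

# Stand-alone run over the constructed sample; on a live box you would pipe
#   ausearch -m AVC -ts recent | unexpected_targets
printf '%s\n' "$SAMPLE_AUDIT" | unexpected_targets
```

Run against the sample it prints the two home-directory denials and drops the one against httpd_sys_content_t. The target type is what decides whether relabeling under /var/www will help: a target of user_home_dir_t means httpd is looking outside the places the policy labels for it, so no `restorecon` on /var/www would change the outcome.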

TrevorH
Forum Moderator
Posts: 29407
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux Not allowing webpages to be served

Post by TrevorH » 2013/06/05 00:56:01

That would appear to be trying to access your home directory, not /var/www/html.

atrumblood
Posts: 39
Joined: 2010/04/11 17:49:13

Re: Selinux Not allowing webpages to be served

Post by atrumblood » 2013/06/05 01:13:09

Hmmm, odd. Let me review the httpd config and get back to you.

atrumblood
Posts: 39
Joined: 2010/04/11 17:49:13

Re: Selinux Not allowing webpages to be served

Post by atrumblood » 2013/06/05 01:26:07

Well, I am very confused. My httpd.conf file looks fine.
Default document root is set to "/var/www/html/".

My virtualhost is set as /home/cdorris/www/curtisdorris.com.

Everything under /var/www is labeled as httpd_sys_content_t.

Just accessing the IP address shouldn't be touching the virtual host directory.

Any ideas?

TrevorH
Forum Moderator
Posts: 29407
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux Not allowing webpages to be served

Post by TrevorH » 2013/06/05 08:27:52

By the looks of it, your virtualhost is the default web site and it's trying to access /home/curtis and failing. It's generally not recommended to use user home directories to serve http content, so you might want to move your virtual host docroot to under /var/www, where it will be labeled correctly if you run e.g. `restorecon -r /var/www/curtisdorris.com`.

atrumblood
Posts: 39
Joined: 2010/04/11 17:49:13

Re: Selinux Not allowing webpages to be served

Post by atrumblood » 2013/06/05 22:07:32

Ok, thanks, I will try that as soon as I get home.

If I wanted to still use the users' home directories as the www root for virtual hosts, couldn't I just change the context of that directory to match the /var/www directory?
