Trying again: why am I getting denials in a directory that has been labeled..
mark
2018-07-11 15:01:50 UTC
Date: Sat, 30 Jun 2018 11:22:43 +0200
As Lukas suggested, I tried to relabel the file. It didn't work, and
the reason is this: we have the web under our own root directory, not
under /var/www. We had done a semanage fcontext -e /var/www <ourpath>.
When I tried to relabel, it suggested I try to relabel using the
/var/www path, which won't work.
Is there any way around this?
/<ourpath>/htdocs/<website>/cgi-bin/data/<the problematic file>
Could you attach complete outputs from semanage/ls (-Z)/ matchpathcon
commands? I would like to reproduce it to help you find the issue.
Sorry I couldn't get back to this sooner.

semanage fcontext --modify -t httpd_sys_rw_content_t
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat
ValueError: File spec
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat conflicts
with equivalency rule '/<actual>/<path>/htdocs /var/www/html'; Try adding
'/var/www/html/<website>/cgi-bin/Counter/data/image.dat' instead

ll -Z:
-rw-rw-r--. apache imagej unconfined_u:object_r:httpd_sys_script_exec_t:s0
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat

matchpathcon:
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat system_u:object_r:httpd_sys_script_exec_t:s0

And of course there's no <website> under /var/www/html/

mark
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org/message/SDCQW4
Gary Tierney
2018-07-11 17:06:45 UTC
Post by mark
Date: Sat, 30 Jun 2018 11:22:43 +0200
As Lukas suggested, I tried to relabel the file. It didn't work, and
the reason is this: we have the web under our own root directory, not
under /var/www. We had done a semanage fcontext -e /var/www <ourpath>.
When I tried to relabel, it suggested I try to relabel using the
/var/www path, which won't work.
No, it's telling you that you need to add the file context specification
under there, not relabel it.
Post by mark
Is there any way around this?
/<ourpath>/htdocs/<website>/cgi-bin/data/<the problematic file>
Could you attach complete outputs from semanage/ls (-Z)/ matchpathcon
commands? I would like to reproduce it to help you find the issue.
Sorry I couldn't get back to this sooner.
semanage fcontext --modify -t httpd_sys_rw_content_t
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat
ValueError: File spec
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat conflicts
with equivalency rule '/<actual>/<path>/htdocs /var/www/html'; Try adding
'/var/www/html/<website>/cgi-bin/Counter/data/image.dat' instead
-rw-rw-r--. apache imagej unconfined_u:object_r:httpd_sys_script_exec_t:s0
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat
You can't add a file context specification under /<actual>/<path>/htdocs
because it is an alias/equivalent to /var/www/html. Adding a rule
specifically for /<actual>/<path>/htdocs would result in ambiguity.

Based on the equivalence rules, it follows that
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat is
equivalent to /var/www/html/<website>/cgi-bin/Counter/data/image.dat.

So if you wanted to create a file context specification for your aliased
path, you need to create it using the path of the alias' target. E.g.,

$ semanage fcontext -a -t httpd_sys_rw_content_t
'/var/www/html/[^/]+/cgi-bin/Counter/data/image.dat'

Now `matchpathcon /<actual>/<path>/htdocs/<website>/{..snip..}` should
return a context with the correct type.
Post by mark
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat system_u:object_r:httpd_sys_script_exec_t:s0
And of course there's no <website> under /var/www/html/
No, and there doesn't have to be. These semanage-fcontext inputs are
just regexps to match pathnames, not paths to files on the filesystem.
To the SELinux labeling system, your files _are_ under
/var/www/html/<website>.
Post by mark
mark
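To make Gary's explanation concrete, here is a small model of how an equivalence rule and file-context specs combine to label a path. This is an added example, not code from the thread or from SELinux itself: it is a simplified imitation of semanage/libselinux behaviour, and the rule lists and paths are constructed (/srv/ourpath/htdocs stands in for /<actual>/<path>/htdocs; the two "distro" specs are made up to resemble httpd policy entries and to reproduce the httpd_sys_script_exec_t label seen in the thread, not copied from a real file_contexts).

```python
import re

# Constructed equivalence rule, as created by
#   semanage fcontext -a -e /var/www/html /srv/ourpath/htdocs
# Every path under the source is labeled as if it lived under the target.
EQUIVALENCES = {"/srv/ourpath/htdocs": "/var/www/html"}

# Constructed (regex, type) specs standing in for the distro policy.
# Real file_contexts entries differ; these just reproduce the thread's symptom.
DISTRO_SPECS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/html/[^/]+/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]

# The local rule Gary suggested, written against the equivalence *target*.
LOCAL_SPECS = [
    (r"/var/www/html/[^/]+/cgi-bin/Counter/data/image\.dat", "httpd_sys_rw_content_t"),
]


def canonicalize(path):
    """Rewrite a path through the longest matching equivalence source prefix."""
    best = None
    for src in EQUIVALENCES:
        if (path == src or path.startswith(src + "/")) and (best is None or len(src) > len(best)):
            best = src
    if best is None:
        return path
    return EQUIVALENCES[best] + path[len(best):]


def validate_spec(spec):
    """Mimic semanage refusing a spec that sits under an equivalence source.

    Returns (accepted, spec_to_use). When the spec is rejected, the suggested
    replacement is the same spec rewritten onto the equivalence target, which
    is what the ValueError in the thread proposes.
    """
    rewritten = canonicalize(spec)
    return rewritten == spec, rewritten


_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def _stem(regex):
    """Literal prefix of a spec up to its first regex metacharacter."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def match_type(path, specs=None):
    """Type a path would receive: canonicalize, then pick the matching spec
    with the longest literal stem; on a tie the later entry wins, which is
    why a local rule appended after the distro rules takes precedence.
    (Simplified model of libselinux's most-specific-match rule.)"""
    if specs is None:
        specs = DISTRO_SPECS + LOCAL_SPECS
    canon = canonicalize(path)
    best = None
    for idx, (rx, t) in enumerate(specs):
        if re.fullmatch(rx, canon):
            key = (len(_stem(rx)), idx)
            if best is None or key > best[0]:
                best = (key, t)
    return None if best is None else best[1]


if __name__ == "__main__":
    img = "/srv/ourpath/htdocs/site/cgi-bin/Counter/data/image.dat"
    print("equivalent path:", canonicalize(img))
    print("spec under alias accepted?", validate_spec(img))
    print("spec under target accepted?", validate_spec(LOCAL_SPECS[0][0]))
    print("label without local rule:", match_type(img, DISTRO_SPECS))
    print("label with local rule:   ", match_type(img))
```

Run stand-alone it prints the rewritten path, shows that a spec written under the alias is rejected with the target-path suggestion while the regex spec under /var/www/html is accepted, and shows the label flipping from httpd_sys_script_exec_t to httpd_sys_rw_content_t once the local rule exists. On a real host the file itself keeps its old label until you run restorecon -Rv on it; semanage fcontext -l -C lists the local customizations, and matchpathcon on the aliased path confirms the result, as Gary says.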
mark
2018-07-11 17:18:52 UTC
Post by Gary Tierney
Post by mark
Date: Sat, 30 Jun 2018 11:22:43 +0200
As Lukas suggested, I tried to relabel the file. It didn't work,
and the reason is this: we have the web under our own root
directory, not under /var/www. We had done a semanage fcontext -e
/var/www <ourpath>.
When I tried to relabel, it suggested I try to relabel using the
/var/www path, which won't work.
No, it's telling you that you need to add the file context specification
under there, not relabel it.
Ok, now we're to a level of selinux that I don't know.
Post by Gary Tierney
Post by mark
Is there any way around this?
<snip>
Post by Gary Tierney
You can't add a file context specification under /<actual>/<path>/htdocs
because it is an alias/equivalent to /var/www/html. Adding a rule
specifically for /<actual>/<path>/htdocs would result in ambiguity.
Based on the equivalence rules, it follows that
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat is
equivalent to /var/www/html/<website>/cgi-bin/Counter/data/image.dat.
So if you wanted to create a file context specification for your aliased
path, you need to create it using the path of the alias' target. E.g.,
$ semanage fcontext -a -t httpd_sys_rw_content_t
'/var/www/html/[^/]+/cgi-bin/Counter/data/image.dat'
Now `matchpathcon /<actual>/<path>/htdocs/<website>/{..snip..}` should
return a context with the correct type.
Post by mark
/<actual>/<path>/htdocs/<website>/cgi-bin/Counter/data/image.dat
system_u:object_r:httpd_sys_script_exec_t:s0
And of course there's no <website> under /var/www/html/
No, and there doesn't have to be. These semanage-fcontext inputs are
just regexps to match pathnames, not paths to files on the filesystem. To
the SELinux labeling system, your files _are_ under
/var/www/html/<website>.
THANK YOU!

One of my goals at work is to reduce noise in /var/log/messages, so I can
see what actually matters, and this will shut up one more useless message,
so I can get back to seeing attempts to get in from Brazil, and China,
and....

The help was very much appreciated.

mark