
Howto: Running Gallery with SELinux enabled


macemoneta
2004-12-13, 09:37 AM CST
Gallery (http://gallery.menalto.com/) is a popular web-based photo album. Using it under SELinux requires that you have the file contexts set properly, as well as allowing some operations that are disallowed in the default targeted policy.

Here's the procedure:

1. Install the software: httpd, php, mysql, gallery, etc.
2. Install the source for the targeted policy:

yum -y install selinux-policy-targeted-sources

3. Reset the file contexts:

rpm -ql php | restorecon -R -v -f -
rpm -ql php-mysql | restorecon -R -v -f -
rpm -ql httpd | restorecon -R -v -f -
rpm -ql mysql-server | restorecon -R -v -f -
service mysqld restart
service httpd restart

4. For any directories that contain web content that isn't in the /var/www/html subdirectory, assign the correct context:

chcon -R -t httpd_sys_content_t /some/directory/

5. Create a local policy:

vi /etc/selinux/targeted/src/policy/domains/misc/local.te

allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_log_t:file write;
allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_sys_content_t:dir { add_name read setattr write };
allow httpd_sys_script_t httpd_sys_content_t:file { create setattr write };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
allow httpd_sys_script_t self:capability { dac_override dac_read_search };
allow httpd_sys_script_t self:unix_dgram_socket { connect create getattr write };
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
allow httpd_sys_script_t tmp_t:lnk_file read;
allow httpd_sys_script_t var_spool_t:dir { add_name getattr read remove_name search write };
allow httpd_sys_script_t var_spool_t:file { create getattr lock write read unlink };
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_t httpd_log_t:file unlink;


6. Reload the modified policy:

cd /etc/selinux/targeted/src/policy/
make reload

7. Run system-config-securitylevel, and in the SELinux tab make sure:

a. Enforcing is enabled (checked)
b. Policy type: targeted
c. Under HTTPD Service:

i. If you need it, check "Allow HTTPD to read home directories"
ii. Uncheck "Disable SELinux protection for httpd daemon"
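
The allow rules in step 5 are the kind you get by reading the AVC denial messages that SELinux writes to the system log while Gallery runs, and turning each distinct (source type, target type, object class) combination into one rule. As an added example that is not part of the original post, the script below does exactly that derivation over a few constructed denial lines: the log lines, PIDs, inode numbers and the function names sample_avc_log and avc_to_allow are all made up for illustration. It ignores non-denial lines, de-duplicates repeated denials, sorts the permissions, and writes "self" when source and target type are the same, so the output has the same shape as the local.te rules above.

```shell
#!/bin/sh
# Added example: derive SELinux allow rules from AVC denial log lines.
# Not part of the original post; sample_avc_log and avc_to_allow are
# illustrative names, and the log lines below are constructed.

# Constructed sample of the "avc: denied" messages the FC3-era kernel
# logged (PIDs, inodes and timestamps are invented).
sample_avc_log() {
    cat <<'EOF'
audit(1102964242.768:0): avc:  denied  { write } for  pid=4711 exe=/usr/sbin/httpd name=spool dev=hda2 ino=12345 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102964242.771:0): avc:  denied  { add_name } for  pid=4711 exe=/usr/sbin/httpd name=sess_abc dev=hda2 ino=12345 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102964242.775:0): avc:  denied  { create } for  pid=4711 exe=/usr/sbin/httpd name=sess_abc dev=hda2 ino=12346 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1102964242.790:0): avc:  denied  { write } for  pid=4711 exe=/usr/sbin/httpd name=spool dev=hda2 ino=12345 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102964243.001:0): avc:  denied  { sendto } for  pid=4711 exe=/usr/sbin/httpd path=/dev/log scontext=root:system_r:httpd_sys_script_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
audit(1102964243.105:0): avc:  denied  { dac_override } for  pid=4711 exe=/usr/sbin/httpd capability=1 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
audit(1102964243.200:0): avc:  granted  { setenforce } for  pid=2201 exe=/usr/sbin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
EOF
}

# Read AVC messages on stdin, print one "allow" rule per
# (source type, target type, class), permissions sorted and de-duplicated.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # The permission list sits between the braces after "denied".
        perms = $0
        sub(/^.*denied[ ]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/)      { split(substr($i, 10), f, ":"); s = f[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); t = f[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        if (t == s) t = "self"      # policy shorthand for "same domain"
        key = s SUBSEP t SUBSEP c
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : (seen[key] " " p[j])
    }
    END {
        for (key in seen) {
            split(key, k, SUBSEP)
            n = split(seen[key], p, " ")
            # Insertion sort so permissions come out alphabetically.
            for (a = 2; a <= n; a++) {
                v = p[a]
                for (b = a - 1; b >= 1 && p[b] > v; b--) p[b + 1] = p[b]
                p[b + 1] = v
            }
            out = p[1]
            for (a = 2; a <= n; a++) out = out " " p[a]
            if (n > 1) out = "{ " out " }"
            print "allow " k[1] " " k[2] ":" k[3] " " out ";"
        }
    }' | LC_ALL=C sort
}

# Usage: feed the denials in, review the rules, then paste the ones you
# actually want into local.te.
sample_avc_log | avc_to_allow
```

On a real system you would feed it the denial lines from /var/log/messages (or the audit log) instead of the constructed sample; the audit2allow tool in policycoreutils does the same job for real. Either way, read each generated rule before adding it to local.te rather than allowing everything the log suggests: a rule like `allow httpd_sys_script_t self:capability dac_override;` lets every CGI/PHP script in that domain bypass ordinary file permission checks, so confirm that the denial came from something Gallery genuinely needs and not from a mislabelled directory that chcon or restorecon would fix instead.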

Bana
2005-06-24, 06:44 PM CDT
Excellent, I was looking for this :) Any chance of this being a bug to put on bugzilla?