
Support #7369

Installer fails to support Linux with SELinux enabled

Added by Torkil Zachariassen about 4 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Installation / Migration
Target version: (none)
Start date: 04/11/2014
Due date: (none)
% Done: 0%
Estimated time: (none)
Complexity: Normal
SCRUM pts - complexity: ?

Description

The installer fails to report correctly why directories with perms 0777 are not writable by the web server when installing on Linux with SELinux enabled.

For reference, here is a manual solution and a tip that might be integrated into the installer, assuming Chamilo is installed in /var/www/chamilo-1.9.8.2. This was developed/tested on a CentOS 7 server (minimal installation).

#!/bin/sh -ex
# FIX SELinux in Chamilo during installation
# Label a directory so that httpd may write to it (targeted-policy type httpd_sys_rw_content_t)
function fixselinux {
  # Change the live label of the directory now (not recursive)
  chcon --user system_u --role object_r --type httpd_sys_rw_content_t "$1"
  # Record the rule in the policy database so the label survives a relabel;
  # the pattern is the literal path, so it matches the directory itself only
  semanage fcontext --add               --type httpd_sys_rw_content_t "$1"
  # Reapply labels from the policy database and show the result
  restorecon -Rv "$1"
  ls -dZ "$1"
}
fixselinux /var/www/chamilo-1.9.8.2/main/inc/conf
fixselinux /var/www/chamilo-1.9.8.2/main/upload/users
fixselinux /var/www/chamilo-1.9.8.2/main/default_course_document/images
fixselinux /var/www/chamilo-1.9.8.2/archive
fixselinux /var/www/chamilo-1.9.8.2/courses
fixselinux /var/www/chamilo-1.9.8.2/home
fixselinux /var/www/chamilo-1.9.8.2/main/css   # Might have issues
#fixselinux /var/www/chamilo-1.9.8.2/main/lang # Not recommended due to world writable php files.

The result of the above can be displayed using semanage

# semanage fcontext --list|grep ^/var/www/chamilo

/var/www/chamilo-1.9.8.2/archive                   all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/courses                   all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/home                      all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/main/css                  all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/main/default_course_document/images 
                                                   all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/main/inc/conf             all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/main/lang                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/chamilo-1.9.8.2/main/upload/users         all files          system_u:object_r:httpd_sys_rw_content_t:s0 

Permissions and SELinux contexts of the directories in question turned out like this

# ls -Zd archive/ courses/ home/ main/css main/default_course_document/images/ main/inc/conf main/lang main/upload/users

drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 archive/
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 courses/
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 home/
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/css
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/default_course_document/images/
dr-xr-xr-x. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/inc/conf
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/lang
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/upload/users

The main/inc/conf was chmod 0555 by hand after installation.

The installer created the directories above as '0777 root.root' (quite permissive).
New files are created '644 apache.apache' (0640 might do).
New directories are created '755 apache.apache' (0750 might do).

The writable directories are somewhat dispersed across the tree ...


On network connection to the database when SELinux is enabled

If the database server is located on another machine, then the web server has to be allowed by SELinux to connect to databases over the network, like this:

# setsebool -P httpd_can_network_connect_db 1

The log will say:
setsebool: The httpd_can_network_connect_db policy boolean was changed to 1 by root


Having 0777 on main/lang/ might be a separate security issue.

In the hope this might be useful to someone at some time, please pardon the length of this message.

---
...torkil...
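The ticket's core complaint is that the installer only sees a 0777 directory and cannot say why writes still fail. The following is an added example, not the reporter's script and not Chamilo code, of the check an installer could run to separate the DAC answer (the mode bits) from the MAC answer (the SELinux type and enforcement mode). The list of httpd-writable types assumes the stock CentOS 7 targeted policy; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the ticket): explain why a directory is or is not
# writable by httpd, taking SELinux into account.

# Extract the type field (third colon-separated component) of a security context,
# e.g. system_u:object_r:httpd_sys_rw_content_t:s0 -> httpd_sys_rw_content_t
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Types in the stock targeted policy that allow httpd to create and modify files.
# Assumption: CentOS 7 targeted policy; other distributions may define more types.
httpd_writable_type() {
  case "$1" in
    httpd_sys_rw_content_t|httpd_user_rw_content_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Does the octal mode grant write to "other"? The ticket's directories are
# root-owned 0777, so the "other" bit is the one that matters for httpd there.
world_writable_mode() {
  case "$1" in
    *[2367]) return 0 ;;
    *) return 1 ;;
  esac
}

# Pure diagnosis: given octal mode, SELinux context and enforcement state
# (Enforcing/Permissive/Disabled), print one explanatory line.
# Returns 0 when httpd can write, 1 otherwise.
explain_label() {
  mode=$1
  ctx=$2
  enforce=$3
  ftype=$(context_type "$ctx")
  if ! world_writable_mode "$mode"; then
    printf 'not writable: DAC mode %s denies write\n' "$mode"
    return 1
  fi
  if [ "$enforce" = Enforcing ] && ! httpd_writable_type "$ftype"; then
    printf 'not writable: mode %s allows it but SELinux type %s denies httpd write (need httpd_sys_rw_content_t)\n' "$mode" "$ftype"
    return 1
  fi
  printf 'writable: mode %s, SELinux type %s, SELinux %s\n' "$mode" "$ftype" "$enforce"
  return 0
}

# Live wrapper for a real path: GNU stat %a gives the octal mode, %C the SELinux
# context; getenforce reports the mode. Without SELinux tooling we report Disabled.
check_dir() {
  dir=$1
  mode=$(stat -c '%a' "$dir") || return 2
  ctx=$(stat -c '%C' "$dir" 2>/dev/null || echo '?:?:unlabeled_t:?')
  enforce=$(getenforce 2>/dev/null || echo Disabled)
  explain_label "$mode" "$ctx" "$enforce"
}

# Usage: sh check_dirs.sh /var/www/chamilo-1.9.8.2/archive /var/www/chamilo-1.9.8.2/courses
if [ $# -gt 0 ]; then
  for d in "$@"; do
    printf '%s: ' "$d"
    check_dir "$d"
  done
fi
```

The point of splitting `explain_label` from `check_dir` is that the explanation is testable without an SELinux host: the installer's message should name the denying layer (mode bits versus SELinux type) rather than reporting a generic "not writable", which is exactly what the reporter found missing.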

History

#1

Updated by Yannick Warnier about 4 years ago

  • Category set to Installation / Migration
  • Target version set to 1.10.0

#2

Updated by Yannick Warnier about 4 years ago

The writable directories are somewhat dispersed across the tree ...

Yes, we are working on this for the next major version of Chamilo (one single writeable directory).

For the rest, I have set this task for inclusion in 1.9.12, which should hopefully get out around February 2015 (we are just finishing the beta release of 1.9.10). Technically, I don't like system-specific procedures, but SELinux is pretty common and we'll try to include this somehow, be it mostly to thank you for your efforts ;-)

#3

Updated by Yannick Warnier almost 4 years ago

  • Tracker changed from Bug to Support
  • Target version changed from 1.10.0 to 2.0

I'm moving this to support of 2.0. It is a specific case we haven't faced until now. We won't be able to work on this for 1.10.0, but thank you for reporting.
Directories structure will change in both 1.10.0 and 2.0 (reduction of directories requiring permissions changes), so this might slowly become obsolete.

#4

Updated by Yannick Warnier over 3 years ago

Hi Torkil,

We made efforts in 1.10.0 (to be released as beta in June) to reduce the number of writeable directories to 3. Hopefully, this will already help a little.
Regarding the SELinux-specific permissions, are these commands something that we can launch as the webserver? I doubt it as they seem to require permissions that are out of the scope of www-data/httpd user, but in your case permissions show as user "root", which probably means you unzipped them as root or changed their permissions to root at some point. I would be interested in knowing your complete procedure here.

Also, I suppose you have to have access to the command line to launch your script there. What do you do if you are on a CPanel with SELinux (or is that an impossible combination)?
