Support #7369
Installer fails to support Linux with SELinux enabled
Description
The installer fails to report correctly why directories with perms 0777 are not writable by the web server when installing on Linux with SELinux enabled.
For reference, here is a manual solution and a tip that might be integrated into the installer, assuming Chamilo is installed in /var/www/chamilo-1.9.8.2. This was developed/tested on a CentOS 7 server (minimal installation).
<pre>
#!/bin/sh -ex
# FIX SELinux in Chamilo during installation
# For one directory: set the httpd read/write label, record it as a persistent
# file-context rule, apply the rule, and show the result.
# Caveats: the rule is a regular expression and the bare path only covers the
# directory itself ("$1(/.*)?" would also cover what is created beneath it);
# 'semanage fcontext --add' fails on a re-run if the rule already exists
# (use --modify), and -e then aborts the script.
fixselinux() {
    chcon --user system_u --role object_r --type httpd_sys_rw_content_t "$1"
    semanage fcontext --add --type httpd_sys_rw_content_t "$1"
    restorecon -Rv "$1"
    ls -dZ "$1"
}

fixselinux /var/www/chamilo-1.9.8.2/main/inc/conf
fixselinux /var/www/chamilo-1.9.8.2/main/upload/users
fixselinux /var/www/chamilo-1.9.8.2/main/default_course_document/images
fixselinux /var/www/chamilo-1.9.8.2/archive
fixselinux /var/www/chamilo-1.9.8.2/courses
fixselinux /var/www/chamilo-1.9.8.2/home
fixselinux /var/www/chamilo-1.9.8.2/main/css
# Might have issues
#fixselinux /var/www/chamilo-1.9.8.2/main/lang   # Not recommended due to world writable php files.
</pre>
The result of the above can be displayed using semanage:
<pre>
# semanage fcontext --list|grep ^/var/www/chamilo
/var/www/chamilo-1.9.8.2/archive                              all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/courses                              all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/home                                 all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/main/css                             all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/main/default_course_document/images  all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/main/inc/conf                        all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/main/lang                            all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/chamilo-1.9.8.2/main/upload/users                    all files   system_u:object_r:httpd_sys_rw_content_t:s0
</pre>
Permissions and SELinux contexts of the directories in question turned out like this:
<pre>
# ls -Zd archive/ courses/ home/ main/css main/default_course_document/images/ main/inc/conf main/lang main/upload/users
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 archive/
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 courses/
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 home/
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/css
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/default_course_document/images/
dr-xr-xr-x. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/inc/conf
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/lang
drwxrwxrwx. root root system_u:object_r:httpd_sys_rw_content_t:s0 main/upload/users
</pre>
The main/inc/conf was chmod 0555 by hand after installation.
The installer created the directories above as '0777 root.root' (quite permissive).
New files are created '644 apache.apache' (0640 might do)
New directories are created '755 apache.apache' (0750 might do)
The writable directories are somewhat dispersed across the tree ...
On network connection to the database when SELinux is enabled
If the database server is located on another machine, then SELinux has to allow the web server to connect to databases over the network, like this:
<pre>
# setsebool -P httpd_can_network_connect_db 1
</pre>
The log will say:
<pre>
setsebool: The httpd_can_network_connect_db policy boolean was changed to 1 by root
</pre>
Having 0777 on main/lang/ might be a separate security issue.
In the hope this might be useful to someone at some time, please pardon the length of this message.
---
...torkil...
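Added example (editor's note, not part of the ticket, torkil's script, or the Chamilo installer): a POSIX shell check of the kind the report asks the installer for. For each directory Chamilo 1.9.8.2 needs writable it separates "the Unix mode forbids writing" from "SELinux forbids writing although the mode is 0777", prints the semanage/restorecon fix for the latter (with the `(/.*)?` pattern so the rule also covers files created beneath the directory, which the bare-path rule above does not), and reports the httpd_can_network_connect_db boolean. Assumptions: GNU coreutils stat (`-c %a` / `-c %C`), getenforce and getsebool from policycoreutils (if absent, SELinux is treated as inactive), root-owned directories as in the ticket so only the "others" write bit is considered, and the directory list from the post. The function names and the CHAMILO install-root argument are the editor's.

```shell
#!/bin/sh
# Added example, not Chamilo installer code: explain why a 0777 directory is
# still not writable by httpd on a host where SELinux is enforcing.
# Assumptions: GNU stat (-c %a / %C); getenforce/getsebool from policycoreutils
# (if missing, SELinux is treated as inactive); directories are root-owned as in
# the ticket, so only the "others" write bit is considered.

# Directories Chamilo 1.9.8.2 needs writable, relative to the install root
# (the list from the ticket; main/lang deliberately left out).
WRITABLE_DIRS="main/inc/conf main/upload/users main/default_course_document/images
archive courses home main/css"

# Third field of a context such as system_u:object_r:httpd_sys_rw_content_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if the context's type is one the httpd domain is allowed to write to.
context_allows_httpd_write() {
    case "$(selinux_type "$1")" in
        httpd_sys_rw_content_t|httpd_user_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Pure decision: $1 octal mode (e.g. 777), $2 file context ('?' when none),
# $3 getenforce output (Enforcing/Permissive/Disabled). Prints one word:
#   mode        others have no write bit, SELinux is irrelevant
#   inactive    SELinux disabled or no context available, label not checked
#   selinux     mode permits writing but the label does not, policy enforced
#   permissive  same label problem, but only logged (Permissive mode)
#   ok          both the mode and the label permit httpd to write
classify() {
    mode=$1 ctx=$2 enforce=$3
    case "$mode" in
        *[2367]) ;;                       # "others" write bit is set
        *) echo mode; return ;;
    esac
    case "$ctx" in
        ''|'?') echo inactive; return ;;  # stat had no context to report
    esac
    if context_allows_httpd_write "$ctx"; then
        echo ok
    elif [ "$enforce" = Enforcing ]; then
        echo selinux
    elif [ "$enforce" = Permissive ]; then
        echo permissive
    else
        echo inactive                     # Disabled: labels on disk are not checked
    fi
}

# "httpd_can_network_connect_db --> off"  ->  "off"
boolean_state() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Gather the facts for one directory and print a human-readable verdict.
explain_dir() {
    d=$1
    [ -d "$d" ] || { printf 'MISSING  %s\n' "$d"; return; }
    mode=$(stat -c %a "$d")
    ctx=$(stat -c %C "$d" 2>/dev/null || echo '?')
    enforce=$(getenforce 2>/dev/null || echo Disabled)
    case "$(classify "$mode" "$ctx" "$enforce")" in
        ok)         printf 'OK       %s (mode %s, %s)\n' "$d" "$mode" "$ctx" ;;
        inactive)   printf 'OK       %s (mode %s, SELinux not active)\n' "$d" "$mode" ;;
        mode)       printf 'DENIED   %s: mode %s gives others no write access\n' "$d" "$mode" ;;
        permissive) printf 'WARNING  %s: label %s is not writable by httpd; allowed only because SELinux is Permissive\n' "$d" "$(selinux_type "$ctx")" ;;
        selinux)    printf 'DENIED   %s: mode %s is fine, but SELinux (Enforcing) label %s is not writable by httpd\n' "$d" "$mode" "$(selinux_type "$ctx")"
                    printf '         fix: semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?" && restorecon -Rv "%s"\n' "$d" "$d" ;;
    esac
}

# Report on the boolean needed when the database lives on another host.
explain_db_boolean() {
    out=$(getsebool httpd_can_network_connect_db 2>/dev/null) || { echo 'INFO     getsebool unavailable, SELinux not active'; return; }
    if [ "$(boolean_state "$out")" = on ]; then
        echo 'OK       httpd may connect to remote databases'
    else
        echo 'NOTE     a remote database will fail: setsebool -P httpd_can_network_connect_db 1'
    fi
}

main() {
    root=$1
    for rel in $WRITABLE_DIRS; do
        explain_dir "$root/$rel"
    done
    explain_db_boolean
}

# Only touch the filesystem when given an install root, e.g.
#   sh selinux-check.sh /var/www/chamilo-1.9.8.2
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

The decision logic is kept in `classify`, which takes the mode, context and enforcement state as plain strings, so an installer can reuse it (or port it to PHP) and it can be exercised without an SELinux host; `explain_dir` is the only part that reads the filesystem.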
History
Updated by Yannick Warnier about 6 years ago
- Category set to Installation / Migration
- Target version set to 1.10.0
Updated by Yannick Warnier about 6 years ago
The writable directories are somewhat dispersed across the tree ...
Yes, we are working on this for the next major version of Chamilo (one single writeable directory).
For the rest, I have set this task for inclusion in 1.9.12, which should hopefully get out around February 2015 (we are just finishing the beta release of 1.9.10). Technically, I don't like system-specific procedures, but SELinux is pretty common and we'll try to include this somehow, be it mostly to thank you for your efforts ;-)
Updated by Yannick Warnier almost 6 years ago
- Tracker changed from Bug to Support
- Target version changed from 1.10.0 to 2.0
I'm moving this to support of 2.0. It is a specific case we haven't faced until now. We won't be able to work on this for 1.10.0, but thank you for reporting.
The directory structure will change in both 1.10.0 and 2.0 (reduction of directories requiring permissions changes), so this might slowly become obsolete.
Updated by Yannick Warnier over 5 years ago
Hi Torkil,
We made efforts in 1.10.0 (to be released as beta in June) to reduce the number of writeable directories to 3. Hopefully, this will already help a little.
Regarding the SELinux-specific permissions, are these commands something that we can launch as the webserver? I doubt it as they seem to require permissions that are out of the scope of www-data/httpd user, but in your case permissions show as user "root", which probably means you unzipped them as root or changed their permissions to root at some point. I would be interested in knowing your complete procedure here.
Also, I suppose you have to have access to the command line to launch your script there. What do you do if you are on a CPanel with SELinux (or is that an impossible combination)?