Home / server / Questions / 259958
In Process
Michael Mao
Asked: 2011-04-15 21:13:34 +0800 CST

How to disable SELinux for Apache httpd only on my Fedora 14?

  • 772

By following this link I am able to just turn SELinux off completely from my Fedora 14. But I wonder how could I disable SELinux only for the httpd daemon? I don't have system-config-selinux installed and due to company firewall policy I have got to search for the RPMs from pkgs.org in order to install any package. So is there a way to get this sorted out?

Edit:

Summary:

SELinux is preventing /opt/ibm/cognos/c10/cgi-bin/cognos.cgi "execute" access to
/opt/ibm/cognos/c10/cgi-bin/libIBJStreamsDLL.so.

Detailed Description:

SELinux denied access requested by /opt/ibm/cognos/c10/cgi-bin/cognos.cgi.
/opt/ibm/cognos/c10/cgi-bin/cognos.cgi is mislabeled.
/opt/ibm/cognos/c10/cgi-bin/cognos.cgi default SELinux type is bin_t, but its
current type is bin_t. Changing this file back to the default type, may fix your
problem.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/opt/ibm/cognos/c10/cgi-bin/cognos.cgi'.

Fix Command:

/sbin/restorecon '/opt/ibm/cognos/c10/cgi-bin/cognos.cgi'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                /opt/ibm/cognos/c10/cgi-bin/libIBJStreamsDLL.so [
                              file ]
Source                        cognos.cgi
Source Path                   /opt/ibm/cognos/c10/cgi-bin/cognos.cgi
Port                          <Unknown>
Host                          mm2fedora.syd.cog
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restore_source_context
Host Name                     mm2fedora.syd.cog
Platform                      Linux mm2fedora.syd.cog 2.6.35.6-45.fc14.i686 #1
                              SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   18
First Seen                    Fri 15 Apr 2011 02:12:44 PM EST
Last Seen                     Fri 15 Apr 2011 02:33:11 PM EST
Local ID                      409e250f-049f-49c0-89f6-7155e4643868
Line Numbers                  

Raw Audit Messages            

node=mm2fedora.syd.cog type=AVC msg=audit(1302841991.999:22392): avc:  denied  { execute } for  pid=28242 comm="cognos.cgi" path="/opt/ibm/cognos/c10/cgi-bin/libIBJStreamsDLL.so" dev=dm-0 ino=138263 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=mm2fedora.syd.cog type=SYSCALL msg=audit(1302841991.999:22392): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1bc08 a2=5 a3=802 items=0 ppid=27923 pid=28242 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="cognos.cgi" exe="/opt/ibm/cognos/c10/cgi-bin/cognos.cgi" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

As advised I run the suggested fix command: /sbin/restorecon '/opt/ibm/cognos/c10/cgi-bin/cognos.cgi' many times but unfortunately. by disabling SELinux completely I can see this web app works. I am researching on this topic myself right now like how to enable SELinux globally while only disabling it for httpd. Must not be the best approach but since this is only a test case that would be just fine for me and my team.

The hint I got from Fedora 13's SELinux FAQ is here so I personally believe there is a way with system-config-selinux, I just don't know the details...

apache-2.2 security fedora httpd selinux

6 Answers

  1. Converting my earlier comment into an answer, to popular demand ;)

    From the you-learn-something-everyday department: I saw Dan Walsh give a presentation yesterday, in which he explained the new way of disabling confinement for applications in newer releases of Fedora and EL6. You no longer set a boolean to disable transition (which sometimes causes a cascade in booleans that need to be set for everything to work), but you put a certain type in permissive mode. You do this by running the 'semanage permissive -a TYPE' command (in your case 'semanage permissive -a httpd_t'). This leaves SELinux on for httpd_t, but in permissive mode. – wzzrd May 20 '11 at 8:45

    • 4

  2. For Fedora 14, like in el6, I think you can just unload the http SELinux module, by running

    semodule -r httpd

    That'll probably make httpd run as initrc_t or unconfined_t.

    If that doesn't work for F14, you can turn off the SELinux boolean (the 'old' way, from el5), like this:

    setsebool httpd_disable_trans 1

    and use

    setsebool -P httpd_disable_trans 1

    to make it permanent

    • 3

  3. The qustion is not entirely clear - what exactly is your intent?
    I'll assume that you are not trying to open the HTTP port, as that would be done with the firewall instead of Selinux itself.
    So, perhaps you are looking to allow the httpd daemon to write to some directory that is not under the usual document root?
    If so, then you need to read up on the Selinux permissions and set them for the directories you want to access.
    Here is a place to read about it:
    http://wiki.centos.org/HowTos/SELinux

    It is relevant because both Fedora and Centos are related to Red Hat, so this will likely help.

    [Edit]
    Please try this:
    chcon -t textrel_shlib_t ThePathToTheFile

    That was suggested by PabloTwo in this post:
    http://www.fedoraforum.org/forum/showthread.php?t=252552

    It was also suggested by IBM in this post:
    https://www-304.ibm.com/support/docview.wss?uid=swg21454550

    • 1

  4. I'm not sure how you turn off SELinux for a single service - I suspect you can't.

    But what you can do is use runcon to set the apache process to run in an unconstrained context.

    You can sort of think of runcon as sudoers for selinux. It lets you specify what context to run a process in.

    You'd need to modify your apache startup script by adding something like:

    runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

    Into the portion of the httpd startup script that actually invokes apache.

    On my Fedora FC14 host I would change this line:

    LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS

    To read something like:

    LANG=$HTTPD_LANG daemon --pidfile=${pidfile} runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 $httpd $OPTIONS

    PS I haven't actually tested this in my apache start up script, so the above isa guess as to exactly where I'd need to put it, but I have definitely used runcon to allow processes to run unconstrained before, so it will work, you just need to find the right place.

    • 1

  5. There is no boolean to globally disable SELinux for httpd. Having said that, you should read the httpd_selinux(8) man page for the relevant file contexts you should use; in your case you want httpd_sys_script_exec_t or httpd_unconfined_script_exec_t, and can use chcon to set it temporarily to test, and semanage to set it permanently.

    • 1

  6. I also had the same problem when I was using GBrowse2. GBrowse2 saves temporary files in non-webroot locations and sets locks on sessions outside the webroot. Since GBrowse2 runs on Apache, SELinux dint allow httpd to access/modify directories outside webroot. I followed the link provided in the previous post:

    " Here is a place to read about it: http://wiki.centos.org/HowTos/SELinux "

    Although it doesn't give the complete instructions on how solve the problem, it helped me a lot (Section 4: SELinux Access Control). It gave me an idea about how SELinux distinguishes between webroot and non-webroot files. You need to change the type of the non-webroot folder/file to the one which is compatible with the httpd process type. This type can be set using the commands given in the SELinux error details (semanage and restorecon commands). After fixing the type of non-webroot folder, the GBrowse2 could smoothly create new files in the non-webroot folder whose type was changed.

    • 1