HTTPD on FAT with SELinux

Section: Linux

SELinux is a great addition to a secure Linux install. Although Linux has very few viruses and almost no malware in the wild, there is still the potential for misbehaving applications. As such, and because this is my main desktop machine, I try to keep SELinux running. I also do web development for my websites on the machine and run a local web server, so both Apache and SELinux are running on the same machine.

The only problem with SELinux is that it can be a bit too strict with some apps. Many of the errors it throws up don't stop programs from working, but it is very picky about file contexts. Unfortunately, that is exactly the thing that can stop Apache serving files from a FAT partition.

The problem

With a standard configuration Apache would load fine, but instead I keep the web root on a separate partition. This partition ends up with a context of "dosfs_t" because it is a FAT partition, but SELinux only lets Apache serve files from files and folders that have a "httpd_sys_content_t" context. When you try to start Apache with this configuration, a message along the following lines occurs:

SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html (dosfs_t)

Although Fedora 8 comes with the "SELinux Troubleshooter", its advice is to relabel the file system with the correct context, but FAT file systems cannot store context data, so this won't help. The result was that Apache simply wouldn't start, because it didn't consider /var/www/html a valid folder.

The make-shift solution

This is the simplest option, but also the most insecure and the most effort. It involves starting the SELinux Manager every time you want to run the server and dropping back to "permissive" mode. This is similar to "enforcing" in that SELinux will still complain and log errors, but it won't actually stop the application doing what it is complaining about. The even more drastic option is to disable SELinux completely. All of this seemed a bit too much just to get Apache to run properly, though.

The old solution

In Fedora 7 there was a policy (httpd_disable_trans) that you could enable that would completely stop SELinux from securing HTTPD. Unfortunately Fedora 8 doesn't include the same policy and so it can't just be enabled as an easy fix.

The real solution

Thanks to a post on FedoraForum.org I finally got a pointer in the right direction. The solution is to label the partition correctly when it is mounted. To do this you need to append an extra option to the relevant line in your "fstab" file. The option you require is:

,context=system_u:object_r:httpd_sys_content_t:s0

This additional option labels your partition as "httpd_sys_content_t" so that Apache can serve files from it and use it as /var/www/html. The same option should be applicable to any partition for any context.

The final functional line in my /etc/fstab file is now:

/dev/sda5 /var/www/html vfat defaults,uid=48,gid=100,fmask=113,dmask=002,context=system_u:object_r:httpd_sys_content_t:s0 0 0
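As an added check (not part of the original post), the following POSIX shell snippet parses an fstab entry like the one above, confirms that a context= option with a well-formed user:role:type:level label is present and that its type is httpd_sys_content_t, and works out the file and directory modes that the fmask/dmask values produce. The sample entry is the line from this post; the function names are my own.

```shell
#!/bin/sh
# Sample input: the fstab entry from the post, embedded here so the script runs offline.
FSTAB_LINE='/dev/sda5 /var/www/html vfat defaults,uid=48,gid=100,fmask=113,dmask=002,context=system_u:object_r:httpd_sys_content_t:s0 0 0'

# Print the value of a key=value mount option ($2) from an fstab line ($1); prints nothing if absent.
fstab_opt() {
  printf '%s\n' "$1" | awk -v key="$2" '{
    n = split($4, opts, ",")          # field 4 of an fstab line is the options list
    for (i = 1; i <= n; i++) {
      eq = index(opts[i], "=")
      if (eq > 0 && substr(opts[i], 1, eq - 1) == key) { print substr(opts[i], eq + 1); exit }
    }
  }'
}

# Print the SELinux type (third field) of a user:role:type:level label; prints nothing if malformed.
context_type() {
  printf '%s\n' "$1" | awk -F: 'NF == 4 { print $3 }'
}

# vfat fmask/dmask list the permission bits to *remove* from 0777; print the resulting octal mode.
mask_to_mode() {
  printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Report whether httpd_t will be allowed to read files on this mount when SELinux is enforcing.
check_fstab_entry() {
  ctx=$(fstab_opt "$1" context)
  if [ -z "$ctx" ]; then
    echo "NO-CONTEXT: FAT cannot store labels, so files will be dosfs_t and httpd_t will be denied"
    return 1
  fi
  setype=$(context_type "$ctx")
  case "$setype" in
    httpd_sys_content_t) echo "OK: mount labelled $setype (files $(mask_to_mode "$(fstab_opt "$1" fmask)"), dirs $(mask_to_mode "$(fstab_opt "$1" dmask)"))"; return 0 ;;
    "") echo "BAD-CONTEXT: expected user:role:type:level, got '$ctx'"; return 2 ;;
    *) echo "WRONG-TYPE: $setype is not the httpd_sys_content_t type Apache needs"; return 3 ;;
  esac
}

check_fstab_entry "$FSTAB_LINE"
```

Running it against the entry above reports the mount as OK with files mode 0664 and directories 0775; dropping the context= option produces the NO-CONTEXT warning that corresponds to the dosfs_t denial shown earlier.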

So my machine is additionally secured by running SELinux, I can run Apache without any context issues, Apache is still controlled by SELinux (unlike the old Fedora 7 method) and everything is running smoothly again.
