
[EP-tech] CentOS / SELinux



Hi John,
So I think there is a happy medium but my experience is that people do
not like spending forever battling SELinux, so someone has not come up
with a comprehensive list. I can add in a few more options to allow
read/write for Bazaar plugin installation. I would suggest:

chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/lib/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/bin/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/cgi/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/cfg/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/html/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/var/
I am surprised archive level var and html are not already there, as I
have to reckon that Apache would certainly create a lot of files in the
latter and there are admin options that need to be able to update
timestamp files in the archive's var directory.
If you have meprints you would also need:

chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/meprints/
It may be easier to allow the whole archive directory but if you have
an ssl directory with a key in it, you certainly would not want to
leave open any way for Apache to be able to overwrite this. As the
Bazaar can install new bin and cgi scripts unfortunately you cannot lock
down these directories at an archive level. The cgi directory would be
slightly easier to exploit, as the bin directory would rely on a cron
job existing that runs the script or a command line user running it by
hand.
That all said, it is probably sensible to use semanage rather than
chcon, so that the rules persist, otherwise if restorecon is run all
these rules would be lost.
Regards
David Newman
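The persistent variant David recommends (semanage fcontext rules followed by restorecon, instead of one-off chcon calls), written out as an added example that is not part of the original thread. It generates the rules for the directories listed above, skips anything under an ssl directory so key material never gets the read/write type, and only prints the commands unless explicitly told to apply them. The install path /usr/share/eprints and the archive id myrepo are placeholders.

```shell
#!/bin/sh
# Added example, not from the EPrints thread or project. Builds persistent
# SELinux file-context rules for the directories Apache must write to, so the
# labels survive a restorecon run (the chcon labels in the message do not).
# EPRINTS_PATH and ARCHIVE_ID are placeholders; override them in the environment.

EPRINTS_PATH="${EPRINTS_PATH:-/usr/share/eprints}"   # assumed install path
ARCHIVE_ID="${ARCHIVE_ID:-myrepo}"                    # placeholder archive id
RW_TYPE="httpd_sys_script_rw_t"

# Directories that need Apache read/write, as listed in the message.
# "ssl" is deliberately absent: a private key there must stay read-only to Apache.
rw_dirs() {
    printf '%s\n' \
        "$EPRINTS_PATH/lib" \
        "$EPRINTS_PATH/archives/$ARCHIVE_ID/bin" \
        "$EPRINTS_PATH/archives/$ARCHIVE_ID/cgi" \
        "$EPRINTS_PATH/archives/$ARCHIVE_ID/cfg" \
        "$EPRINTS_PATH/archives/$ARCHIVE_ID/html" \
        "$EPRINTS_PATH/archives/$ARCHIVE_ID/var"
}

# Guard: return 0 if the path may be labelled rw, 1 if it is (or is under) an
# ssl directory and must be left alone.
is_safe_rw_dir() {
    case "$1" in
        */ssl|*/ssl/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit one semanage rule per directory; the "(/.*)?" regex covers the directory
# and everything below it. restorecon then applies the stored rule to files
# that already exist. Unsafe paths are reported on stderr and skipped.
fcontext_commands() {
    rw_dirs | while IFS= read -r d; do
        if ! is_safe_rw_dir "$d"; then
            printf 'skipping %s: ssl directory must not be writable by Apache\n' "$d" >&2
            continue
        fi
        printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$RW_TYPE" "$d"
        printf 'restorecon -R -v "%s"\n' "$d"
    done
}

# Dry run by default: print the commands for review. "apply" executes them
# (needs root and the policycoreutils-python / semanage tooling installed).
main() {
    if [ "${1:-dry-run}" = "apply" ]; then
        fcontext_commands | sh -e
    else
        fcontext_commands
    fi
}

main "$@"
```

Run it once without arguments to review the generated semanage and restorecon lines, then with `apply` as root. Afterwards `ls -Z` on the archive's html directory should show httpd_sys_script_rw_t, and a later `restorecon -R` will keep it that way because the rule lives in the policy rather than only on the inode.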
On Thu, 2018-06-28 at 09:34 +0000, John Salter wrote:
> Hi All,
> There's just been an exchange on the eprints-uk-user-group mailing
> list, where someone was having issues getting EPrints up and running.
> The root cause was SELinux.
>
> On this page:
> http://wiki.eprints.org/w/Installing_EPrints_on_RHEL/Fedora/CentOS#Using_SELinux
> there is some advice - but it doesn't seem to cover any of the
> directories that things like the Bazaar would need access to (e.g.
> ~/lib/plugins/).
> It also doesn't include [eprintspath]/archives/[repoid]/html/ - which
> means summary-pages fail to be written when an http request causes
> them to be regenerated.
>
> This message (from 2015)
> http://threader.ecs.soton.ac.uk/lists/eprints_tech/21145.html
> suggests granting r/w permission for the whole eprints install
> directory (/usr/share/eprints/).
>
> Is this the most sensible option?
> Should e.g. ~/perl_lib, ~/bin, ~/cgi be more locked down?
>
> Cheers,
> John
>
> PS There is also this note:
> http://wiki.eprints.org/w/Troubleshooting#A_Note_on_SELinux - but
> that references EPrints2 - so probably a little outdated.
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: http://www.eprints.org/tech.php/
> *** EPrints community wiki: http://wiki.eprints.org/
> *** EPrints developers Forum: http://forum.eprints.org/