selinux compatibility (rhel4)

revolution

Guest
hi,

anybody using plesk 7.5.4 on rhel4 with selinux left as targeted and enforcing? any problems? any additions/changes you have to offer for your selinux policies? i'd rather not just disable/permissive it as some have suggested around the forums unless there was absolutely no way around it. (that is, if i didn't have time to figure out what policies to change.)

i just tried an install of 7.5.4 on a fresh centos 4.2 (admittedly not rhel 4.0 which the plesk rpms were for) and noticed this message during the rpm install of plesk:

"Security-Enhanced Linux is activated with a custom policy, and no Plesk specific rules were found. This may cause problems in Plesk functioning."

but so far with my playing around with plesk things seem okay. i think the only selinux-related entries i see in /var/log/messages are things that started out that way having to do with audit.

anyone care to share their experiences? tia.
 
i won't be trying rhel4 w/ selinux on a live installation for another few days to a few weeks, probably. but, in my searching before for other people who had tried i had found this:

http://radcom.ir/weblog/Hamid/archive/2005/11/07/10866.aspx

the author of that blog suggests the following policy changes:
# setsebool -P named_write_master_zones=1
# setsebool -P named_disable_trans=1
# setsebool -P httpd_disable_trans=1
# setsebool -P mysqld_disable_trans=1
at this point i don't know enough about selinux to say how much one loses with regards to selinux enforcing of named, apache and mysql with those. i would guess the answer is a lot. i was hoping plesk would come out with 7.5.5 for linux very soon with some policies of their own so we can see what the customer complaints to them resulted in. the author of that blog also said this:
Unfortunately the installer of the current version of Plesk doesn't set SELinux booleans correctly. This issue is fixed for the next version of Plesk, which is targeted for release in December 2005.
 
so it turns out i got to setup a live server with rhel4 last night. it was at ev1 and i noticed on their rhel4 image they turn off selinux altogether in /etc/selinux/config --- they probably would lose so much money in support costs at this point if they left it on that it was never an option for them.

anyways, i turned it on (SELINUX=enforcing) and it seems that one extra boolean that needs to be set is:

# setsebool -P syslogd_disable_trans=1

otherwise plesk can't write to /usr/local/psa/var/log (and possibly elsewhere?). this can probably be easily fixed with some additional policy, but i have yet to have a chance to really learn anything about selinux.

oh, the other thing i noticed is that the booleans in the post above that i quoted had a typo in the page i took them from, which i've corrected in that post. it should be mysqld_disable_trans not mysql_disable_trans.

my hope is that sw-soft would do the smart thing and hire redhat or some redhat selinux person to write the custom policies to make everything work 100% without turning off which daemons get enforced. for something so new and easily screw-up-able, it seems to me the smartest thing to do, as opposed to doing nothing or trying to do it in-house. i have a bad feeling they will instead not support selinux officially for a year or more. i guess we'll see... please prove me wrong, sw-soft.
 
i was still getting these in /var/log/messages after my earlier policy changes:

kernel: audit(1135631397.797:13): avc: denied { getattr } for pid=30639 comm="rndc" name="rndc.conf" dev=sda5 ino=3702923 scontext=root:system_r:ndc_t tcontext=root:object_r:named_zone_t tclass=file

i found that i also had to do the following to allow plesk to handle the dns stuff properly (though i didn't test exactly what worked and didn't, plesk wasn't able to restart bind and i was getting selinux errors in the log files):

edit the file /etc/selinux/targeted/contexts/files/file_contexts and add the following (for example, add it right below the existing section for rndc, don't remove or change any of the existing lines, just add these new ones):

Code:
/var/named/run-root/etc/rndc.*  --      system_u:object_r:named_conf_t
/var/named/run-root(/.*)?         system_u:object_r:named_conf_t
/var/named/run-root/dev/null   -c system_u:object_r:null_device_t
/var/named/run-root/dev/random -c system_u:object_r:random_device_t
/var/named/run-root/dev/zero -c   system_u:object_r:zero_device_t
/var/named/run-root/etc(/.*)?     system_u:object_r:named_conf_t
/var/named/run-root/etc/rndc.key  -- system_u:object_r:dnssec_t
/var/named/run-root/var/run/named.* system_u:object_r:named_var_run_t
/var/named/run-root/var/tmp(/.*)? system_u:object_r:named_cache_t
/var/named/run-root/var/named(/.*)?       system_u:object_r:named_zone_t
/var/named/run-root/var/named/slaves(/.*)? system_u:object_r:named_cache_t
/var/named/run-root/var/named/data(/.*)? system_u:object_r:named_cache_t
/var/named/run-root/var/named/named\.ca   --      system_u:object_r:named_conf_t

and then set the context (or whatever the term is) of the /var/named/run-root directory and all of its contents:

restorecon -Rv /var/named/run-root

that seems to have gotten rid of my plesk errors about restarting bind and the selinux getattr errors showing up in /var/log/messages for rndc.

an explanation of why: plesk is using a symlink from /etc/rndc.conf to a file in /var/named/run-root that doesn't have a file context defined. plesk is also using /var/named/run-root but there are only contexts defined for bind being chroot'd in the /var/named/chroot directory.
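An added example, not part of the thread and not a Plesk or Red Hat tool: a small POSIX shell helper that condenses AVC denial lines of the RHEL4 /var/log/messages form shown above into "who was denied what on which type", so the source domain, target type, class and permission are clear before any boolean is flipped or any file context is added. The function names and the sample log lines are constructed for the example; the first sample line mirrors the rndc denial quoted above.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from syslog-style lines.
# Nothing here is Plesk's or SW-soft's own code.

# Constructed sample log lines. The first mirrors the rndc denial
# quoted in the thread; the others are made up to show a second
# source domain, a second object class and a multi-permission denial.
SAMPLE_AVC='Dec 26 21:09:57 host kernel: audit(1135631397.797:13): avc: denied { getattr } for pid=30639 comm="rndc" name="rndc.conf" dev=sda5 ino=3702923 scontext=root:system_r:ndc_t tcontext=root:object_r:named_zone_t tclass=file
Dec 26 21:10:02 host kernel: audit(1135631402.101:14): avc: denied { read } for pid=30639 comm="rndc" name="rndc.conf" dev=sda5 ino=3702923 scontext=root:system_r:ndc_t tcontext=root:object_r:named_zone_t tclass=file
Dec 26 21:10:05 host kernel: audit(1135631405.330:15): avc: denied { write add_name } for pid=30701 comm="syslogd" name="log" dev=sda5 ino=4100021 scontext=root:system_r:syslogd_t tcontext=root:object_r:var_t tclass=dir'

# avc_summary: read log lines on stdin, print one line per denial as
#   <comm> <source type> -> <target type> <class> { <perms> }
# The type is taken as the third colon-separated field of each
# context, so the same pattern still works if a later release appends
# an MLS level (":s0") after the type.
avc_summary() {
  sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *} .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 -> \4 \5 { \1 }/p'
}

# avc_by_domain: count denials per source domain, sorted by domain,
# to see which daemon's policy is the one actually being hit.
avc_by_domain() {
  avc_summary | awk '{ c[$2]++ } END { for (d in c) print d, c[d] }' | sort
}

# Wrappers over the constructed sample so the result can be inspected
# (or asserted on) without reading a real /var/log/messages.
summary_of_sample() { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }
domains_of_sample() { printf '%s\n' "$SAMPLE_AVC" | avc_by_domain; }

# On a real RHEL4 box the input would come from the log instead:
#   grep 'avc: *denied' /var/log/messages | avc_summary
```

The summary line for the rndc denial reads `rndc ndc_t -> named_zone_t file { getattr }`, which is exactly the mismatch the file_contexts additions above resolve: rndc's domain expects its config under named_conf_t, not named_zone_t.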
 