Hiawatha version: www-servers/hiawatha-9.5 USE="cache ipv6 rewrite ssl xslt -debug -monitor -rproxy -tomahawk"
Operating System: Gentoo Linux (hardened/linux/amd64/selinux)
Good day,
I am new to both Hiawatha and SELinux. After carefully reading documentation of both of them, I entered a bug report with a modification to the httpd policy.
Basically, the profile modification only consisted of changing some file contexts to make hiawatha run in the httpd_t type domain:
/etc/hiawatha(/.*)? all files system_u:object_r:httpd_config_t
/usr/bin/ssi-cgi regular file system_u:object_r:httpd_exec_t
/usr/sbin/cgi-wrapper regular file system_u:object_r:httpd_exec_t
/usr/sbin/hiawatha regular file system_u:object_r:httpd_exec_t
/usr/sbin/wigwam regular file system_u:object_r:httpd_exec_t
/var/lib/hiawatha(/.*)? all files system_u:object_r:httpd_var_lib_t
/var/log/hiawatha(/.*)? all files system_u:object_r:httpd_log_t
Now we have stumbled upon a glitch. Hiawatha seems to want to change the permissions of the work directory /var/lib/hiawatha every time, even if the permissions are already correct. Now, the policy maintainer of Gentoo does not call it a real bug, but "it's not nice".
- Now, we could loosen up the policy to allow httpd_t to do this kind of action, but probably this is not going to happen
- The maintainer suggests creating a specific hiawatha boolean, but this will complicate things for end users
- I would like to ask you: is it really necessary to change the permissions at every start, or can it be dealt with after a check?
I guess this bug is similar to
https://www.hiawatha-webserver.org/forum/topic/459/#3552, which is having the same issues with apparmor.
The Gentoo bug report and discussion can be found at:
https://bugs.gentoo.org/show_bug.cgi?id=513362