Setting up SELinux Policy to Allow TWiki

SELinux is a set of security policies that run in addition to the traditional Linux system of file permissions. This is what I did to get it to allow TWiki to run. It is a compilation of the information from the following pages:

First, install TWiki as normal up until it is time to run configure. You can try running it, but Apache will not serve anything and you will get a permission denied error (only the Apache test page will show without error).

Next, make sure that you have the correct policy sources and SELinux tools installed. This will vary with distribution, but on Fedora Core 6 I needed to install the following packages:

  • checkpolicy
  • selinux-policy-devel

1. Create a temporary directory, and change into it.

$ mkdir foo
$ cd foo

2. Create empty te, if, and fc files.

$ touch twiki.te twiki.if twiki.fc

3. Edit the twiki.te file, adding appropriate content. For example:

policy_module(twiki, 1.0)
require {
        type httpd_sys_script_exec_t;
        type sbin_t;
        type tmp_t;
        type ls_exec_t;
        type httpd_tmp_t;
        type httpd_sys_script_t;
}
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
allow httpd_sys_script_t ls_exec_t:file getattr;
allow httpd_sys_script_t sbin_t:file getattr;
allow httpd_sys_script_t tmp_t:lnk_file read;
allow httpd_sys_script_t httpd_tmp_t:file { r_file_perms unlink write };

4. Build the policy module.

$ make -f /usr/share/selinux/devel/Makefile
Compliling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/twiki.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to tmp/twiki.mod
Creating targeted local.pp policy package
rm tmp/twiki.mod.fc tmp/twiki.mod

5. Become root, and install the policy module with semodule.

$ su
Password:
# semodule -i twiki.pp
# exit

6. Now we set the SELinux permissions for the TWiki files using the commands below (in order). If you are using a different root directory for your TWiki installation, then you will need to modify the /var/www/ parts of these commands to match.

# chcon -R -u system_u -t httpd_sys_content_t /var/www/twiki
# chcon -R -t httpd_sys_script_exec_t /var/www/twiki/bin /var/www/twiki/templates /var/www/twiki/lib
# chcon -R -t httpd_sys_script_rw_t /var/www/twiki/data /var/www/twiki/pub

Apache should now be able to serve the TWiki pages and run configure, but it won't be able to write the changes to twiki/bin/Locallib.cfg. It is best to enable such write access only temporarily, and the easiest way to do this is with the setenforce command.

  1. setenforce 0 (switch SELinux to permissive mode: denials are still logged, but no longer enforced).
  2. Point your browser to http://localhost/twiki/bin/configure and make your configuration changes.
  3. setenforce 1 (switch SELinux back to enforcing mode).
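The allow lines in a .te file like the one in step 3 are normally derived from the AVC denials that SELinux logs (audit.log or /var/log/messages) while the CGI scripts run, for example during the permissive-mode window above. As an added example that is not part of the original page, this Python script turns constructed denial lines into allow rules in the format twiki.te uses, merging permissions per source type, target type and class the way audit2allow does, and keeps only rules for the one domain we are actually fixing (httpd_sys_script_t) so a stray denial from another domain cannot sneak an unrelated grant into the module. (The page's twiki.te additionally uses the r_file_perms macro for the read set; this script emits raw permission names.)

```python
import re
from collections import defaultdict

# Constructed sample denials, in the shape SELinux writes them for Apache CGI
# scripts running under httpd_sys_script_t. The last line is from a different
# source domain and must not end up in the module.
SAMPLE_AVC = """\
type=AVC msg=audit(1164700000.123:45): avc:  denied  { read } for  pid=2345 comm="view" name="bin" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir
type=AVC msg=audit(1164700000.456:46): avc:  denied  { write } for  pid=2345 comm="view" name="twiki_sess" dev=dm-0 ino=22222 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1164700000.789:47): avc:  denied  { unlink } for  pid=2345 comm="view" name="twiki_sess" dev=dm-0 ino=22222 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1164700001.001:48): avc:  denied  { getattr } for  pid=2346 comm="view" path="/bin/ls" dev=dm-0 ino=33333 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ls_exec_t:s0 tclass=file
type=AVC msg=audit(1164700001.002:49): avc:  denied  { search } for  pid=1111 comm="httpd" name="data" dev=dm-0 ino=44444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_rw_t:s0 tclass=dir
"""

# The MLS level (":s0") is optional, so this also parses logs from targeted
# policies without MLS such as Fedora Core 6.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)(?::\w+)?\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)(?::\w+)?\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def allow_rules(rules, source_type="httpd_sys_script_t"):
    """Render 'allow' lines for one source domain only (least privilege)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != source_type:
            continue
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_AVC))))
```

Paste the printed lines under the require block of twiki.te, add a `type` line for each new target type, and rebuild with step 4.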

Congratulations! You are done and everything should work together nicely now. Of course you will need to finish off your install by registering yourself as a user (and an administrator) and tailoring your TWiki to have the look and feel that you want.

Disclaimer: I am not an SELinux expert and do not guarantee that this results in a completely secure system. That said, since SELinux policies run in addition to normal file permissions, I can't see how it could be any worse than running without SELinux. -- BenWatts - 28 Nov 2006

-- Contributors: BenWatts

Discussion

When I try to run semodule -i twiki.pp I am getting:

libsepol.permission_copy_callback: Module twiki depends on permission setkeycreate in class process, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Can you tell the solution? I am using Fedora Core 5. I am expecting your reply.

-- BaskarNamazhwar - 18 Dec 2006

Please ask support questions in the Support web.

-- PeterThoeny - 19 Dec 2006

I found that the LatexModePlugin has problems under this setup. Not sure of the details just yet, but plan to update the page once I get time to figure the issue out.

-- BenWatts - 25 Jul 2007

Topic revision: r5 - 2007-07-25 - BenWatts