selinux

RHEL6 – How to Setup an Anonymous Download Only FTP Server

/ Christopher Paquin / Leave a comment

Sticker,375x360A while back I spit out a post on how to configure an anonymous ftp server that allowed uploads and downloads, which you can find here.

Its a very exciting read and will tell you everything that you need to know to get you up and running with an anonymous ftp server. However those instructions are specifically for a server that allows anonymous uploads as well as downloads. So today we are going to go over only the steps for anonymous download, which is actually much easier.

Basic Install & Configuration

So first lets install vsftp.

# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on

Then edit /etc/vsftp/vsftpd.conf and make sure that the following line is uncommented.

anonymous_enable=YES

You should also be aware of the following configuration directive. By setting local enable to no in /etc/vsftp/vsftpd.conf, you disallow local Unix users access to ftp, which ensures that your ftp server is truly anonymous only.

local_enable=no

Now restart vsftpd and you should be in business

Testing Anonymous Download

To test ftp you need an ftp client, which can be installed via yum as seen below.

yum -y install ftp

Then you should be able to ftp to localhost like as seen below and get a file. Note that an anonymous login does not a password

# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,170,125).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 30 15:37 pub
-rw-r–r–    1 0        0               0 Aug 30 15:39 test2
-rw-r–r–    1 0        0               0 Aug 30 15:38 testfile
226 Directory send OK.
ftp> get test2

The same test executed as root ( a local user) should fail as seen below.

# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): root
530 This FTP server is anonymous only.
Login failed.
ftp>

Unix File Permissions and SELinux

One of the things that can ruin your day when it comes to getting and ftp server up and running is SELinux. However when setting up an anonymous download ftp server using the default ftp root directory you don’t actually need to change anything.

By default your ftp root directory is going to be /var/ftp/, and its SELinux context and default perms are going to be as seen below.

drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp

Here the default context is public_content_t which by allows reads but not writes, and the default Unix perms allow reads and not writes.

Changing Default FTP Root Directory

If you wanted to change anonymous vsftp to use a different root directory (other than /var/ftp) you would need to add the following line to /etc/vsftpd/vsftpd.conf. In the example below I am setting my new ftp root to /shared/ftp

anon_root=/shared/ftp

You are also going to need to asign the correct SELinux file context (public_content_t) to your new directory.

# semanage fcontext -a -t public_content_t “/shared/ftp(/.*)?”

# restorecon -vvFR /shared/ftp

Configuration Differences Between Anon Upload and Download

So as I stated above its actually a bit easier to configure an anonymous download only ftp server, than it is to configure it to allow uploads as well.  This section for reference only, my post on configuring anonymous upload and download ftp server can be reference here.

First you will need to assign a different SELinux context. Its public_content_rw_t not public_content_t.

# semanage fcontext -a -t public_content_rw_t ‘/var/ftp(/.*)’

# restorecon -vvFR /var/ftp

You will also need to fiddle with SELinux booleans

# setsebool -P allow_ftpd_anon_write=1

And we are also going to want to change the Unix permissions on our ftp root directory. Here we are changing group ownership to ftp and setting the setgid bit.

# chgrp ftp /var/ftp/
# chmod 2760 /var/ftp

Good luck and try not to break anything.

RHEL6 – SELinux Troubleshooting II: Electric Boogaloo

/ Christopher Paquin / Leave a comment

Little_Miss_Trouble_by_Percyfan94So a good while back I posted an article on how to troubleshoot SELinux violations and after reviewing that article as part of a troubleshooting exercise, I realized that I left out a few details. Needless to say my original article was not as clear as it should be. Anyway I wanted to use up a few more bytes of the internet to clarify.

When the package setroubleshoot-server is installed, SELinux violations will be sent to /var/log/messages, which makes it fairly easy to troubleshoot SELinux issues.

So first lets install setroubleshoot and all its parts

# yum install setroubleshoot*

In my case on RHEL6, the following packages were installed

setroubleshoot-plugins-3.0.40-1.el6.noarch
setroubleshoot-server-3.0.47-3.el6_3.x86_64
setroubleshoot-3.0.47-3.el6_3.x86_64

Note that the setroubleshoot-server is the one that you need to troubleshoot via the command line.

Now lets generate a violation. In this case I am just dropping a file with the wrong selinux context into /var/www/html and am trying to access it.

# touch /root/file3 && cp /root/index.html /var/www/html/file3

Check the context if you must to make sure that its not correct for httpd content. In this case you can see that it is not.

# ls -lZ /var/www/html/file3
-rwxrwxrwx. root root system_u:object_r:admin_home_t:s0 /var/www/html/file3

Now start Apache and try to access the file via elinks or a browser. You will get a Forbidden error, which I have omitted below.

# elinks -dump http://localhost/file3

Note that you may need to restart auditd if your message does not show up in the messages file.

Aug 11 17:08:39 vfatmin01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/file3. For complete SELinux messages. run sealert -l 5a413022-af89-4222-b055-0cc1edc4bbad

Note: You will also find a the same error in /var/log/audit/audit.log, albeit in a bit less friendly format.

type=AVC msg=audit(1344719319.890:7196): avc:  denied  { getattr } for  pid=6765 comm=”httpd” path=”/var/www/html/file3″ dev=dm-1 ino=656718 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Anyway back to the error from the messages file. At the end of the error you are shown the UUID of the error and the sealert command to run to get more information on the error.

# sealert -l 5a413022-af89-4222-b055-0cc1edc4bbad

Output below:

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/file3.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/file3 default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/file3

Wow, sealert actually tells you why the file is being blocked and the commands that you should run to fix the problem. Nice!

RHEL6 -Configuring Apache Name-Based Virtual Hosts the Quick and Easy Way

/ Christopher Paquin / Leave a comment

Ghost_with_a_cellephone_cartoon_TVirtual Hosts allow you to serve up content for more then one website from one Apache instance. In named-based virtual hosting, multiple web sites all point back to one server with one ip address. Apache itself determines which site to serve up depening on the hostname used to reach the site.

Honestly is sounds more exciting than it is.

Note that before we get started you will need to have a DNS entry for both the domain names that you plan to use. In my case my primary webserver is my hostname and the virtual server is a CNAME.

Install Apache

First lets install and configure Apache to start at boot.

#  yum -y  install httpd && chkconfig httpd on && service httpd start

Configure Selinux

Ok lets make a directory for our virtual server under /var/www2

In order to keep things as simple as possible, I am going to configure SELinux now.  As you can see the original web directory of /var/www/ has a different context then our new directory of /var/www2

# ls -dZ /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www

# ls -dZ /var/www2
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0   /var/www2

So now we must change the context for /var/www2 to match /var/www

# semanage fcontext -a -t httpd_sys_content_t ‘ /var/www2

# restorecon -Rv ‘/var/www2

Ok now thats we have done that lets create some content for our webservers

For testing purposes, I am going to create an index.html in /var/www/html  that contains the text “fatmin01.mydomain”. This will be useful for testing.

Now lets create the directory /var/www2 for our second virtual host. Inside this directory we create an index.html that contains the text “fatmin02.mydomain”.

Because of the fact that we configured SELinux first, any file of directory created under /var/www2 will inherit the SELinux context of its parent directory. What does this mean? Well in a nut shell we dont have to worry about the permissions on our new index.html that we created above.

Configure Apache

Now we etc /etc/http/conf/httpd.conf. Make sure that the following line is uncommented. Its near the bottom of the file.

NameVirtualHost *:80

Now add the two sections below. One fo each virtual server.

<VirtualHost *:80>
ServerName fatmin01.mydomain
DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
ServerName fatmin02.mydomain
DocumentRoot /var/www2/html
</VirtualHost>

Boom – Now restart apache and test.

RHEL6 – Using Semanage and Restorecon to Modify SELinux File Contexts

/ Christopher Paquin / Leave a comment

Potty TrainingOk, how to keep this simple? Lets see…

Semanage:

Ok, semanage, when used with the fcontext argument, is used to define SELinux file contexts for file. It basically adds the new definition to the file,  /etc/selinux/targeted/contexts/files/file_contexts.

For example lets say that I create a new file called /root/foobar.

Using the command below I can see the default context that is assigned to a file created in /root

# ls -lZ foobar
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 foobar

Now lets say that I want to change the context of this file to public_content_t.  The first step to accomplish this is to define its new context.

# semanage fcontext -a -t public_content_t /root/foobar

Restorecon:

Now that the context type is defined we need to actually modify the current context of our file. So now you run restorecon against the file to actually make the change. Note: use -v for verbose.

# restorecon -v /root/foobar

restorecon reset /root/foobar context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:public_content_t:s0

Chcon:

There is also a command called chcon, that can also be used to change the defined context for a file. However I advise against using it as changes made using chcon will not survive a filesystem relabel. What is a filesystem relabel? Well according to wiki.centos.org, a relabel is defined below.

“Sometimes it is necessary to relabel the complete filesystem although this should only be necessary when enabling SELinux after it has been disabled or when changing the SELinux policy from the default targeted policy to strict.”

 

RHEL6 – Display and Modify SELinux Modes

/ Christopher Paquin / Leave a comment

There are three basic commands that you can use to display and modify SELinux modes. They are as follows

  • getenforce

  • setenforce

  • sestatus

The first two are installed as part of the package, libselinux-utils. The sestatus is installed as part of policycoreutils.

Setenforce will enable or disable SELinux temporarily. Use 0 to disable and 1 to enable as shown below.

#setenforce 0
#setenforce 1

If you need need your change to be persistent across reboots edit /etc/selinux/config.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Getenforce is used to query your SELinux Status as seen below

[root@vpaquin01 selinux]# getenforce 
Enforcing

Sestatus give you the same information as getenforce but in a bit more detail

[root@vpaquin01 selinux]# /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted


RHEL6 – How to Setup an Anonymous FTP Server

/ Christopher Paquin / 1 Comment


tow-truck-driver-cartoon-character-final-coghillToday on the fatmin we are going to setup an ftp server on RHEL6 that accepts anonymous uploads. We are going to do so with SELinux support and will be making modifications to iptables as well. Sounds fun, right?

Installation:

First and formost we need to install vsftpd

# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on

Our anonymous upload directory will be /var/ftp/anon, and we need to change group ownership to the ftp group and then change permissions so that the members of that group can write to it. Note that no one other than root can read or execute anything under /var/ftp/anon.

# chgrp ftp /var/ftp/anon
# chmod 730 /var/ftp/anon
# ls -ld /var/ftp/anon
drwx-wx—. 3 root ftp 4096 Oct 19 13:34 /v1

SELinux Support:

Next we need to configure SELinux support and assign the correct context to the /v1 directory and its future contents. Note -a is add -t is type.

# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’

Now lets go ahead and apply the new context. Note -vv is verbose, -F force and R is recursive

# restorecon -vvFR /var/ftp/anon

Now we need to get and set the allow_ftpd_anon_write boolean

# setsebool -P allow_ftpd_anon_write=1

Now lets check to make sure the setting “stuck”.

# getsebool -a | grep allow_ftpd_anon_write
allow_ftpd_anon_write –> on

Configure Vsftpd:

Now vi /etc/vsftpd/vsftpd.conf and ensure that the following configuration values are set and un-commented. Note that I had to add the last line to my config file.

anonymous_enable=YES

anon_upload_enable=YES

chown_uploads=YES

chown_username=daemon

anon_umask=077

Configure iptables:

Add the following to /etc/sysconfig/iptables-config. In my case I only needed to add the ip_nat_ftp part to the line

IPTABLES_MODULES=”nf_conntrack_ftp ip_nat_ftp”

Now you are going to want to make sure that these two lines exist in /etc/sysconfig/iptables.

-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp –dport 21 -j ACCEPT

Now restart iptables

Addendum:

Note that I ran into issues with the semanage command below.

# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’

It seems that the context assigned to the /var/ftp/anon directory was not changing correctly from public_content_t to public_content_rw_t.

# ls -Zd /var/ftp
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 /var/ftp

However when I checked the file_contexts file all looked correct.

# cat /etc/selinux/targeted/contexts/files/file_contexts.local/var/ftp/anon(/.*)    system_u:object_r:public_content_rw_t:s0

So I ran the chon command seen below and did not run the restorecon command. This worked as afterwards the context on the directory /var/ftp/anon was correct.

# chcon -R -t public_content_rw_t /var/ftp/anon

 

RHEL6 — Troubleshooting SELinux Violations

/ Christopher Paquin / Leave a comment

Sad_face1Dear Reader: Welcome to my third and not final installment on SELinux. The first two can be read here and here. They are exciting reads and are sure to have you on the edge of your seat.

Anyway, the best way to implement SELinux sucessfully is to know how to troubleshoot when things aren’t going your way. If you panic at the first sign of trouble, you are just going to end up turning off SELinux and not reap the rich rewards that it will bring you in life. Now that I have convinced you to run SELinux lets get started.

First install the package setroubleshoot, which will send SELinux messages to our messages file.

yum -y install setroubleshoot-server.x86_64

Now you can search the messages file for SELinux Violations. Use sealert -l UUID to find information on a specific incident, or sealert -a  /var/log/audit.log to search an entire log file for violations.

In this specfic example, I created a test file and dropped it in /var/www/html, however I did not set the context to httpd_sys_content_t, then i attempted to view the file in a browser. Obviously access was denied. The output of sealert shows me the error and then tells me how to fix it.

Summary:

SELinux is preventing /usr/sbin/httpd “getattr” access to /var/www/html/file3.

Detailed Description:

SELinux denied access requested by httpd. /var/www/html/file3 may be a
mislabeled. /var/www/html/file3 default SELinux type is httpd_sys_content_t, but
its current type is admin_home_t. Changing this file back to the default type,
may fix your problem.

…TRUNCATED…

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon ‘/var/www/html/file3’, if this file is a
directory, you can recursively restore using restorecon -R
‘/var/www/html/file3’.

Fix Command:

/sbin/restorecon ‘/var/www/html/file3’

Boom goes the dynomite! Problem solved.