EPrints Technical Mailing List Archive


Message: #07343



Re: [EP-tech] CentOS / SELinux


Hi John,

So I think there is a happy medium but my experience is that people do not like spending forever battling SELinux, so someone has not come up with a comprehensive list.  I can add in a few more options to allow read/write for Bazaar plugin installation.  I would suggest:

chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/lib/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/bin/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/cgi/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/cfg/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/html/
chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/var/

I am surprised archive level var and html are not already there, as I have to reckon that Apache would certainly create a lot of files in the latter and there are admin options that need to be able to update timestamp files in the archive's var directory.

If you have meprints you would also need:

chcon -R -h -t httpd_sys_script_rw_t [eprintspath]/archives/[archivename]/meprints/

It may be easier to allow the whole archive directory but if you have an ssl directory with a key in it, you certainly would not want to leave open any way for Apache to be able to overwrite this.  As the Bazaar can install new bin and cgi scripts, unfortunately you cannot lock down these directories at an archive level.  The cgi directory would be slightly easier to exploit, as the bin directory would rely on a cron job existing that runs the script or a command line user running it by hand.

That all said, it is probably sensible to use semanage rather than chcon, so that the rules persist, otherwise if restorecon is run all these rules would be lost.

Regards

David Newman


On Thu, 2018-06-28 at 09:34 +0000, John Salter wrote:
Hi All,
There's just been an exchange on the eprints-uk-user-group mailing list, where someone was having issues getting EPrints up and running. The root cause was SELinux.
 
On this page:
http://wiki.eprints.org/w/Installing_EPrints_on_RHEL/Fedora/CentOS#Using_SELinux
there is some advice - but it doesn't seem to cover any of the directories that things like the Bazaar would need access to (e.g. ~/lib/plugins/).
It also doesn't include [eprintspath]/archives/[repoid]/html/ - which means summary-pages fail to be written when an http request causes them to be regenerated.
 
This message (from 2015) http://threader.ecs.soton.ac.uk/lists/eprints_tech/21145.html suggests granting r/w permission for the whole eprints install directory (/usr/share/eprints/).
 
Is this the most sensible option?
Should e.g. ~/perl_lib, ~/bin, ~/cgi be more locked down?
 
Cheers,
John
 
PS There is also this note: http://wiki.eprints.org/w/Troubleshooting#A_Note_on_SELinux - but that references EPrints2 - so probably a little outdated.
*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/
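David's closing point, semanage rather than chcon so the labels survive a restorecon, as an added example for this thread (not a script from EPrints, the list or either poster): it records the read/write directories from the reply as persistent file-context rules and deliberately leaves archives/[archivename]/ssl/ alone. EPRINTS_PATH, the archive id and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Persistent SELinux labelling for the EPrints directories Apache must write to,
# using semanage fcontext instead of chcon so that restorecon re-applies the
# labels rather than wiping them. Added example for this thread, not a script
# from EPrints or the list. EPRINTS_PATH and the archive id are placeholders
# supplied by the caller; DRY_RUN=1 prints the commands instead of running them.

EPRINTS_PATH="${EPRINTS_PATH:-/usr/share/eprints}"
RW_TYPE="httpd_sys_script_rw_t"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The read/write directories from the reply above, listed one by one so that
# archives/<id>/ssl/ (which may hold a private key) keeps its read-only label.
# Pass "meprints" as the second argument to include that directory too.
eprints_rw_dirs() {
    archive="$1"
    printf '%s\n' \
        "$EPRINTS_PATH/lib" \
        "$EPRINTS_PATH/archives/$archive/bin" \
        "$EPRINTS_PATH/archives/$archive/cgi" \
        "$EPRINTS_PATH/archives/$archive/cfg" \
        "$EPRINTS_PATH/archives/$archive/html" \
        "$EPRINTS_PATH/archives/$archive/var"
    if [ "$2" = "meprints" ]; then
        printf '%s\n' "$EPRINTS_PATH/archives/$archive/meprints"
    fi
}

# "(/.*)?" makes each rule cover the directory and everything beneath it (the
# equivalent of chcon -R), and the rule lives in the local policy, so a later
# restorecon re-applies it. Use "semanage fcontext -m" to change a rule that
# was already added with -a.
apply_eprints_fcontext() {
    archive="$1"
    eprints_rw_dirs "$archive" "$2" | while IFS= read -r dir; do
        run semanage fcontext -a -t "$RW_TYPE" "${dir}(/.*)?"
    done
    run restorecon -Rv "$EPRINTS_PATH/lib" "$EPRINTS_PATH/archives/$archive"
    # Show what the policy now assigns; ssl/ should not report the rw type.
    run matchpathcon "$EPRINTS_PATH/archives/$archive/html" \
        "$EPRINTS_PATH/archives/$archive/ssl"
}
```

Run it once as root per archive (`apply_eprints_fcontext myrepo`, or `apply_eprints_fcontext myrepo meprints`); with `DRY_RUN=1` it only prints the commands it would run.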