Difference between revisions of "EPrints and SELinux"

(Fixed libreoffice link)
(eprints.te)
Line 108: Line 108:
 
  /opt/eprints3/site_lib/bin/tools/stitchPDFs    unconfined_u:object_r:httpd_sys_script_exec_t:s0
 
  /opt/eprints3/site_lib/bin/tools/stitchPDFs    unconfined_u:object_r:httpd_sys_script_exec_t:s0
  
=== eprints.te ===
+
  module eprints 1.2;
  module eprints 1.0;
+
 
 
 
  require {
 
  require {
 
         type cgroup_t;
 
         type cgroup_t;
 +
        type fusefs_t;
 +
        type http_port_t;
 
         type httpd_sys_content_t;
 
         type httpd_sys_content_t;
 
         type httpd_sys_rw_content_t;
 
         type httpd_sys_rw_content_t;
Line 118: Line 119:
 
         type httpd_sys_script_t;
 
         type httpd_sys_script_t;
 
         type httpd_t;
 
         type httpd_t;
 +
        type init_t;
 +
        type modules_object_t;
 +
        type mysqld_db_t;
 +
        type mysqld_etc_t;
 +
        type mysqld_t;
 +
        type mysqld_var_run_t;
 +
        type nrpe_t;
 
         type shadow_t;
 
         type shadow_t;
         class file { getattr open read };
+
        type smtp_port_t;
 +
        type unconfined_service_t;
 +
        type var_run_t;
 +
        class dir { add_name create getattr open read remove_name rmdir search setattr write };
 +
         class file { create execute execute_no_trans getattr ioctl map open read rename unlink write };
 +
        class lnk_file { getattr read };
 +
        class sock_file { write };
 +
        class tcp_socket{ name_connect };
 +
        class unix_stream_socket { connectto };
 
  }
 
  }
 
   
 
   
  # Only need for coversheets, considering commenting out otherwise.
+
  # Required by the HTTP webserver
  allow httpd_t cgroup_t:file { getattr open read };
+
allow httpd_t http_port_t:tcp_socket { name_connect };
 +
allow httpd_t httpd_sys_content_t:dir { add_name create remove_name setattr write };
 +
allow httpd_t httpd_sys_content_t:file { create rename unlink write };
 +
allow httpd_t smtp_port_t:tcp_socket { name_connect };
 +
allow httpd_t unconfined_service_t:dir { getattr };
 +
 +
# Requiired by init processes
 +
allow init_t httpd_sys_content_t:file { create execute execute_no_trans ioctl open read };
 +
allow init_t httpd_sys_rw_content_t:dir { add_name remove_name };
 +
allow init_t httpd_sys_rw_content_t:file { ioctl open read unlink write };
 +
allow init_t mysqld_t:unix_stream_socket { connectto };
 +
 +
# Required for Icinga NRPE checks
 +
allow nrpe_t httpd_sys_content_t:dir { read };
 +
allow nrpe_t httpd_sys_content_t:file { getattr };
 +
allow nrpe_t httpd_sys_rw_content_t:dir { search };
 +
allow nrpe_t httpd_sys_rw_content_t:file { getattr open read };
 +
allow nrpe_t modules_object_t:dir { search };
 +
allow nrpe_t modules_object_t:file { getattr };
 +
allow nrpe_t modules_object_t:lnk_file { getattr read };
 +
allow nrpe_t mysqld_t:unix_stream_socket { connectto };
 +
allow nrpe_t mysqld_db_t:dir { search };
 +
allow nrpe_t mysqld_etc_t:dir { getattr open read search };
 +
  allow nrpe_t mysqld_etc_t:file { getattr open read };
 +
allow nrpe_t mysqld_var_run_t:sock_file { write };
 +
 +
# Only needed for coversheets, considering commenting out otherwise.
 
  allow httpd_t shadow_t:file { getattr open read };
 
  allow httpd_t shadow_t:file { getattr open read };
 +
 +
# Only needed for Shibboleth authentication, consider commenting out otherwise.
 +
allow httpd_t var_run_t:sock_file { write };
 +
 +
# Only needed for SSH FuseFS
 +
allow httpd_t fusefs_t:dir { add_name create read remove_name rmdir setattr write };
 +
allow httpd_t fusefs_t:file { create getattr ioctl map open read rename unlink write };
  
 
=== redo.sh ===
 
=== redo.sh ===
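Review bot: The new rule `allow httpd_t httpd_sys_content_t:file { create rename unlink write };` (together with the `dir` rule just above it) lets the web server modify files under the label that this page's own eprints.fc reserves for read-only content, which removes the read-only/read-write split that httpd_sys_rw_content_t exists to express. A tighter fix is to find which paths produced the denial, relabel just those as httpd_sys_rw_content_t in eprints.fc, and drop the two rules; if they must stay, a comment naming the triggering paths would let a later maintainer narrow them. The same concern applies to `allow init_t httpd_sys_content_t:file { create execute execute_no_trans ioctl open read };`, which grants init_t both creation and execution of web content in one rule. The new comment `# Requiired by init processes` also has a typo and should read `# Required by init processes`.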

Revision as of 18:22, 4 August 2022

This page is intended to provide a rough set of instructions for how to get a CentOS 7 system set up with SELinux enforcing so that EPrints 3.4 (with site_lib) runs without any issues. This guidance will be applicable to other versions of CentOS as well as RHEL and Fedora. Furthermore, it may be applicable for enabling SELinux on other Linux operating systems.

N.B. All commands described below need to be run as the root user or using sudo.

Apache Configuration

  • Set the httpd user and group to Apache (rather than eprints, as is currently used on our hosted CentOS 7 VMs) in /etc/httpd/conf/httpd.conf.
# In /etc/httpd/conf/httpd.conf: run the web server as the apache user and group (rather than eprints)
User apache
Group apache

System Users and Groups

  • Add eprints to the apache group and apache to the eprints group (so that /etc/group for these looks something like the following, order does not matter):
apache:x:48:eprints
eprints:x:1000:apache

Changing Directory Permissions and SELinux Contexts

In general when a new EPrints root is deployed in /opt/eprints3/ this directory has been set up to have eprints as its owner and group with permissions set to 2775 (drwxrwsr-x). This should generally ensure that all subdirectories will share the same permissions when checked out from SVN/Git and all files will get the permissions 0664 (-rw-rw-r--). If directories or files do not have at least these permissions (with the exception of any SSL keys) then these permissions should be added. svn:executable should be set on appropriate files so that when they are checked out they have 0775 (-rwxrwxr-x) permissions.

What will need to be changed are the SELinux contexts of various directories. This is the list compiled so far of the changes required. It is assumed the commands are run from the /opt/eprints3/ directory:

# Relabel the EPrints tree for httpd; run from /opt/eprints3/.
# chcon changes do not survive a relabel (restorecon); the eprints.fc module further down makes them persistent.

# Read-only web content.
for dir in archives flavours ingredients site_lib; do
    chcon -R -t httpd_sys_content_t "${dir}/"
done

# Subtrees httpd must be able to write to (applied after the read-only pass so they take effect).
for dir in archives/ARCHIVENAME/cfg archives/ARCHIVENAME/documents archives/ARCHIVENAME/html archives/ARCHIVENAME/var lib tmp var; do
    chcon -R -t httpd_sys_rw_content_t "${dir}/"
done

Setting SELinux Booleans

You will definitely need to modify the following SELinux boolean so that Apache (httpd) is able to send email:

# -P makes the setting persistent across reboots
setsebool -P httpd_can_sendmail 1

Unless you are running an absolutely vanilla repository you will almost certainly need to allow Apache (httpd) to connect to the network:

# Broad boolean: lets httpd open outbound network connections (the LDAP and remote-database cases below rely on this)
setsebool -P httpd_can_network_connect 1

In particular this should allow EPrints to connect to LDAP to authenticate user logins and allow connecting to remote databases. There are also the following options for these two things, but httpd_can_network_connect should be sufficient.

# Narrower alternatives (LDAP authentication, remote databases); httpd_can_network_connect above already covers both
setsebool -P httpd_can_connect_ldap 1
setsebool -P httpd_can_network_connect_db 1

By default the following booleans for httpd should be set on:

httpd_enable_cgi
httpd_builtin_scripting
httpd_graceful_shutdown

There is no need to turn any of these off. However, httpd_builtin_scripting is probably not needed as ModPerl uses httpd_enable_cgi, which definitely should not be turned off. Having httpd_graceful_shutdown on is useful for reloading Apache after making changes to the EPrints configuration.

Extra settings for OpenOffice/Coversheets

This assumes switching to use packaged LibreOffice and UNO converter as detailed here.

  • The following changes are needed so that httpd can execute things for coversheets:
# Label the PDF stitching script so httpd may execute it (the same label is given in eprints.fc below)
chcon -t httpd_sys_script_exec_t "/PATH/TO/stitchPDFs"
# Needed so the coversheet conversion can run under httpd; -P persists the boolean
setsebool -P httpd_execmem 1
  • Ensure the httpd can manage TCP port 2002 that OpenOffice listens on:
# Register TCP port 2002 (the OpenOffice listener used in the invocation line below) as http_port_t so httpd may connect to it
semanage port -a -t http_port_t -p tcp 2002
  • Add executables and invocation lines for openoffice to /opt/eprints3/EPrints/SystemSettings.pm
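# In the 'executables' hash: name => path to the binary
'openoffice' => '/usr/lib64/libreoffice/program/soffice.bin',
# In the 'invocation' hash: name => command template; $(openoffice) expands to the executable path set above
'openoffice' => '$(openoffice) "-accept=socket,host=localhost,port=2002;urp;StarOffice.ServiceManager" -norestore -nofirststartwizard -nologo -headless',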


  • Make sure $ENV{'HOME'} as well as $ENV{'TMPDIR'} are set to /opt/eprints3/tmp/ in the appropriate session.pl

Extra settings for MePrints

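# Label the MePrints directory read-write for httpd; -R (as in the Testing section) relabels anything already inside it too
chcon -R -t httpd_sys_rw_content_t "/opt/eprints3/archives/ARCHIVENAME/meprints"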

Testing

I have tested and have been able to successfully install the following Bazaar plugins:

  • Dates, Dates, Dates
  • Generic Reporting Framework
  • IRStats2
  • RIOXX2
  • REFCC (hefce_oa)
  • Coversheets
  • OpenOffice
  • MePrints

However there are some issues with OpenOffice saying it is running when it is not, and as a result soffice.bin cannot actually be started. You can upload a frontfile.odt file as a coversheet and this will get stored under cfg/static/coversheets/ in the archive.

If you install MePrints you subsequently need to create archives/ARCHIVENAME/meprints directory and then run:

# Recursive relabel so files already under meprints/ are covered as well
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/meprints/

Otherwise, the above Bazaar plugins need to be tested to make sure they are fully functional, along with other functionality of the repository such as: the phrase editor, "edit this page", storage manager, subjects editor, send test email, etc.

Policy file

First install the following packages:

# checkpolicy provides checkmodule (used by redo.sh); policycoreutils-python provides semanage (used above)
yum install checkpolicy policycoreutils-python

Then put all these files under /home/eprints/policy/

eprints.fc

# SELinux file contexts for EPrints

# Read-only web content (httpd_sys_content_t); matches the chcon list earlier on the page.
/opt/eprints3/archives(/.*)?                    unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/flavours(/.*)?                    unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/ingredients(/.*)?                 unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/site_lib(/.*)?                    unconfined_u:object_r:httpd_sys_content_t:s0
# Subtrees httpd may write to (httpd_sys_rw_content_t); intended to take precedence over the broader archives(/.*)? entry above.
# NOTE(review): archives/*/bin and archives/*/cgi are not in the chcon list earlier on the page -- confirm httpd really needs write access to them.
/opt/eprints3/archives/[^/]*/bin(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/cfg(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/cgi(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/documents(/.*)?    unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/html(/.*)?         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/var(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/lib(/.*)?                         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/tmp(/.*)?                         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/var(/.*)?                         unconfined_u:object_r:httpd_sys_rw_content_t:s0
# PDF stitching script that httpd may execute (coversheets, see the OpenOffice/Coversheets section).
/opt/eprints3/site_lib/bin/tools/stitchPDFs     unconfined_u:object_r:httpd_sys_script_exec_t:s0
# eprints.te -- SELinux type enforcement module for EPrints on CentOS 7 with SELinux enforcing.
# Built together with eprints.fc into the eprints.pp package by redo.sh below.
# Every type and class/permission used in an allow rule must be declared in the require block first.
module eprints 1.2;
require {
        type cgroup_t;
        type fusefs_t;
        type http_port_t;
        type httpd_sys_content_t;
        type httpd_sys_rw_content_t;
        type httpd_sys_script_exec_t;
        type httpd_sys_script_t;
        type httpd_t;
        type init_t;
        type modules_object_t;
        type mysqld_db_t;
        type mysqld_etc_t;
        type mysqld_t;
        type mysqld_var_run_t;
        type nrpe_t;
        type shadow_t;
        type smtp_port_t;
        type unconfined_service_t;
        type var_run_t;
        class dir { add_name create getattr open read remove_name rmdir search setattr write };
        class file { create execute execute_no_trans getattr ioctl map open read rename unlink write };
        class lnk_file { getattr read };
        class sock_file { write };
        class tcp_socket{ name_connect };
        class unix_stream_socket { connectto };
}

# Required by the HTTP webserver
# http_port_t includes TCP 2002 once the semanage port command above has been run.
allow httpd_t http_port_t:tcp_socket { name_connect };
# NOTE(review): the next two rules let httpd_t modify files under httpd_sys_content_t, the label eprints.fc
# uses for read-only content. Relabelling the specific paths that need writes as httpd_sys_rw_content_t in
# eprints.fc would keep the read-only/read-write split intact; record which paths triggered these if they stay.
allow httpd_t httpd_sys_content_t:dir { add_name create remove_name setattr write };
allow httpd_t httpd_sys_content_t:file { create rename unlink write };
allow httpd_t smtp_port_t:tcp_socket { name_connect };
allow httpd_t unconfined_service_t:dir { getattr };

# Required by init processes
# NOTE(review): this grants init_t both creation and execution of web content in one rule -- worth narrowing if the denial can be pinned to specific files.
allow init_t httpd_sys_content_t:file { create execute execute_no_trans ioctl open read };
allow init_t httpd_sys_rw_content_t:dir { add_name remove_name };
allow init_t httpd_sys_rw_content_t:file { ioctl open read unlink write };
allow init_t mysqld_t:unix_stream_socket { connectto };

# Required for Icinga NRPE checks
allow nrpe_t httpd_sys_content_t:dir { read };
allow nrpe_t httpd_sys_content_t:file { getattr };
allow nrpe_t httpd_sys_rw_content_t:dir { search };
allow nrpe_t httpd_sys_rw_content_t:file { getattr open read };
allow nrpe_t modules_object_t:dir { search };
allow nrpe_t modules_object_t:file { getattr };
allow nrpe_t modules_object_t:lnk_file { getattr read };
allow nrpe_t mysqld_t:unix_stream_socket { connectto };
allow nrpe_t mysqld_db_t:dir { search };
allow nrpe_t mysqld_etc_t:dir { getattr open read search };
allow nrpe_t mysqld_etc_t:file { getattr open read };
allow nrpe_t mysqld_var_run_t:sock_file { write }; 

# Only needed for coversheets, considering commenting out otherwise.
# NOTE(review): shadow_t is the label of /etc/shadow, so this lets the web server process read the
# system password hashes; leave it commented out unless coversheets are actually in use.
allow httpd_t shadow_t:file { getattr open read };

# Only needed for Shibboleth authentication, consider commenting out otherwise.
allow httpd_t var_run_t:sock_file { write };

# Only needed for SSH FuseFS
allow httpd_t fusefs_t:dir { add_name create read remove_name rmdir setattr write };
allow httpd_t fusefs_t:file { create getattr ioctl map open read rename unlink write };

redo.sh

After running it, be sure to run "restorecon -R" on "/opt/eprints3/" and "/opt/openoffice.org3/":

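#!/bin/bash
# Rebuild and install the eprints SELinux policy module from eprints.te and eprints.fc.
# Run from the directory holding those files (/home/eprints/policy/). Afterwards run
# "restorecon -R" on /opt/eprints3/ and /opt/openoffice.org3/ so the file contexts are applied.

# Stop at the first failing step so a broken .te never leads to semodule being run on a missing or stale package.
set -eu

rm -f eprints.mod eprints.pp

# Build the policy package (.pp) file from type enforcement (.te) and file contexts (.fc) files.
checkmodule -M -m -o eprints.mod eprints.te
semodule_package -o eprints.pp -m eprints.mod -f eprints.fc

# Install it.
semodule -i eprints.pp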