EPrints and SELinux

From EPrints Documentation
Revision as of 16:08, 20 May 2020 by Drn@ecs.soton.ac.uk (talk | contribs) (Added page about SELinux with EPrints)

This page gives a rough set of instructions for getting a CentOS 7 system set up with SELinux enforcing so that EPrints 3.4 (with site_lib) runs without any issues. This guidance should be applicable to other versions of CentOS as well as RHEL and Fedora, and may also be useful for enabling SELinux on other Linux operating systems.

Apache Configuration

  • Set the httpd user and group to apache (rather than eprints, as is currently used on our hosted CentOS 7 VMs) in /etc/httpd/conf/httpd.conf:
User apache
Group apache

System Users and Groups

  • Add eprints to the apache group and apache to the eprints group, so that the entries in /etc/group look something like the following (the order of the members does not matter):
apache:x:48:eprints
eprints:x:1000:apache

Changing Directory Permissions and SELinux Contexts

In general, when a new EPrints root is deployed in /opt/eprints3/ this directory is set up with eprints as its owner and group and with permissions 2775 (drwxrwsr-x). The setgid bit should ensure that all subdirectories share the same group when checked out from SVN/Git, and files get the permissions 0664 (-rw-rw-r--). If directories or files do not have at least these permissions (with the exception of SSL keys) then these permissions should be added. svn:executable should be set on the appropriate files so that they have 0775 (-rwxrwxr-x) permissions when checked out. Note that because apache is a member of the eprints group, these file permissions on their own let the web server write to everything under the tree; it is the SELinux labels below (httpd_sys_content_t is read-only for httpd) that actually restrict what Apache can modify, which is one reason to keep SELinux enforcing.

What will need to be changed are the SELinux contexts of various directories. This is the list compiled so far of the changes required; it is assumed the commands are run from the /opt/eprints3/ directory. Note that chcon only changes the labels on the files as they are now: a relabel (restorecon, or a filesystem relabel at boot) resets them to whatever the installed policy says, so for a permanent setup the file contexts should also be recorded in a policy module such as the one at the end of this page.

chcon -R -t httpd_sys_content_t archives/
chcon -R -t httpd_sys_content_t flavours/
chcon -R -t httpd_sys_content_t ingredients/
chcon -R -t httpd_sys_content_t site_lib/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/cfg/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/documents/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/html/
chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/var/
chcon -R -t httpd_sys_rw_content_t lib/
chcon -R -t httpd_sys_rw_content_t tmp/
chcon -R -t httpd_sys_rw_content_t var/

Setting SELinux Booleans

You will definitely need to modify the SELinux boolean that allows Apache (httpd) to send email:

setsebool -P httpd_can_sendmail 1

Unless you are running an absolutely vanilla repository you will almost certainly need to allow Apache (httpd) to connect to the network:

setsebool -P httpd_can_network_connect 1

In particular this allows EPrints to connect to LDAP to authenticate user logins and to connect to remote databases. The two narrower booleans below cover just those cases. httpd_can_network_connect is sufficient on its own, but it permits httpd to open a TCP connection to any port on any host, so if LDAP and the database are the only remote services EPrints needs, the narrower booleans are the safer choice:

setsebool -P httpd_can_connect_ldap 1
setsebool -P httpd_can_network_connect_db 1

By default the following httpd booleans are already on:

httpd_enable_cgi
httpd_builtin_scripting
httpd_graceful_shutdown

Leave all three on. httpd_enable_cgi is what allows httpd to run files labelled httpd_sys_script_exec_t (such as the stitchPDFs helper used for coversheets below) and definitely must not be turned off. httpd_builtin_scripting governs interpreters embedded in the httpd process, which is how mod_perl runs EPrints, so it should be left on as well. Having httpd_graceful_shutdown on is useful for reloading Apache after making changes to the EPrints configuration.
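As an added check (this script is not part of the EPrints documentation or project), the following audits a host against the booleans and file labels described on this page. It assumes EPrints is installed under /opt/eprints3 and that paths contain no spaces; the getsebool and find output it parses is constructed sample data embedded in the script so that it runs offline. The label rules follow the file context list in the policy file section further down this page, which also marks each archive's bin and cgi directories as read-write.

```shell
#!/bin/bash
# Added example, not part of the EPrints project: audit a host against the
# SELinux booleans and file labels described on this page. Each check reads
# tool output on stdin, so it can be exercised offline with the constructed
# samples below. On a real host:
#   getsebool -a | booleans_off
#   find /opt/eprints3 -printf '%Z %p\n' | mislabelled_paths
# Assumptions: EPrints lives under /opt/eprints3 and paths contain no spaces.

EPRINTS_ROOT=/opt/eprints3

# Booleans this page turns on, plus the three it expects to be on already.
REQUIRED_BOOLEANS="httpd_can_sendmail httpd_can_network_connect httpd_enable_cgi httpd_builtin_scripting httpd_graceful_shutdown"

# stdin: "getsebool -a" lines of the form "name --> on".
# stdout: every required boolean that is off or absent. Returns 1 if any.
booleans_off() {
    local all name state rc=0
    all=$(cat)
    for name in $REQUIRED_BOOLEANS; do
        state=$(printf '%s\n' "$all" | awk -v n="$name" '$1 == n { print $3 }')
        if [ "$state" != "on" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Expected SELinux type of a path under $EPRINTS_ROOT, following the file
# context list on this page. Prints nothing for paths the list does not cover.
# (Glob matching is slightly looser than the regexes in eprints.fc: "*" also
# spans "/", which only matters for oddly nested directory names.)
expected_type() {
    local rel=${1#"$EPRINTS_ROOT"}
    rel=${rel#/}
    case "$rel" in
        site_lib/bin/tools/stitchPDFs) echo httpd_sys_script_exec_t ;;
        archives/*/bin|archives/*/bin/*|archives/*/cfg|archives/*/cfg/*|archives/*/cgi|archives/*/cgi/*) echo httpd_sys_rw_content_t ;;
        archives/*/documents|archives/*/documents/*|archives/*/html|archives/*/html/*|archives/*/var|archives/*/var/*) echo httpd_sys_rw_content_t ;;
        lib|lib/*|tmp|tmp/*|var|var/*) echo httpd_sys_rw_content_t ;;
        archives|archives/*|flavours|flavours/*|ingredients|ingredients/*|site_lib|site_lib/*) echo httpd_sys_content_t ;;
    esac
}

# stdin: "find ... -printf '%Z %p\n'" lines ("context path").
# stdout: "path actual-type expected-type" for each covered path whose type
# is wrong. Returns 1 if any.
mislabelled_paths() {
    local ctx path actual want rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        actual=${ctx#*:*:}     # drop "user:role:"
        actual=${actual%%:*}   # keep the type, drop ":s0"
        if [ "$actual" != "$want" ]; then
            echo "$path $actual $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output (not captured from a real host).
SAMPLE_BOOLEANS='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_graceful_shutdown --> on'

SAMPLE_LABELS='unconfined_u:object_r:httpd_sys_content_t:s0 /opt/eprints3/archives/demo/cfg/cfg.d
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /opt/eprints3/archives/demo/html/en
unconfined_u:object_r:usr_t:s0 /opt/eprints3/site_lib/bin/tools/stitchPDFs
unconfined_u:object_r:httpd_sys_content_t:s0 /opt/eprints3/flavours/pub_lib
system_u:object_r:lib_t:s0 /usr/lib64/libreoffice/program/soffice.bin'

# Demo over the samples: reports httpd_can_network_connect, the cfg directory
# that is still read-only and the unlabelled stitchPDFs helper.
if printf '%s\n' "$SAMPLE_BOOLEANS" | booleans_off; then echo "booleans: ok"; fi
if printf '%s\n' "$SAMPLE_LABELS" | mislabelled_paths; then echo "labels: ok"; fi
```

Once the policy module from the end of this page is installed, `restorecon -nvR /opt/eprints3` is the simpler label check: it lists every file whose label differs from the policy without changing anything.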

Extra settings for OpenOffice/Coversheets

This assumes switching to use packaged LibreOffice and UNO converter as detailed here.

  • The following changes are needed so that httpd can execute things for coversheets. httpd_execmem allows httpd to use memory mappings that are both writable and executable, which weakens the protection against code-injection exploits, so only set it if the converter actually fails without it:
chcon -t httpd_sys_script_exec_t "/PATH/TO/stitchPDFs"
setsebool -P httpd_execmem 1
  • Ensure that httpd can use TCP port 2002, which OpenOffice listens on (if the port is already assigned to another type, semanage refuses -a and you need -m instead):
semanage port -a -t http_port_t -p tcp 2002
  • Add the executable path and invocation line for openoffice to /opt/eprints3/EPrints/SystemSettings.pm. The path goes in the executables hash and the command line (which refers to it as $(openoffice)) in the invocation hash:
'executables' => {
        'openoffice' => '/usr/lib64/libreoffice/program/soffice.bin',
},
'invocation' => {
        'openoffice' => '$(openoffice) "-accept=socket,host=localhost,port=2002;urp;StarOffice.ServiceManager" -norestore -nofirststartwizard -nologo -headless',
},


  • Make sure $ENV{'HOME'} and $ENV{'TMPDIR'} are both set to /opt/eprints3/tmp/ in the appropriate session.pl (tmp/ is one of the directories labelled httpd_sys_rw_content_t above, so httpd is allowed to write there).

Extra settings for MePrints

chcon -t httpd_sys_rw_content_t "/opt/eprints3/archives/ARCHIVENAME/meprints"

Testing

I have tested and have been able to successfully install the following Bazaar plugins:

  • Dates, Dates, Dates
  • Generic Reporting Framework
  • IRStats2
  • RIOXX2
  • REFCC (hefce_oa)
  • Coversheets
  • OpenOffice
  • MePrints

However, there are some issues with OpenOffice saying it is running when it is not and, as a result, not being able to get soffice.bin actually running. You can upload a frontfile.odt file as a coversheet and this will get stored under cfg/static/coversheets/ in the archive.

If you install MePrints you subsequently need to create the archives/ARCHIVENAME/meprints directory and then run:

chcon -R -t httpd_sys_rw_content_t archives/ARCHIVENAME/meprints/

Otherwise, the above Bazaar plugins need to be tested to make sure they are fully functional, along with other functionality of the repository such as: the phrase editor, "edit this page", the storage manager, the subjects editor, send test email, etc.

Policy file

First install the following packages (on CentOS/RHEL 8 and later the semanage tools are in policycoreutils-python-utils rather than policycoreutils-python):

yum install checkpolicy policycoreutils-python

Then put all these files under /home/eprints/policy/

eprints.fc

# SELinux file contexts for EPrints

/opt/eprints3/archives(/.*)?                    unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/flavours(/.*)?                    unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/ingredients(/.*)?                 unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/site_lib(/.*)?                    unconfined_u:object_r:httpd_sys_content_t:s0
/opt/eprints3/archives/[^/]*/bin(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/cfg(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/cgi(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/documents(/.*)?    unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/html(/.*)?         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/archives/[^/]*/var(/.*)?          unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/lib(/.*)?                         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/tmp(/.*)?                         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/var(/.*)?                         unconfined_u:object_r:httpd_sys_rw_content_t:s0
/opt/eprints3/site_lib/bin/tools/stitchPDFs     unconfined_u:object_r:httpd_sys_script_exec_t:s0

eprints.te

module eprints 1.0;

require {
        type httpd_t;
        type cgroup_t;
        type httpd_sys_content_t;
        type httpd_sys_rw_content_t;
        type httpd_sys_script_exec_t;
        type httpd_sys_script_t;
        type shadow_t;
        class file { getattr open read };
}

# Only needed for coversheets; consider commenting out otherwise.
allow httpd_t cgroup_t:file { getattr open read };
# Caution: this lets the web server (and anything that compromises it) read
# the password hashes in /etc/shadow. Keep it only if an AVC denial on
# shadow_t is confirmed to break something you need.
allow httpd_t shadow_t:file { getattr open read };
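Allow rules like the two above are normally derived from AVC denials with audit2allow. As an added illustration (this script is not part of the EPrints project or its documentation), the following does the same derivation in awk over constructed audit lines that correspond to the two eprints.te rules, and then flags any candidate rule whose target is a type that should never be granted to httpd without review. The audit lines are made up to match the real format, not captured from a host; the only sensitive type listed is shadow_t.

```shell
#!/bin/bash
# Added example, not EPrints project code: turn raw AVC denials into candidate
# allow rules (what audit2allow does) and flag any that should not be accepted
# without thought. On a real host, after reproducing the failure:
#   ausearch -m AVC -ts recent | avc_to_allow | review_rules
# The audit lines below are constructed to correspond to the two rules in
# eprints.te; they are not captured from a real system.

# Target types an httpd_t rule should never quietly include. shadow_t is
# /etc/shadow; extend the list as needed.
SENSITIVE_TYPES="shadow_t"

# stdin: audit log lines. stdout: one "allow S T:C { perms };" per
# (source type, target type, class) in first-seen order, permissions merged
# and de-duplicated. Lines that are not AVC denials are ignored.
avc_to_allow() {
    awk '
    /avc: +denied +[{]/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t ":" c
        if (!(key in rules)) { keys[++n] = key; rules[key] = "" }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) {
            if ((key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            rules[key] = rules[key] " " p[j]
        }
    }
    END { for (i = 1; i <= n; i++) printf "allow %s {%s };\n", keys[i], rules[keys[i]] }'
}

# stdin: allow rules. stdout: each rule whose target type is in
# SENSITIVE_TYPES, prefixed "REVIEW:". Returns 1 if any were flagged.
review_rules() {
    local rule target t rc=0
    while read -r rule; do
        set -- $rule               # allow <source> <target>:<class> { ... };
        target=${3%%:*}
        for t in $SENSITIVE_TYPES; do
            if [ "$target" = "$t" ]; then
                echo "REVIEW: $rule"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed denials (real format, made-up pids/inodes), one SYSCALL line
# mixed in to show that non-AVC records are skipped.
SAMPLE_AVC='type=AVC msg=audit(1589984000.101:301): avc:  denied  { read } for  pid=2101 comm="httpd" name="cpu.cfs_quota_us" dev="cgroup" ino=8 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1589984000.101:301): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1589984000.102:302): avc:  denied  { getattr open } for  pid=2101 comm="httpd" path="/sys/fs/cgroup/cpu/cpu.cfs_quota_us" dev="cgroup" ino=8 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589984000.250:303): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev="dm-0" ino=1966 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Demo: prints the two candidate rules, then flags the shadow_t one.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
if printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | review_rules; then
    echo "no sensitive targets"
fi
```

The point of the review step is that a denial is evidence of what the process tried to do, not proof that it should be allowed: an httpd_t read of shadow_t is exactly the kind of access a confined web server exists to prevent, so the underlying cause (which component reads /etc/shadow, and why) is worth finding before the rule goes into eprints.te.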

redo.sh

After running it, be sure to run "restorecon -R" on "/opt/eprints3/" and "/opt/openoffice.org3/" so that the file contexts from eprints.fc are applied ("restorecon -nvR" first will show what would change without changing anything):

#!/bin/bash
# Stop at the first failing step so a broken .te does not get installed.
set -e

rm -f eprints.mod eprints.pp

# Build the policy package (.pp) file from the type enforcement (.te) and file contexts (.fc) files.
checkmodule -M -m -o eprints.mod eprints.te
semodule_package -o eprints.pp -m eprints.mod -f eprints.fc

# Install it.
semodule -i eprints.pp