OTRS and SELinux

SELinux is an important security component of a Linux system, and a default installation starts it in Enforcing mode. However, many OTRS installation guides tell you one thing: SELinux is not supported, and they ask you to switch SELinux into the looser Permissive mode, which reports security events but does not actually block the security problems that should not be happening. Everyone knows that the highest principle of security is always to grant only the most appropriate, minimal permissions on your system!! So, out of curiosity, I started looking for a way to make OTRS and SELinux coexist.

After Googling, the clearest write-up is this one: http://gergely.polonkai.eu/blog/2013/5/6/installing-otrs-in-fedora-18-with-selinux-enabled/

That article holds back a little. First, it has a small mistake: httpd_script_exec_t is wrong there; it should be httpd_sys_script_exec_t. Second, it does not spell out which directories need to inherit the httpd_sys_rw_content_t label in full; it only points out that you can use the "/opt/otrs/(/.*)?" syntax to make all the subdirectories underneath inherit it, otherwise you would be labelling directories one by one until you pass out. If you follow that article alone, I believe you will still see a FATAL ERROR warning when starting OTRS and will not be able to get into OTRS at all. (PS: do everything that article says first, then add my supplement below.)

From my own experience (my environment is CentOS 7 with OTRS 5.0.3, currently the latest version), the following directories must also be opened up; the commands are:

semanage fcontext -a -t httpd_sys_rw_content_t "/opt/otrs/var/tmp(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/otrs/var/httpd/htdocs/js/js-cache(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/otrs/var/httpd/htdocs/skins/Agent/default/css-cache(/.*)?"

Once those commands are done, run this one:

restorecon -Rv /opt/otrs

After that an error message appeared complaining that it could not connect to the MySQL database; this just needs one more command:

setsebool httpd_can_network_connect_db=1

And with that, it's done!! Screenshots attached deliberately, because pictures don't lie; note that the time in the lower right corner of each one is the same.

[Screenshot MWSnap018, 2015-11-08 21:18:12]

Current time 9:18 PM, SELinux mode is Enforcing.

[Screenshot MWSnap019, 2015-11-08 21:18:43]

Current time 9:18 PM, successfully logged in to OTRS.

Note: in case that article disappears from the web some day, it is reproduced below for reference. The following article is reproduced from http://gergely.polonkai.eu/blog/2013/5/6/installing-otrs-in-fedora-18-with-selinux-enabled/

Installing OTRS in Fedora 18 with SELinux enabled

Gergely Polonkai
May 6, 2013 :: 08:01

I’ve read somewhere in an OTRS installation howto that if you want to install OTRS, you will have to disable SELinux. Well, I won’t. During the last few months, I have been using Fedora 18 with SELinux on all of my desktop machines and on my notebook, and I had no problems at all. Meanwhile I got familiar with SELinux itself, and got used to solving problems caused by it. So I started tail -f /var/log/httpd/error_log in one terminal (to see if any Apache related thing appears), tail -f /var/log/audit/audit.log in another (to see errors caused by SELinux), opened the admin manual at the installation chapter, took a deep breath, and went on.

Throughout this article, I will refer to OTRS 3.2.6 as OTRS and Fedora 18 (with only “stock” repositories) as Fedora. I assume that you have already installed OTRS in a non-SELinux environment before, and that you have at least some basic knowledge about SELinux, MAC, RBAC, and all the like. I’m installing OTRS in /opt/otrs, so if you install it somewhere else, you will have to modify the paths below. Also, if you happen to install under /var/www (I wouldn’t recommend it), that directory already has the httpd_sys_content_t type, so you won’t have to set it explicitly.

As the first step I have unpacked the archive to /opt/otrs. This directory is the OTRS default, many config files have it hardcoded, and changing it is no easy task. Running otrs.CheckModules.pl gave me a list of missing perl modules. Red Hat and Fedora make it easy to install these, as you don’t have to know the RPM package name, just the perl module name:

yum install 'perl(Crypt::SSLeay)' \
            'perl(DBD::Pg)' \
            'perl(GD)' \
            'perl(JSON::XS)' \
            'perl(GD::Text)' \
            'perl(GD::Graph)' \
            'perl(Mail::IMAPClient)' \
            'perl(Net::DNS)' \
            'perl(PDF::API2)' \
            'perl(Text::CSV_XS)' \
            'perl(YAML::XS)'

I also needed to install mod_perl. Although otrs.CheckModules.pl didn’t mention it, the default settings use syslog as the logging module, so unless you change it in Config.pm, you will also need to install 'perl(Unix::Syslog)', too.

The default SELinux policy doesn’t permit any network connection to be initiated by Apache httpd. As OTRS needs to connect to its database, you need to enable it explicitly. In older distributions, the httpd_can_network_connect was the SELinux boolean for this, but recent installations also have a httpd_can_network_connect_db flag. As far as I know, this enables all network connections to the well-known database servers’ default port, but I will have to check for it. For me, with a MySQL listening on its standard port, the setsebool httpd_can_network_connect_db=1 command just did it.

With SELinux enabled, Apache won’t be able to read anything that’s not marked with the httpd_sys_content_t type, nor write anywhere without the httpd_sys_rw_content_t type. The trivial, quick and dirty solution is to label all the files as httpd_sys_rw_content_t, and let everything go. However, the goal of SELinux is just the opposite of this: grant access only to what is really needed. After many trial-and-error steps, it finally turned out that for OTRS to work correctly, you must set

  • httpd_sys_content_t
    • on /opt/otrs/var/httpd/htdocs
  • httpd_script_exec_t
    • on /opt/otrs/bin/cgi-bin
  • httpd_sys_rw_content_t
    • on /opt/otrs/Kernel
    • on /opt/otrs/var/sessions
    • on /opt/otrs/var/log (unless you use syslog for logging)
    • on /opt/otrs/var/packages (this is used only when you download an .opm package)
    • on /opt/otrs/var/stats
    • on /opt/otrs/var/tmp
    • on /opt/otrs/bin (I wonder why this is required, though)

To do this, use the following command:

# semanage fcontext -a -t <context> <directory regex>

Where <directory regex> is something like /opt/otrs/Kernel(/.*)?. When this is done, all you have to do is to run restorecon -vR /opt/otrs so it will relabel everything with the correct types (you can omit -v, I just like to see what my software does).

The last thing I faced is that Fedora is more restrictive on reading directories other than /var/www. It has a Require all denied on <Directory />, and a Require all granted on <Directory /var/www>, so /opt/otrs/var/httpd/htdocs will throw a 403 Forbidden (client denied by server configuration) error. To get rid of this, I had to modify scripts/apache2-httpd.include.conf and add Require all granted to both the cgi-bin and htdocs directories.

As I will have to use OTRS in a production environment soon with SELinux enabled, it is more than sure that this list will change in the near future. As there is no official documentation on this (I haven’t found one yet), I have to do it the trial-and-error way, so be patient!
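As an added example that is neither this blog's nor Gergely Polonkai's code, the whole procedure from both posts consolidated into one idempotent script: the linked article's label list with the httpd_sys_script_exec_t correction noted at the top of this page, the three CentOS 7 / OTRS 5 cache directories, the relabel, the database boolean, and a matchpathcon check at the end. It assumes the policycoreutils tools (semanage, restorecon, setsebool, matchpathcon) are installed and that OTRS lives in /opt/otrs (override with OTRS_ROOT).

```shell
#!/bin/sh
# Added example (not from either post): apply the combined OTRS label set,
# relabel, open the DB boolean, then verify. Needs semanage, restorecon,
# setsebool, matchpathcon. No argument = dry run; "apply" as root = do it.
OTRS_ROOT="${OTRS_ROOT:-/opt/otrs}"
# One "type regex" per line. Broader regexes come before the more specific
# ones beneath them (bin before bin/cgi-bin, htdocs before its cache dirs).
otrs_fcontext_rules() {
    cat <<EOF
httpd_sys_content_t $1/var/httpd/htdocs(/.*)?
httpd_sys_rw_content_t $1/var/httpd/htdocs/js/js-cache(/.*)?
httpd_sys_rw_content_t $1/var/httpd/htdocs/skins/Agent/default/css-cache(/.*)?
httpd_sys_rw_content_t $1/bin(/.*)?
httpd_sys_script_exec_t $1/bin/cgi-bin(/.*)?
httpd_sys_rw_content_t $1/Kernel(/.*)?
httpd_sys_rw_content_t $1/var/sessions(/.*)?
httpd_sys_rw_content_t $1/var/log(/.*)?
httpd_sys_rw_content_t $1/var/packages(/.*)?
httpd_sys_rw_content_t $1/var/stats(/.*)?
httpd_sys_rw_content_t $1/var/tmp(/.*)?
EOF
}
# Print the commands the apply step would run; safe on any machine.
otrs_selinux_plan() {
    otrs_fcontext_rules "$1" | while read -r type regex; do
        echo "semanage fcontext -a -t $type '$regex'"
    done
    echo "restorecon -Rv '$1'"
    echo "setsebool -P httpd_can_network_connect_db on"
}
# semanage -a fails if the rule already exists, so fall back to -m (modify)
# to stay idempotent. -P keeps the boolean across reboots; the post's form
# without -P is lost at the next reboot.
otrs_selinux_apply() {
    otrs_fcontext_rules "$1" | while read -r type regex; do
        semanage fcontext -a -t "$type" "$regex" 2>/dev/null \
            || semanage fcontext -m -t "$type" "$regex"
    done
    restorecon -Rv "$1"
    setsebool -P httpd_can_network_connect_db on
    # Verify: cgi-bin must resolve to script_exec, the js cache to rw content.
    matchpathcon "$1/bin/cgi-bin/index.pl" "$1/var/httpd/htdocs/js/js-cache/x.js"
}
case "${1:-plan}" in
    apply) otrs_selinux_apply "$OTRS_ROOT" ;;
    *) otrs_selinux_plan "$OTRS_ROOT" ;;
esac
```

Run it once without arguments to review the exact commands it would issue, then `sh otrs-selinux.sh apply` as root; a path still labelled wrongly will show up in the matchpathcon output before you restart httpd.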

