
We are switching from a rhel7 webserver to Ubuntu 18.04. We currently have SELinux with file context set. We typically use this command in our rhel7 box:

chcon -R -t httpd_sys_rw_content_t /var/www/html/

I am trying to get file context setup in our Ubuntu server for AppArmor. When I run the above command in Ubuntu I get:

chcon: can't apply partial context to unlabeled file 'filename'

I have read MANY things online, and all I get is I need to change the context to unconfined_u:object_r:httpd_sys_content_t:s0, or many variations of that, but I ALWAYS get the same result. I have even switched to SELinux and got the same result too.

This is my last blocker for getting this project completed and I have spent HOURS on this one issue. Maybe I have the whole idea of AppArmor wrong, but file context should still apply - right? How can I apply the context properly?

alexander7567
  • Apparmor is not the same as selinux and personally I would not use selinux on Debian / Ubuntu. You can copy or TAR your files without selinux context, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-selinux_contexts_labeling_files-persistent_changes_semanage_fcontext . For apparmor, what problem are you having with apparmor? – Panther Jun 15 '18 at 14:43
  • @Panther I have been approved to use either. I have seen that selinux hasn't had a lot of love for a while in Ubuntu. I would use either one if I could set the context of files. To my understanding, selinux sets the context of files and basically apache can only open files tagged as httpd files. I am doing this for a PCI environment, so it has to be done. I just basically follow the above command in rhel7 and if I don't the website does not work properly because it cannot access the files because they are not tagged. I need the same in Ubuntu. – alexander7567 Jun 15 '18 at 14:54
  • If you are trying to run selinux on Ubuntu, good luck to you, as you say "selinux hasn't had a lot of love for a while". IMHO, if you are wanting selinux, stay with RHEL. If you are wanting to switch to Ubuntu, remove the selinux context from your files using the commands in "Procedure 5.9. Deleting an added Context". This should not really be necessary as ubuntu does not use selinux, but if you are having a problem go ahead and remove the context. If you are having a problem with apparmor, you need to post your apparmor profile and the errors from the logs. – Panther Jun 15 '18 at 15:02
  • @Panther I would rather use AppArmor, and we have to use Ubuntu due to CVEs in RedHat that are not being updated. The problem is, my files have NO context. I cannot set the context. I am getting the above error. I have not made any configuration changes to AppArmor minus setting it to enforcing. – alexander7567 Jun 15 '18 at 15:05
  • Apparmor does not use selinux context and you can not fix apparmor by changing or setting selinux context. Apparmor uses profiles, see https://help.ubuntu.com/lts/serverguide/apparmor.html.en . To debug apparmor see https://wiki.ubuntu.com/DebuggingApparmor . You need to post audit entries from /var/log/kern.log – Panther Jun 15 '18 at 15:13
  • All the commands you posted are from selinux, not apparmor, and thus the command you are running probably will not work at all in debian or ubuntu, nor will it fix any apparmor problem you might have. You are barking up the wrong tree. – Panther Jun 15 '18 at 15:15
  • @Panther Thanks, that is exactly what I needed to know. I just couldn't find any hard evidence online that I was. Is there any good tutorials online about configuring Apache securely with AppArmor? I have looked for that as well and have not found any. Most results are "just turn it off". – alexander7567 Jun 15 '18 at 15:17
  • It should work out of the box, but you would have to read up a bit on apparmor, the syntax is very easy, and modify the apache apparmor profile (back up the original). You can put apparmor into complain mode. The advantage of apparmor is the syntax is easier to understand, the problem is if the default does not work you are sort of on your own. – Panther Jun 15 '18 at 15:29
  • If you get stuck with apparmor, post your profile and the messages in the logs. – Panther Jun 15 '18 at 15:31
  • Thanks for all your help, maybe now that I know which direction to look, I can figure it out. If you submit an answer basically saying I'm looking at it wrong and those commands are for selinux and not apparmor, I will mark it as an answer. – alexander7567 Jun 15 '18 at 15:43
  • You may simply have a basic permissions problem. In debian / ubuntu apache runs as the user www-data, so the files need to be accessible to that user. See https://askubuntu.com/questions/46331/how-to-avoid-using-sudo-when-working-in-var-www for hints – Panther Jun 15 '18 at 15:48
  • selinux labels the file with something like user/role/file. What do you see when you enter ls -Z? I guess there won't be any label (that's why that error message). Also, just to verify that selinux is set up and enforcing, see if you get proper feedback with the getenforce & sestatus commands. Also try to stop apparmor before enabling selinux. If everything looks good then you can try running these for persistent changes: sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?" and then sudo restorecon -Rv /var/www/html – SarkarG Jun 16 '18 at 13:47
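The comments above establish the point the question missed: AppArmor confines Apache through a profile of path rules, not through labels stored on the files, so there is nothing for chcon to set. The following Python is an added illustration of that model; it is not code from the thread and not Ubuntu's shipped apache2 profile. It parses a constructed profile fragment, applies AppArmor's path-glob semantics (`*` stops at `/`, `**` crosses it, `deny` overrides allow, anything unmatched is denied) and then reads a constructed kern.log denial line of the kind Panther asks for, to show how the two are checked against each other. Owner/link/exec qualifiers, `#include` files and `[]` classes are left out of this model.

```python
import re
from dataclasses import dataclass, field


def glob_to_regex(glob: str) -> str:
    """Translate the subset of AppArmor path globbing modelled here into a regex.
    '*'  matches any run of characters except '/'
    '**' matches any run of characters including '/'
    '?'  matches a single character except '/'
    '{a,b}' matches either alternative
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if glob[i:i + 2] == '**':
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            j = glob.index('}', i)
            alts = glob[i + 1:j].split(',')
            out.append('(?:' + '|'.join(re.escape(a) for a in alts) + ')')
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return '^' + ''.join(out) + '$'


@dataclass
class FileRule:
    """One file rule, e.g. '/var/www/html/** r,' or 'deny /etc/shadow r,'."""
    glob: str
    perms: frozenset
    deny: bool
    regex: "re.Pattern" = field(init=False, repr=False)

    def __post_init__(self):
        self.regex = re.compile(glob_to_regex(self.glob))


# optional 'deny', a path glob, a permission string, trailing comma
RULE_RE = re.compile(r'^\s*(deny\s+)?(\S+)\s+([rwxmklia]+)\s*,\s*$')


def parse_profile(text: str):
    """Collect the file rules from a profile body, ignoring comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(FileRule(glob=m.group(2),
                                  perms=frozenset(m.group(3)),
                                  deny=bool(m.group(1))))
    return rules


def check_access(rules, path: str, perm: str) -> bool:
    """AppArmor semantics: an explicit deny wins, otherwise some allow rule must
    match both the path and the requested permission; nothing matched means denied."""
    if any(r.deny and perm in r.perms and r.regex.match(path) for r in rules):
        return False
    return any(not r.deny and perm in r.perms and r.regex.match(path) for r in rules)


# Constructed profile fragment in the style of an apache2 profile (hypothetical rules).
SAMPLE_PROFILE = """
  /etc/apache2/{apache2,ports}.conf r,
  /var/www/html/** r,                     # the whole docroot is readable
  /var/www/html/uploads/** rw,            # only uploads/ is writable
  /var/www/html/config/** rw,
  deny /var/www/html/config/*.php w,      # but PHP files under config/ stay read-only
  /var/log/apache2/*.log w,               # '*' does not descend into subdirectories
"""
RULES = parse_profile(SAMPLE_PROFILE)

# Constructed kern.log line in the format AppArmor emits for a refused open().
SAMPLE_DENIAL = ('audit: type=1400 audit(1529080000.123:45): apparmor="DENIED" '
                 'operation="open" profile="/usr/sbin/apache2" '
                 'name="/var/www/html/cache/page.tmp" pid=1234 comm="apache2" '
                 'requested_mask="w" denied_mask="w" fsuid=33 ouid=33')

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line: str):
    """Return the quoted key="value" fields of an AppArmor DENIED line, else None."""
    fields = dict(KV_RE.findall(line))
    return fields if fields.get('apparmor') == 'DENIED' else None


if __name__ == '__main__':
    d = parse_denial(SAMPLE_DENIAL)
    for m in d['denied_mask']:
        print(d['name'], m, 'allowed by profile:', check_access(RULES, d['name'], m))
```

Reading a denial this way gives the three facts the comments say to post: the profile name, the path, and the denied mask. If the path should be writable, the fix is a rule in the profile (followed by reloading it with apparmor_parser or aa-enforce as the Ubuntu docs describe), never a label on the file; if the path should not be writable, the denial is AppArmor doing its job. Ordinary DAC still applies on top of this: www-data must also be able to read the file under normal Unix permissions, which is the separate check Panther's last comment points at.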

0 Answers