Stop Disabling SELinux!

I see a lot of people coming by #centos and similar channels asking for help when they’re experiencing a problem with their Linux system. It amazes me how many people describe their problem, and then say something along the lines of, “and I disabled SELinux...”. Most of the time SELinux has nothing to do with the problem, and if SELinux is the cause of the problem, why would you throw out the extra security by disabling it completely rather than configuring it to work with your application? This may have made sense in the Fedora 3 days when selinux settings and tools weren’t quite as fleshed out, but the tools and the default SELinux policy have come a long way since then, and it’s very worthwhile to spend a little time to understand how to configure SELinux instead of reflexively disabling it. In this post, I’m going to describe some useful tools for SELinux and walk through how to configure SELinux to work when setting up a Drupal web site using a local memcached server and a remote MySQL database server -- a pretty common setup for sites which receive a fair amount of traffic.

This is by no means a comprehensive guide to SELinux; there are many of those already!

Too Long; Didn’t Read Version

If you’re in a hurry to figure out how to configure SELinux for this particular type of setup, on CentOS 6, you should be able to use the following two commands to get things working with SELinux:
# setsebool -P httpd_can_network_connect_db 1
# setsebool -P httpd_can_network_memcache 1

Note that if you have files existing somewhere on your server and you move them to the webroot rather than untarring them there directly, they keep the SELinux file context of the place they came from (for example, your home directory), and httpd will be denied read access to them even though the Unix permissions look fine. If you are having a related problem, you'll see something like this in your /var/log/audit/audit.log:
type=AVC msg=audit(1324359816.779:66): avc: denied { getattr } for pid=3872 comm="httpd" path="/var/www/html/index.php" dev=dm-0 ino=549169 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

You can solve this by resetting the webroot to its default file context using the restorecon command:
# restorecon -rv /var/www/html

Server Overview

I’m going to start with a CentOS 6 system configured with SELinux in targeted mode, which is the default configuration. I’m going to be using httpd, memcached, and PHP from the CentOS base repos, though the configuration wouldn’t change if you were to use the IUS PHP packages. MySQL will be running on a remote server which gives improved performance, but means a bit of additional SELinux configuration to allow httpd to talk to a remote MySQL server. I’ll be using Drupal 7 in this example, though this should apply to Drupal 6 as well without any changes.

Initial Setup

Here we will set up some prerequisites for the website. If you already have a website set up you can skip this section.

We will be using tools such as audit2allow which is part of the policycoreutils-python package. I believe this is typically installed by default, but if you did a minimal install you may not have it.
# yum install policycoreutils-python

Install the needed apache httpd, php, and memcached packages:
# yum install php php-pecl-apc php-mbstring php-mysql php-pecl-memcache php-gd php-xml httpd memcached

Start up memcached. For this test we leave the CentOS 6 default configuration alone; the default of 64M of RAM may not be enough for a production server, but it is plenty here. Since Drupal and memcached share this host, make sure memcached is only reachable on localhost (check what address it is bound to with netstat -tlnp) before exposing the server to anything untrusted: memcached has no authentication of its own.
# service memcached start

Start up httpd. You may have already configured apache for your needs; if not, the default config should be enough for the site we'll be testing.
# service httpd start

If you are using a firewall, then you need to allow at least port 80 through so that you can access the website -- I won’t get into that configuration here.

Install Drupal. I’ll be using the latest Drupal 7 version (7.9 as of this writing). Direct link:
Download the tarball, and expand it to the apache web root. I also use the --strip-components=1 argument to strip off the top level directory, otherwise it would expand into /var/www/html/drupal-7.9/
# tar zxf drupal-7.9.tar.gz -C /var/www/html --strip-components=1

Also, we need to get the Drupal site ready for install by creating a settings.php file writable by apache, and a default files directory which apache can write to. Keep in mind that Unix permissions are only half the story once SELinux is enforcing: if the installer still reports that it cannot write to these paths, look in /var/log/audit/audit.log for a write denial on them. The right fix is to label just the writable paths httpd_sys_rw_content_t (with semanage fcontext, then restorecon) rather than loosening anything for the whole webroot.
# cd /var/www/html/sites/default/
# cp default.settings.php settings.php
# chgrp apache settings.php && chmod 660 settings.php
# install -d -m 775 -g apache files

Set up a database and database user on your MySQL server for Drupal. This would be something like the following (replace web-server-ip-here with the address the web host connects from, so the grant is limited to that host):
mysql> CREATE DATABASE drupal;
mysql> GRANT ALL ON drupal.* TO drupal_rw@web-server-ip-here IDENTIFIED BY 'somepassword';

Test this out by using the mysql command line tool on the web host, pointing -h at the MySQL server and naming the drupal database:
# mysql -u drupal_rw -p -h mysql-server-ip-here drupal

That should connect you to the remote MySQL server. Be sure that is working before you proceed.

Now for the Fun Stuff

If you visit your new Drupal site at http://your-hostname-here, you'll be presented with the Drupal installation page. Click ahead a few times and enter your DB info on the Database Configuration page -- you need to expand "Advanced Options" to get to the hostname field since it assumes localhost. When you click the button to proceed, you'll probably get an unexpected error that it can't connect to your database -- this is SELinux doing its best to protect you!

Allowing httpd to Connect to a Remote Database

So what just happened? We know the database was set up properly to allow access from the remote web host, but Drupal is complaining that it can't connect. First, look in /var/log/audit/audit.log, which is where SELinux logs access denials (AVC messages). If you grep for 'httpd' in the log, you'll see something like the following:
# grep httpd /var/log/audit/audit.log
type=AVC msg=audit(1322708342.967:16804): avc: denied { name_connect } for pid=2724 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

That is telling you, in SELinux gibberish, that a process running as httpd_t (the source context, here httpd) was denied the name_connect permission on a tcp_socket whose target port is labelled mysqld_port_t -- in plain terms, apache was not allowed to open a connection to the MySQL port, 3306. For a better explanation of the denial and some potential fixes, we can use the 'audit2why' utility:
# grep httpd /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1322708342.967:16804): avc: denied { name_connect } for pid=2724 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

Was caused by:
One of the following booleans was set incorrectly.
Allow HTTPD scripts and modules to connect to the network using TCP.

Allow access by executing:
# setsebool -P httpd_can_network_connect 1
Allow HTTPD scripts and modules to connect to databases over the network.

Allow access by executing:
# setsebool -P httpd_can_network_connect_db 1

audit2why will analyze the denial message you give it and, where possible, explain ways to correct it if it is something you would like to allow. In this case, there are two built-in SELinux booleans that could be enabled for this to work. One of them, httpd_can_network_connect, will allow httpd to connect to anything on the network. This might be useful in some cases, but it is not very specific, and it would also let a compromised web application reach out to arbitrary hosts. The better option here is httpd_can_network_connect_db, which limits httpd's outbound connections to ports labelled as database ports (mysqld_port_t and friends). Run the following command to enable that setting:
# setsebool -P httpd_can_network_connect_db 1

It will take a few seconds and not output anything (the -P flag also writes the change into the persistent policy so it survives a reboot). Once that completes, go back to the Drupal install page, verify the database connection info, and click on the button to continue. Now it should connect to the database successfully and proceed through the installation. Once it finishes, you can remove apache's write access to the settings.php file:
# chmod 640 /var/www/html/sites/default/settings.php

Then fill out the rest of the information to complete the installation.

Allowing httpd to connect to a memcached server

Now we want to set up Drupal to use memcached instead of storing cache information in MySQL. You'll need to download and install the Drupal memcache module available here:
Install that into your Drupal installation, and add the appropriate entries to settings.php. For this site, I did that with the following:
# mkdir /var/www/html/sites/default/modules
# tar zxf memcache-7.x-1.0-rc2.tar.gz -C /var/www/html/sites/default/modules

Then edit settings.php and add the following two lines (cache_backends must point at the module's memcache.inc file, not just its directory):
$conf['cache_backends'][] = 'sites/default/modules/memcache/memcache.inc';
$conf['cache_default_class'] = 'MemCacheDrupal';

Now if you reload your site in your web browser, you’ll likely see a bunch of memcache errors -- just what you wanted! I bet it’s SELinux at it again! Check out /var/log/audit/audit.log again and you’ll see something like:
type=AVC msg=audit(1322710172.987:16882): avc: denied { name_connect } for pid=2721 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

That’s very similar to the last message, but this one is for a memcache port. What does audit2why have to say?
# grep -m 1 memcache /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1322710172.796:16830): avc: denied { name_connect } for pid=2721 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Was caused by:
One of the following booleans was set incorrectly.
Allow httpd to act as a relay

Allow access by executing:
# setsebool -P httpd_can_network_relay 1
Allow httpd to connect to memcache server

Allow access by executing:
# setsebool -P httpd_can_network_memcache 1
Allow HTTPD scripts and modules to connect to the network using TCP.

Allow access by executing:
# setsebool -P httpd_can_network_connect 1

Again, audit2why gives us a number of options to fix this. The best bet is to go with the smallest and most precise change for our needs. In this case there's another perfect fit: httpd_can_network_memcache, which allows httpd to connect only to ports labelled memcache_port_t. Enable that boolean with the following command:
# setsebool -P httpd_can_network_memcache 1

Success! Now httpd can talk to memcache. Reload your site a couple of times and you should no longer see any memcache errors. You can be sure that Drupal is caching in memcache by connecting to the memcache text protocol (telnet localhost 11211) and typing 'stats'. You should see some number greater than 0 for 'get_hits' and for 'bytes'. It is also worth confirming that the denials have stopped: grep audit.log for memcache_port_t again and there should be no new entries after the boolean was set.

What are all these booleans anyway?

Now we've used a couple of SELinux booleans to allow httpd to connect to memcached and MySQL. Booleans are switches built into the policy that turn a predefined, documented set of rules on or off, so they let you grant a specific extension of access without writing a policy module of your own. You can see the full list and their current state with 'getsebool -a'; 'semanage boolean -l' prints the same list along with a one-line description of each, which is handy when audit2why offers several candidates. Remember that setsebool only persists the change across reboots when you pass -P; without it the setting reverts at the next boot and the denials come back.
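Once you have followed audit2why's advice, it is worth checking that only the narrow booleans ended up on. The script below is an added example and not part of the original post; it reads getsebool output and flags the httpd network booleans the post discusses. The OK/BROAD split is this example's own judgement, following the post's point that httpd_can_network_connect and httpd_can_network_relay grant far more than a database or memcache connection needs. SAMPLE_GETSEBOOL is constructed in the format that getsebool -a prints.

```shell
# Added example, not from the original post: least-privilege check on the
# httpd_can_network_* booleans after following audit2why's suggestions.
# Real use:  getsebool -a | httpd_boolean_audit
# SAMPLE_GETSEBOOL is constructed in the "name --> on|off" format of getsebool -a.

SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> on
httpd_can_network_relay --> off
httpd_enable_homedirs --> off'

# httpd_boolean_audit: "name --> on|off" lines on stdin -> one line per
# httpd_can_network_* boolean, tagged OK (narrow, on), BROAD (on, but grants
# far more than this setup needs) or off. Returns 1 if any broad boolean is
# on, so the function can gate a deployment check.
httpd_boolean_audit() {
    rc=0
    while read -r name arrow state; do
        case "$name" in httpd_can_network_*) ;; *) continue ;; esac
        if [ "$state" != on ]; then
            printf 'off   %s\n' "$name"
            continue
        fi
        case "$name" in
            # the catch-all booleans: any TCP destination, or relaying for a proxy
            httpd_can_network_connect|httpd_can_network_relay)
                printf 'BROAD %s\n' "$name"
                rc=1 ;;
            # _db, _memcache and similar: limited to one labelled port type
            *)
                printf 'OK    %s\n' "$name" ;;
        esac
    done
    return "$rc"
}

# broad_booleans_on: same input -> just the names of broad booleans that are on
broad_booleans_on() {
    httpd_boolean_audit | sed -n 's/^BROAD //p'
}

# Demo over the constructed sample: the broad boolean is on, so it complains.
printf '%s\n' "$SAMPLE_GETSEBOOL" | httpd_boolean_audit || echo "tighten: setsebool -P <BROAD boolean> 0"
```

On a real host, pipe getsebool -a into httpd_boolean_audit; if it reports BROAD for httpd_can_network_connect, turn that boolean off with setsebool -P and keep only the _db and _memcache ones that this setup actually needs.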

Restoring default file contexts

As I mentioned briefly in the 'TL;DR' section, another common problem people experience is with file contexts. If you follow my instructions exactly, you won't have this problem because we untar the Drupal files directly into the webroot, so they inherit the default file context for /var/www/html. If, however, you were to untar the files in your home directory and then use 'mv' to place them in /var/www/html, they keep the user_home_t context, which apache is not allowed to read by default ('cp' without -a usually picks up the destination's context, which is one reason the two commands behave differently here). If this is happening to you, you will see the file denials logged in /var/log/audit/audit.log -- something like this:
type=AVC msg=audit(1324359816.779:66): avc: denied { getattr } for pid=3872 comm="httpd" path="/var/www/html/index.php" dev=dm-0 ino=549169 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

The solution in this case is to use restorecon to reset the file contexts back to what the policy says they should be (add -n first if you want a dry run that only lists what would change):
# restorecon -rv /var/www/html
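The three denials above (the MySQL port, the memcache port, and the mislabelled index.php) all get decoded the same way: pull the source type, permission, target type and object class out of the AVC record, then pick the narrowest fix. The script below is an added example and not part of the original post; it does that decoding in plain sh and maps the page's three cases to the fixes the post arrives at via audit2why and restorecon. SAMPLE_AVC is constructed from the audit.log lines quoted above, and the fix table is deliberately limited to those cases; anything it does not recognise is handed to audit2why rather than guessed.

```shell
# Added example, not from the original post: a small AVC triage helper that
# does by hand what the post walks through with grep and audit2why.
# Real use:  grep 'avc:  denied' /var/log/audit/audit.log | avc_triage
# SAMPLE_AVC is constructed from the three denials quoted in the post.

SAMPLE_AVC='type=AVC msg=audit(1322708342.967:16804): avc:  denied  { name_connect } for  pid=2724 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1322710172.987:16882): avc:  denied  { name_connect } for  pid=2721 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1324359816.779:66): avc:  denied  { getattr } for  pid=3872 comm="httpd" path="/var/www/html/index.php" dev=dm-0 ino=549169 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY -> the value of KEY=value in the record, quotes stripped
# (empty when the key is absent, e.g. path= on a socket denial)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# type_of CONTEXT -> the type field of a user:role:type:level context
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix STYPE PERM TTYPE TCLASS PATH -> the narrowest change the post
# recommends for that denial. Only the post's cases are mapped here.
suggest_fix() {
    case "$1:$2:$3:$4" in
        httpd_t:name_connect:mysqld_port_t:tcp_socket)
            echo "setsebool -P httpd_can_network_connect_db 1" ;;
        httpd_t:name_connect:memcache_port_t:tcp_socket)
            echo "setsebool -P httpd_can_network_memcache 1" ;;
        httpd_t:*:user_home_t:file|httpd_t:*:user_home_t:dir)
            # web content still labelled as a home directory: relabel its directory
            echo "restorecon -rv $(dirname "$5")" ;;
        *)
            echo "no preset; run: grep '$3' /var/log/audit/audit.log | audit2why" ;;
    esac
}

# avc_triage: AVC records on stdin -> one line per denial:
#   <source type> <perm> <target type> <class> :: <suggested fix>
avc_triage() {
    while IFS= read -r rec; do
        # audit.log writes two spaces after "avc:"; tolerate one as well
        case "$rec" in *"avc:  denied"*|*"avc: denied"*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p')
        stype=$(type_of "$(avc_field "$rec" scontext)")
        ttype=$(type_of "$(avc_field "$rec" tcontext)")
        tclass=$(avc_field "$rec" tclass)
        fix=$(suggest_fix "$stype" "$perm" "$ttype" "$tclass" "$(avc_field "$rec" path)")
        printf '%s %s %s %s :: %s\n' "$stype" "$perm" "$ttype" "$tclass" "$fix"
    done
}

# Demo run over the constructed sample
printf '%s\n' "$SAMPLE_AVC" | avc_triage
```

The point of splitting the record into source type, permission, target type and class is that those four fields are exactly what a policy rule is written in terms of, so they are what you need before deciding between a boolean, a relabel, or a custom module from audit2allow. Keep the fix table small on purpose: a helper that silently maps every unknown denial to httpd_can_network_connect would be disabling SELinux one boolean at a time.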

Update: It was noted that I should also mention another tool for debugging audit messages, 'sealert'. This is provided in the setroubleshoot-server package; it reads the audit log and, similarly to audit2why, explains each denial and suggests fixes, with a bit more context about which one is least invasive.
# sealert -a /var/log/audit/audit.log



Nice post, thanks Jeff. I totally agree that people should stop disabling SELinux. Hopefully those "experts" at read your article too because they always seem to advise users to disable SELinux.


It is a shame that the "howtoforge" guys have gone down that path, they provide very helpful guides, but their view on SELinux is completely WRONG. I wish they would just say they do not understand SELinux and let the users decide, because they are misinforming a lot of users and getting them into systems that are not as secure as they could be. The same goes for the ISPConfig guys.

Kudos to SELinux and all the people behind it. Specially Dan Walsh who has help improved SELinux so much and is always eager to help anyone solve their SELinux related questions.

Here's my problem:

Dec 27 08:30:12 verbanski kernel: type=1400 audit(1324992612.292:93): avc: denied { read } for pid=9103 comm="dovecot" name="dovecot.crt" dev=sda5 ino=11075798 scontext=root:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

I need to get dovecot (from cPanel) working, probably a million other things to get working as well.. any ideas?!

Mark, that message looks like the dovecot process is unable to read dovecot.crt. You probably want to re-label the file. Look at the restorecon command which I mentioned in the post, and also use sealert and/or audit2allow/audit2why to figure out what your options are and how to correct it.

Back in the earlier Fedora days I would routinely disable SElinux, even an eleven year veteran of Linux has his limitations. But for several iterations I seem to have forgotten how to do it and more likely had no reason to disable it. SElinux is doing its job and now with the refinement in SElinux you are saving me from myself and that's a good thing.


This is the "Extra security" ...
1. Uninstall all X-windows programs
2. Uninstall all risky software from everywhere such as compilers, network scanning tools, etc...
3. Deploy all the production services daemons execution through jailkit
4. Deploy a reverse proxy with httpd and mod_security as frontend
5. Keep startup services to the minimum
6. Tune sshd_config, install sysstat, configure sudo, enable psacct
7. Tune sysctl, limits.conf, iptables, access.conf, tcpwrappers
8. Disable SELinux from boot kernel line

It is just true :-) Sooner or later it will die (or the tools improve drastically).

Don't trust what you read here. There also developers who claim Assembler programming is easy ;-)

thanks for the great article, it definitely made SELinux a bit less complicated.


SELinux has caused me more headaches than it's worth, but hey, I know how to configure users and groups properly so maybe I just don't need it.

why would you throw out the extra security by disabling it completely rather than configuring it to work with your application?

Because SELinux is baroque, brittle, poorly documented, poorly integrated into standard system tools, and most distributions ship out-of-the-box with SELinux configurations that will not actually work for many of the software packages available as part of the stock distribution.

From the virtualmin forum:

"Joe: Unfortunately, SELinux has the worst configuration process on the planet. It's downright baroque. Leave it to the government to build something so elaborate...Even POSIX ACLs are simpler."

PS: If you install OpenVZ you have to disable SELinux (looks like SELinux was too complicated even for the OpenVZ developers - who otherwise seem to be pretty capable, lol)

I'm sure you've seen the images looking at the difference between a DVD and a download from a customer experience perspective---a download won't make me sit through 20 minutes of previews, FBI warnings, etc., so it's a better experience.

The analogy to SELinux is, I hope, obvious: please put up with this constant irritating pain in your ass every time you want to do something different on your machine, in the hope that it will prevent you from getting cracked.

It's a similar story with ipt, but in the standard case you have (at least as of today) the advantage of a plaintext configuration file (/etc/sysconfig/iptables) evaluated in order containing a finite list of inbound rules in a limited space (port, proto), and a trusting outbound-ruleset.

And, of course, you still run into the issue where that isn't good enough for my desktop: e.g. video calls with Empathy are blocked with no easy way to turn them back on.

The upshot is that nearly every security interface is outright hostile to a typical user, so the typical user will exercise their physical access and shut the security features off.

When I have a trouble, my first troubleshooting test is "setenforce 0", that usually "solves" it!
I am not running a server with 90% crappy non-free software. Just a simple desktop. Only free code.

A (many) firewall(s), POSIX rights, ACL, SELinux, tcpwrapper + software's embedded security features. Who needs so many security layers? Clean code makes all these useless.

My last "omg I really should disable it" was when I tried nilfs. It isn't "SELinux capable", so you simply can't use it! A security layer is great for people who need security. For others, if it's not easy to configure, it's a pain in the ass.

Security policies' mandatory rule is one: Simplicity. If Linux wants to include itself in the "Unix family" it should comply with this rule...
The KISS model is the way for keeping the servers secure. The SELinux approach is the opposite way.

Please do not underestimate the thousands of sysadmins talking against SELinux. Maybe most of them are not as clever or experienced enough to tune SELinux as you are, but there are a lot of them that are more experienced with better Unix knowledge than you.

On CentOS and on RHEL SELinux is enabled by default. Please, Red Hat developers, stop enabling it by default, even in permissive mode, and ask us during the installation phase if we need to keep it enabled or not.

From time to time, I decide to leave SELinux enabled on a machine. But invariably it ends up causing some mysterious problem during some emergency or otherwise time-critical situation. I've learned that it's best to disable it, no matter how many articles SELinux fans continue to write which say "It used to be that way. But not any more!"

I'd like to see some concrete data on what proportion of machines are saved from being hacked by SELinux. I can't provide any data points since mine don't get hacked. IIRC, Fedora and Red Hat, the two biggest proponents of SELinux I can think of, have had their servers compromised, though.


Another example that SELinux is kind of useless. It didn't prevent for example exploit CVE-2012-0056, a seemingly silly mistake that was recently found in the Linux kernel by Jüri Aedla.

So your claim is that SELinux which is designed to confine exploits in user space components didn't stop a kernel vulnerability? It has never been claimed that SELinux stops kernel vulnerabilities.

Thanks for the update on selinux. I wasn't aware of it being disabled until I read your post.

Module updates for 2 separate drupal instances on fedora 16 fail unless setenforce=0. If setenforce=1 then the update fails with "Failed to get available update data for one project." Is there a specific selinux setting that can be used to allow updates to work without disabling selinux? The online drupal documentation says that ftp must be enabled for updates to work. I have checked the audit.log but nothing seems to show up.

Any ideas?

Thanks for this post - the commands in the TLDR section were exactly what I had been hunting for in order to get Wordpress on RHEL 6.2 working without requiring setting the whole box to Permissive. Really useful stuff.


I've been bitten by SELinux before. While it certainly adds more security, the operational cost increase is far greater than the benefit -- thus people simply turn it off.

Nowadays I even wonder why it comes with the OS and enabled in the first place. I bet the first thing anyone does is to modify /etc/selinux/config and mark it disabled.

SELinux is a really fucking piece of shit. I installed a vanilla CentOS distribution and tried to run some cgi scripts using the stock Apache2. Didn't work, kept getting permission denied errors. Spent *hours* trying to figure out what was going on - all the permissions looked fine. Then found somewhere that said SELinux has problems, so I switched it off, and whammo, everything started working. What a piece of crap. You have to be a real fuck-brain to think that it's OK to *break working software* in the name of security.

"That is telling you, in SELinux giberish language, that ..."

This is a perfect example of why most admins I know disable SELinux at install.

The fundamental problem with SE Linux is that for most people the Apache server is the front door. Everything comes through it.

SE Linux wants to limit access based on processes. So if someone finds a way to take over your web server, they can't use that exploit to do anything else on your machine. But the web server has to have a lot of privileges.

Why do I have to tell SE Linux that the Apache server is allowed to talk with the MySql server on the same machine? Why else would you install a MySql server and an Apache server on the same machine? Same goes for memcache and all the other services.

At least one of your Apache scripts will eventually want to write files to the Apache documents area. (Think WordPress, but so many others.) At least one of your apache scripts will want to send requests out to the Internet. (Think PayPal, but so many others.) You're going to keep adding permissions to the web server, until it can do everything.

Basically, web server software will need to access anything that you've installed on your web server machine. (If it doesn't, then you should uninstall that package. Part of real security is getting rid of unnecessary software.) So the entire premise of SE Linux is flawed.

Sure, there are other problems. It doesn't work out of the box, and it's way to complicated to review and customize. But that's small by comparison to the real problem.

Agree completely. Philips append is more thoughtful and practical than most of the rest and certainly the main article. Title should be "Selinux as Religion". Happily it's easy to turn off.


Strongly worded as it may be, zzz's comment above is just more to the point and describes the plight of so many sysadmin victims of selinux.
