https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux
Priceless wiki https://wiki.centos.org/HowTos/SELinux
#disable DAC (must be root), will only log rule violations
setenforce 0
#enable it
setenforce 1
#check
getenforce
#display info
sestatus
cat /etc/selinux/config
DAC and MAC (discretionary and mandatory access control). First DAC is applied, then MAC (if DAC succeeds).
#list user, role, type, level
ls -Z myfile
Access Vector Cache (AVC)
#view SELinux-Linux user mappings
semanage login -l
#view the SELinux context for processes
ps -eZ
#view SELinux context associated to your user
id -Z
#label a file with a type (transient)
chcon -t
#permanent relabeling of file
semanage
#restore default context for process
restorecon
In Apache, if you get this:
[Tue Feb 27 14:11:52.105495 2018] [core:error] [pid 41356] (13)Permission denied: [client 1.2.3.4:55713] AH00035: access to /index.html denied (filesystem path '/path/to/home') because search permissions are missing on a component of the path
try
ps -efZ | grep http
and check the httpd process, on which TYPE (httpd_t) it's running:
system_u:system_r:httpd_t:s0 root 37203 1 0 Feb28 ? 00:00:03 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 37206 37203 0 Feb28 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
then you have to change the type of your file to be served
ls -Z /path/to/index.html
-rw-r--r--. admrun admrun unconfined_u:object_r:default_t:s0 /path/to/index.html
then you do
chcon -t httpd_t /path/to/index.html
if you get
chcon: failed to change context of "/path/to/myfile" to "˜unconfined_u:object_r:httpd_t:s": Permission denied
it's because httpd_t is a PROCESS type, not a FILE type ( see http://danwalsh.livejournal.com/54803.html )
see here https://linux.die.net/man/8/httpd_selinux complete documentation of types
However it's better to change the context for the folder rather than for the individual files:
# semanage fcontext -a -t httpd_sys_content_t "/path/to(/.*)?"
# restorecon -R -v /path/to
see also "man semanage-fcontext" and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-selinux_contexts_labeling_files-persistent_changes_semanage_fcontext
in Puppet (pueah) you can use https://github.com/voxpupuli/puppet-selinux and a clause like:
selinux::fcontext { '/path/to':
path => '/path/to(/.*)?',
setype => 'httpd_sys_content_t',
}
skip to main |
skip to sidebar
Anything about Java, WebLogic, OSB, Linux etc.... this is my logbook of a navigation in the IT Technology ocean.
Search This Blog
popular posts
911truth.org
cars?
SyntaxHighlighter
Blog Archive
-
▼
2018
(167)
-
▼
March
(17)
- Wildfly file upload and download with Primefaces
- Nexus 3 as a Docker GROUP around a proxy and 2 hos...
- Nexus repository administration automation
- h2 remote
- VirtualBox Centos7 high CPU for VBoxClient process
- Installing Docker Java and Wildfly on DigitalOcean...
- Maven/Eclipse Horror Show
- WinSCP plugin for Far Manager no longer supported
- Using Nexus 3 as a Docker registry Proxy
- Downgrade from Docker 18 to Docker 1.12
- Upgrade docker to version 18 on Centos
- Grafana
- Jenkins pipelines
- /var/run/docker.sock
- Jenkins console
- dind docker in docker , permission denied on /var/...
- SELinux
-
▼
March
(17)
No comments:
Post a Comment