By default SeLinux is enabled and it will mark some labeling on each and every file and ports on OS based on Service.
SeLinux work on following parameters:
1) Context
2) Boolean
1) Context, we can say label. Commands chcon and semanage
2) Boolean, SeLinux having properties for each service like need to enable read or write access to directory, enable http with ftp or not etc.. Commands semanage, getseboolean, setseboolean
In our case we are going to setup SeLinux to work with Apache
As per SeLinux, services can work on only assigned specific ports like
semanage port -l|grep -i mysql
mysqld_port_t tcp 1186, 3306, 63132-63164
semanage port -l|grep -i http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
So, port given in above output, by default allowed for mysql and apache services
Lets, take an example and change following line in /etc/httpd/conf/httpd.conf
Listen *:2222
Save and restart httpd service
While httpd restart, this will show following:
service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.56.103 for ServerName
(13)Permission denied: make_sock: could not bind to address [::]:2222
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:2222
no listening sockets available, shutting down
Unable to open logs
[FAILED]
It's showing Permission denied: make_sock, that means SeLinux not allowing to create sock on 2222 port
As we want run Apache / httpd on 2222 port, execute following command to enable 2222 port for httpd service
semanage port -a -t http_port_t -p tcp 2222
semanage port -l|grep -i http_port_t
http_port_t tcp 2222, 80, 81, 443, 488, 8008, 8009, 8443, 9000
Now 2222 port has been assigned to http_port i.e.; http/apache service
Start http/apache service, you should not get any error this time
service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.56.103 for ServerName
[ OK ]
netstat -antp|grep http
tcp 0 0 :::2222 :::* LISTEN 1403/httpd
File/Folder Labeling
SeLinux keep labeling on each and every file which is as per service
ls -ldZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
ls -ldZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/
ls -ldZ /etc/httpd/conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf
ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
Here (starting with http means its Domain for only httpd service):
httpd_config_t # http configuration
httpd_sys_content_t # http system content
httpd_exec_t # http executable
So, each and every called by httpd/apache service should have proper label.
Lets try to run httpd with different DocumentRoot with im-proper labeling on files and folders
mkdir /data/www -p
ls -ldZ /data/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/
ls -ldZ /data/www/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/www/
cat > /data/www/index.html
this is test
ctrl+D
ls -lZ /data/www/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/www/index.html
Restart httpd service and access through your web browser http://server-IP:2222
You should get following error in web broweser:
and following in apache/httpd service error logs:
[Tue Oct 28 21:17:07 2014] [error] [client 192.168.56.1] (13)Permission denied: access to /index.html denied
How to recover from above error:
Change label of DocumentRoot i.e.; /data/www and its files
As this is going to be http content directory, we should change label to httpd_sys_content_t
chcon -t httpd_sys_content_t /data -R
for permanent changes
semanage fcontext -t httpd_sys_content_t /data
semanage fcontext -t httpd_sys_content_t /data/www
Now you should be able to access server pages without any error
Command to see running process context
ps auxZ # will provide process context too
getsebool
setsebool
Some of the http/apache boolean variables
getsebool -a|grep http
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
SeLinux work on following parameters:
1) Context
2) Boolean
1) Context, we can say label. Commands chcon and semanage
2) Boolean, SeLinux having properties for each service like need to enable read or write access to directory, enable http with ftp or not etc.. Commands semanage, getseboolean, setseboolean
In our case we are going to setup SeLinux to work with Apache
Context
Port SettingsAs per SeLinux, services can work on only assigned specific ports like
semanage port -l|grep -i mysql
mysqld_port_t tcp 1186, 3306, 63132-63164
semanage port -l|grep -i http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
So, port given in above output, by default allowed for mysql and apache services
Lets, take an example and change following line in /etc/httpd/conf/httpd.conf
Listen *:2222
Save and restart httpd service
While httpd restart, this will show following:
service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.56.103 for ServerName
(13)Permission denied: make_sock: could not bind to address [::]:2222
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:2222
no listening sockets available, shutting down
Unable to open logs
[FAILED]
It's showing Permission denied: make_sock, that means SeLinux not allowing to create sock on 2222 port
As we want run Apache / httpd on 2222 port, execute following command to enable 2222 port for httpd service
semanage port -a -t http_port_t -p tcp 2222
semanage port -l|grep -i http_port_t
http_port_t tcp 2222, 80, 81, 443, 488, 8008, 8009, 8443, 9000
Now 2222 port has been assigned to http_port i.e.; http/apache service
Start http/apache service, you should not get any error this time
service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.56.103 for ServerName
[ OK ]
netstat -antp|grep http
tcp 0 0 :::2222 :::* LISTEN 1403/httpd
File/Folder Labeling
SeLinux keep labeling on each and every file which is as per service
ls -ldZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
ls -ldZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/
ls -ldZ /etc/httpd/conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf
ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
Here (starting with http means its Domain for only httpd service):
httpd_config_t # http configuration
httpd_sys_content_t # http system content
httpd_exec_t # http executable
So, each and every called by httpd/apache service should have proper label.
Lets try to run httpd with different DocumentRoot with im-proper labeling on files and folders
mkdir /data/www -p
ls -ldZ /data/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/
ls -ldZ /data/www/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/www/
cat > /data/www/index.html
this is test
ctrl+D
ls -lZ /data/www/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/www/index.html
Restart httpd service and access through your web browser http://server-IP:2222
You should get following error in web broweser:
Forbidden
You don't have permission to access / on this server.and following in apache/httpd service error logs:
[Tue Oct 28 21:17:07 2014] [error] [client 192.168.56.1] (13)Permission denied: access to /index.html denied
How to recover from above error:
Change label of DocumentRoot i.e.; /data/www and its files
As this is going to be http content directory, we should change label to httpd_sys_content_t
chcon -t httpd_sys_content_t /data -R
for permanent changes
semanage fcontext -t httpd_sys_content_t /data
semanage fcontext -t httpd_sys_content_t /data/www
Now you should be able to access server pages without any error
Command to see running process context
ps auxZ # will provide process context too
Boolean
Commands to get or set Boolean variablesgetsebool
setsebool
Some of the http/apache boolean variables
getsebool -a|grep http
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
If you do not want to disable apache/http to serve cgi files
setsebool httpd_enable_cgi off
Enable user's home directory to be used for data/pages serving for apache/http
setsebool httpd_enable_homedirs on
Enable Apache/http to use CIFS/NFS directory to serve pages
setsebool httpd_use_cifs off
setsebool httpd_use_nfs off
Other commands to use
Disable SeLinux
setenforce 0
modify /etc/sysconfig/selinux file and set
SELINUX=disabled
Reboot machine
Command to restore context
restorecon -Rv /data
Create /.autorelabel for allow OS to relabel complete system at next boot time