8.2. Top Three Causes of Problems
The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules.
8.2.1. Labeling Problems
On systems running SELinux, all processes and files carry a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label; SELinux may then deny access, and the process may create mislabeled files.
A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using /var/www/html/ for a website, an administrator wants to use /srv/myweb/. On Red Hat Enterprise Linux 6, the /srv/ directory is labeled with the var_t type. Files and directories created in /srv/ inherit this type. Also, newly-created top-level directories (such as /myserver/) may be labeled with the default_t type. SELinux prevents the Apache HTTP Server (httpd) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/ are to be accessible to httpd:
~]# semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"
This semanage command adds the context for the /srv/myweb/ directory (and all files and directories under it) to the SELinux file-context configuration[11]. The semanage command does not change the context of existing files. As the Linux root user, run the restorecon command to apply the changes:
~]# restorecon -R -v /srv/myweb
Refer to Section 5.6.2, “Persistent Changes: semanage fcontext” for further information about adding contexts to the file-context configuration.
8.2.1.1. What is the Correct Context?
The matchpathcon command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using matchpathcon on a directory that contains incorrectly labeled files:
~]$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
In this example, the index.html and page1.html files are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory may result in files being labeled with the user_home_t type. This type should not exist outside of home directories. Use the restorecon command to restore such files to their correct type:
~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
To restore the context for all files under a directory, use the -R option:
~]# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
Refer to Section 5.9.3, “Checking the Default SELinux Context” for a more detailed example of matchpathcon.
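The two procedures above (adding a file-context entry with semanage and checking labels with matchpathcon) can be combined into a small triage script. The following is an added example, not part of the Red Hat guide: it parses constructed matchpathcon -V output, reports every file whose type differs from the policy default, and emits the restorecon calls that fix them; the sample output lines and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the RHEL guide): triage `matchpathcon -V` output and
# turn the mismatches into the restorecon calls that fix them.
#
# Constructed sample of `matchpathcon -V /var/www/html/*` output, not captured
# from a real system. page2.html already carries its default label.
SAMPLE_OUTPUT='/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page2.html verified.'

# mislabeled OUTPUT
# Prints one line per file whose *type* differs from the default:
#   <path> <current_type> <expected_type>
# Only the type (third colon-separated field of a context) is compared, because
# that is the field type enforcement decides on; user and role differences
# alone are not reported here.
mislabeled() {
    printf '%s\n' "$1" | awk '
        / has context / {
            sub(/,$/, "", $4)                 # drop the trailing comma
            split($4, cur, ":"); split($7, want, ":")
            if (cur[3] != want[3]) print $1, cur[3], want[3]
        }'
}

# mislabeled_count OUTPUT -> number of mismatched files
mislabeled_count() {
    mislabeled "$1" | awk 'END { print NR }'
}

# fix_commands OUTPUT
# Emits the restorecon invocations that relabel each mismatched file to its
# default. restorecon can only apply what the file-context configuration
# already says, so a non-standard directory (such as /srv/myweb/) must first
# get its semanage fcontext entry, or the "should be" type itself is wrong.
fix_commands() {
    mislabeled "$1" | awk '{ print "restorecon -v " $1 }'
}

echo "mismatches: $(mislabeled_count "$SAMPLE_OUTPUT")"
mislabeled "$SAMPLE_OUTPUT"
fix_commands "$SAMPLE_OUTPUT"
```

On a real system, feed the script the live output of matchpathcon -V and review the emitted commands before running them as root.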
[11] Files in /etc/selinux/targeted/contexts/files/ define contexts for files and directories. Files in this directory are read by the restorecon and setfiles commands to restore files and directories to their default contexts.