Chapter 4. Configuring SELinux for applications and services with non-standard configurations
When SELinux is in enforcing mode, the default policy is the targeted policy. The following sections provide information about setting up and configuring the SELinux policy for various services after you change configuration defaults, such as ports, database locations, or file-system permissions for processes.
You learn to change SELinux types for non-standard ports, to identify and fix incorrect labels for changes of default directories, and to adjust the policy using SELinux booleans.
4.1. Customizing the SELinux policy for the Apache HTTP server in a non-standard configuration
You can configure the Apache HTTP server to listen on a different port and to provide content in a non-default directory. To prevent consequent SELinux denials, follow the steps in this procedure to adjust your system’s SELinux policy.
Prerequisites
-
The
httpd
package is installed and the Apache HTTP server is configured to listen on TCP port 3131 and to use the/var/test_www/
directory instead of the default/var/www/
directory. -
The
policycoreutils-python-utils
andsetroubleshoot-server
packages are installed on your system.
Procedure
Start the
httpd
service and check the status:# systemctl start httpd # systemctl status httpd … httpd[14523]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:3131 … systemd[1]: Failed to start The Apache HTTP Server. …
The SELinux policy assumes that
httpd
runs on port 80:# semanage port -l | grep http http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 http_cache_port_t udp 3130 http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989
Change the SELinux type of port 3131 to match port 80:
# semanage port -a -t http_port_t -p tcp 3131
Start
httpd
again:# systemctl start httpd
However, the content remains inaccessible:
# wget localhost:3131/index.html … HTTP request sent, awaiting response... 403 Forbidden …
Find the reason with the
sealert
tool:# sealert -l "*" … SELinux is preventing httpd from getattr access on the file /var/test_www/html/index.html. …
Compare SELinux types for the standard and the new path using the
matchpathcon
tool:# matchpathcon /var/www/html /var/test_www/html /var/www/html system_u:object_r:httpd_sys_content_t:s0 /var/test_www/html system_u:object_r:var_t:s0
Change the SELinux type of the new
/var/test_www/html/
content directory to the type of the default/var/www/html
directory:# semanage fcontext -a -e /var/www /var/test_www
Relabel the
/var
directory recursively:# restorecon -Rv /var/ ... Relabeled /var/test_www/html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0 Relabeled /var/test_www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Verification
Check that the
httpd
service is running:# systemctl status httpd … Active: active (running) … systemd[1]: Started The Apache HTTP Server. httpd[14888]: Server configured, listening on: port 3131 ...
Verify that the content provided by the Apache HTTP server is accessible:
# wget localhost:3131/index.html … HTTP request sent, awaiting response... 200 OK Length: 0 [text/html] Saving to: ‘index.html' …
Additional resources
-
semanage(8)
,matchpathcon(8)
, andsealert(8)
man pages on your system
4.2. Adjusting the policy for sharing NFS and CIFS volumes by using SELinux booleans
You can change parts of SELinux policy at runtime using booleans, even without any knowledge of SELinux policy writing. This enables changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. The following procedure demonstrates listing SELinux booleans and configuring them to achieve the required changes in the policy.
NFS mounts on the client side are labeled with a default context defined by a policy for NFS volumes. In RHEL, this default context uses the nfs_t
type. Also, Samba shares mounted on the client side are labeled with a default context defined by the policy. This default context uses the cifs_t
type. You can enable or disable booleans to control which services are allowed to access the nfs_t
and cifs_t
types.
To allow the Apache HTTP server service (httpd
) to access and share NFS and CIFS volumes, perform the following steps:
Prerequisites
-
Optionally, install the
selinux-policy-devel
package to obtain clearer and more detailed descriptions of SELinux booleans in the output of thesemanage boolean -l
command.
Procedure
Identify SELinux booleans relevant for NFS, CIFS, and Apache:
# semanage boolean -l | grep 'nfs\|cifs' | grep httpd httpd_use_cifs (off , off) Allow httpd to access cifs file systems httpd_use_nfs (off , off) Allow httpd to access nfs file systems
List the current state of the booleans:
$ getsebool -a | grep 'nfs\|cifs' | grep httpd httpd_use_cifs --> off httpd_use_nfs --> off
Enable the identified booleans:
# setsebool httpd_use_nfs on # setsebool httpd_use_cifs on
NoteUse
setsebool
with the-P
option to make the changes persistent across restarts. Asetsebool -P
command requires a rebuild of the entire policy, and it might take some time depending on your configuration.
Verification
Check that the booleans are
on
:$ getsebool -a | grep 'nfs\|cifs' | grep httpd httpd_use_cifs --> on httpd_use_nfs --> on
Additional resources
-
semanage-boolean(8)
,sepolicy-booleans(8)
,getsebool(8)
,setsebool(8)
,booleans(5)
, andbooleans(8)
man pages on your system
4.3. Finding the correct SELinux type for managing access to non-standard directories
If you need to set access-control rules that the default SELinux policy does not cover, start by searching for a boolean that matches your use case. If you cannot find a suitable boolean, you can use a matching SELinux type or even create a local policy module.
Prerequisites
-
The
selinux-policy-doc
andsetools-console
packages are installed on your system.
Procedure
List all SELinux-related topics and limit the results to a component you want to configure. For example:
# man -k selinux | grep samba samba_net_selinux (8) - Security Enhanced Linux Policy for the samba_net processes samba_selinux (8) - Security Enhanced Linux Policy for the smbd processes …
In the man page that corresponds to your scenario, find the related SELinux booleans, port types, and file types.
Note that the
man -k selinux
orapropos selinux
commands are available only after you install theselinux-policy-doc
package.Optional: You can display the default mapping of processes on default locations by using the
semanage fcontext -l
command, for example:# semanage fcontext -l | grep samba … /var/cache/samba(/.*)? all files system_u:object_r:samba_var_t:s0 … /var/spool/samba(/.*)? all files system_u:object_r:samba_spool_t:s0 …
Use the
sesearch
command to display rules in the default SELinux policy. You can find the type and boolean to use by listing the corresponding rule, for example:$ sesearch -A | grep samba | grep httpd … allow httpd_t cifs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True …
An SELinux boolean might be the most straightforward solution for your configuration problem. You can display all available booleans and their values by using the
getsebool -a
command, for example:$ getsebool -a | grep homedirs git_cgi_enable_homedirs --> off git_system_enable_homedirs --> off httpd_enable_homedirs --> off mock_enable_homedirs --> off mpd_enable_homedirs --> off openvpn_enable_homedirs --> on ssh_chroot_rw_homedirs --> off
You can verify that the selected boolean does exactly what you want by using the
sesearch
command, for example:$ sesearch -A | grep httpd_enable_homedirs … allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_nfs_home_dirs && httpd_enable_homedirs ]:True allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True …
If no boolean matches your scenario, find an SELinux type that suits your case. You can find a type for your files by querying a corresponding rule from the default policy by using
sesearch
, for example:$ sesearch -A -s httpd_t -c file -p read … allow httpd_t httpd_t:file { append getattr ioctl lock open read write }; allow httpd_t httpd_tmp_t:file { append create getattr ioctl link lock map open read rename setattr unlink write }; …
- If none of the previous solutions cover your scenario, you can add a custom rule to the SELinux policy. See the Creating a local SELinux policy module section for more information.
Additional resources
-
SELinux-related man pages provided by the
man -k selinux
command after you install theselinux-policy-doc
package -
sesearch(1)
,semanage-fcontext(8)
,semanage-boolean(8)
, andgetsebool(8)
man pages on your system