Red Hat Summit第4章 Configuring SELinux for applications and services with non-standard configurations
When SELinux is in enforcing mode, the default policy is the targeted policy. The following sections provide information about setting up and configuring the SELinux policy for various services after you change configuration defaults, such as ports, database locations, or file-system permissions for processes.
You learn to change SELinux types for non-standard ports, to identify and fix incorrect labels for changes of default directories, and to adjust the policy using SELinux booleans.
4.1. Customizing the SELinux policy for the Apache HTTP server in a non-standard configuration
You can configure the Apache HTTP server to listen on a different port and to provide content in a non-default directory. To prevent consequent SELinux denials, follow the steps in this procedure to adjust your system’s SELinux policy.
Prerequisites
-
The
httpdpackage is installed and the Apache HTTP server is configured to listen on TCP port 3131 and to use the/var/test_www/directory instead of the default/var/www/directory. -
The
policycoreutils-python-utilsandsetroubleshoot-serverpackages are installed on your system.
Procedure
Start the
httpdservice and check the status:# systemctl start httpd # systemctl status httpd … httpd[14523]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:3131 … systemd[1]: Failed to start The Apache HTTP Server. …The SELinux policy assumes that
httpdruns on port 80:# semanage port -l | grep http http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 http_cache_port_t udp 3130 http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989Change the SELinux type of port 3131 to match port 80:
# semanage port -a -t http_port_t -p tcp 3131Start
httpdagain:# systemctl start httpdHowever, the content remains inaccessible:
# wget localhost:3131/index.html … HTTP request sent, awaiting response... 403 Forbidden …Find the reason with the
sealerttool:# sealert -l "*" … SELinux is preventing httpd from getattr access on the file /var/test_www/html/index.html. …Compare SELinux types for the standard and the new path using the
matchpathcontool:# matchpathcon /var/www/html /var/test_www/html /var/www/html system_u:object_r:httpd_sys_content_t:s0 /var/test_www/html system_u:object_r:var_t:s0Change the SELinux type of the new
/var/test_www/html/content directory to the type of the default/var/www/htmldirectory:# semanage fcontext -a -e /var/www /var/test_wwwRelabel the
/vardirectory recursively:# restorecon -Rv /var/ ... Relabeled /var/test_www/html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0 Relabeled /var/test_www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Verification
Check that the
httpdservice is running:# systemctl status httpd … Active: active (running) … systemd[1]: Started The Apache HTTP Server. httpd[14888]: Server configured, listening on: port 3131 ...Verify that the content provided by the Apache HTTP server is accessible:
# wget localhost:3131/index.html … HTTP request sent, awaiting response... 200 OK Length: 0 [text/html] Saving to: ‘index.html' …
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}