Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 4. Configuring SELinux for applications and services with non-standard configurations

Adjust the SELinux targeted policy when configuring applications to use non-standard ports or directories. This prevents SELinux denials and helps ensure services run correctly in enforcing mode.

When SELinux is in enforcing mode, the default policy is the targeted policy. You learn how to set up and configure the SELinux policy for various services after you change configuration defaults, such as ports, database locations, or file-system permissions for processes. Such changes require changing SELinux types for non-standard ports, identifying and fixing incorrect labels for changes to default directories, and adjusting the policy by using SELinux booleans.

Adjust the SELinux policy when configuring the Apache HTTP server to use non-standard ports or directories. This prevents access denials and helps ensure the web server operates securely in enforcing mode.

Prerequisites

  • The httpd package is installed and the Apache HTTP server is configured to listen on TCP port 3131 and to use the /var/test_www/ directory instead of the default /var/www/ directory.
  • The policycoreutils-python-utils and setroubleshoot-server packages are installed on your system.

Procedure

  1. Start the httpd service and check the status: 

    # systemctl start httpd
# systemctl status httpd
…
httpd[14523]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:3131
…
systemd[1]: Failed to start The Apache HTTP Server.
…

  2. The SELinux policy assumes that httpd runs on port 80: 

    # semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

  3. Change the SELinux type of port 3131 to match port 80: 

    # semanage port -a -t http_port_t -p tcp 3131

  4. Start httpd again: 

    # systemctl start httpd

  5. However, the content remains inaccessible: 

    # wget localhost:3131/index.html
…
HTTP request sent, awaiting response... 403 Forbidden
…

    Find the reason with the sealert tool: 

    # sealert -l "*"
…
SELinux is preventing httpd from getattr access on the file /var/test_www/html/index.html.
…

  6. Compare SELinux types for the standard and the new path using the matchpathcon tool: 

    # matchpathcon /var/www/html /var/test_www/html
/var/www/html       system_u:object_r:httpd_sys_content_t:s0
/var/test_www/html  system_u:object_r:var_t:s0

  7. Change the SELinux type of the new /var/test_www/html/ content directory to the type of the default /var/www/html directory: 

    # semanage fcontext -a -e /var/www /var/test_www

  8. Relabel the /var directory recursively: 

    # restorecon -Rv /var/
…
Relabeled /var/test_www/html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/test_www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

Verification

  1. Check that the httpd service is running: 

    # systemctl status httpd
…
Active: active (running)
…
systemd[1]: Started The Apache HTTP Server.
httpd[14888]: Server configured, listening on: port 3131
...

  2. Verify that the content provided by the Apache HTTP server is accessible: 

    # wget localhost:3131/index.html
…
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: 'index.html'
…

4.2. Adjusting the policy for sharing NFS and CIFS volumes by using SELinux booleans
Copiar o link

Modify the SELinux policy at runtime by using booleans to allow services to access NFS and CIFS volumes. This feature enables quick policy adjustments without reloading or recompiling the entire policy.

With SELinux booleans, you can change parts of the policy at runtime, even without any knowledge of SELinux policy writing. This enables changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.

The example procedure demonstrates listing SELinux booleans and configuring them to achieve the required changes in the policy.

NFS mounts on the client side are labeled with a default context defined by a policy for NFS volumes. In RHEL, this default context uses the nfs_t type. Also, Samba shares mounted on the client side are labeled with a default context defined by the policy. This default context uses the cifs_t type. You can enable or disable booleans to control which services are allowed to access the nfs_t and cifs_t types.

See the semanage-boolean(8), sepolicy-booleans(8), getsebool(8), setsebool(8), booleans(5), and booleans(8) man pages on your system for details about the commands used.

Prerequisites

  • Optionally, install the selinux-policy-devel package to obtain clearer and more detailed descriptions of SELinux booleans in the output of the semanage boolean -l command.

Procedure

  1. Identify SELinux booleans relevant for NFS, CIFS, and Apache: 

    # semanage boolean -l | grep 'nfs\|cifs' | grep httpd
httpd_use_cifs                 (off  ,  off)  Allow httpd to access cifs file systems
httpd_use_nfs                  (off  ,  off)  Allow httpd to access nfs file systems

  2. List the current state of the booleans: 

    $ getsebool -a | grep 'nfs\|cifs' | grep httpd
httpd_use_cifs --> off
httpd_use_nfs --> off

  3. Enable the identified booleans: 

    # setsebool httpd_use_nfs on
# setsebool httpd_use_cifs on
    Note

    Use setsebool with the -P option to make the changes persistent across restarts. A setsebool -P command requires a rebuild of the entire policy, and it might take some time depending on your configuration.

Verification

  1. Check that the booleans are on: 

    $ getsebool -a | grep 'nfs\|cifs' | grep httpd
httpd_use_cifs --> on
httpd_use_nfs --> on

Find the correct SELinux type to manage access to directories not covered by the default policy. This involves searching for appropriate booleans or matching types, or defining a local policy module if necessary.

If you need to set access-control rules that the default SELinux policy does not cover, start by searching for a boolean that matches your use case. If you cannot find a suitable boolean, you can use a matching SELinux type or even create a local policy module.

See the sesearch(1), semanage-fcontext(8), semanage-boolean(8), and getsebool(8) man pages on your system for details and more examples related to the commands used.

Prerequisites

  • The selinux-policy-doc and setools-console packages are installed on your system.

Procedure

  1. List all SELinux-related topics and limit the results to a component you want to configure. For example: 

    # man -k selinux | grep samba
samba_net_selinux (8) - Security Enhanced Linux Policy for the samba_net processes
samba_selinux (8)    - Security Enhanced Linux Policy for the smbd processes
…

    In the man page that corresponds to your scenario, find the related SELinux booleans, port types, and file types.

    Note that the man -k selinux or apropos selinux commands are available only after you install the selinux-policy-doc package.

  2. Optional: You can display the default mapping of processes on default locations by using the semanage fcontext -l command, for example: 

    # semanage fcontext -l | grep samba
…
/var/cache/samba(/.*)?                             all files          system_u:object_r:samba_var_t:s0
…
/var/spool/samba(/.*)?                             all files          system_u:object_r:samba_spool_t:s0
…

  3. Use the sesearch command to display rules in the default SELinux policy. You can find the type and boolean to use by listing the corresponding rule, for example: 

    $ sesearch -A | grep samba | grep httpd
…
allow httpd_t cifs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
…

  4. An SELinux boolean might be the most straightforward solution for your configuration problem. You can display all available booleans and their values by using the getsebool -a command, for example: 

    $ getsebool -a | grep homedirs
git_cgi_enable_homedirs --> off
git_system_enable_homedirs --> off
httpd_enable_homedirs --> off
mock_enable_homedirs --> off
mpd_enable_homedirs --> off
openvpn_enable_homedirs --> on
ssh_chroot_rw_homedirs --> off

  5. You can verify that the selected boolean does exactly what you want by using the sesearch command, for example: 

    $ sesearch -A | grep httpd_enable_homedirs
…
allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_nfs_home_dirs && httpd_enable_homedirs ]:True
allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
…

  6. If no boolean matches your scenario, find an SELinux type that suits your case. You can find a type for your files by querying a corresponding rule from the default policy by using sesearch, for example: 

    $ sesearch -A -s httpd_t -c file -p read
…
allow httpd_t httpd_t:file { append getattr ioctl lock open read write };
allow httpd_t httpd_tmp_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };
…
  7. If none of the previous solutions cover your scenario, you can add a custom rule to the SELinux policy. See the Creating a local SELinux policy module section for more information.

Configure access to a non-standard shared directory for the unprivileged SELinux user user_u. This process restricts access by finding and mapping the appropriate SELinux file type to the directory.

The user_u user has the default role user_r and the default domain user_t. See the seinfo(1), semanage-fcontext(8), and user_selinux(8) man pages on your system for more information about the related commands and the generic unprivileged SELinux user user_u.

Prerequisites

  • The selinux-policy-doc and setools-console packages are installed on your system.

Procedure

  1. Open the user_selinux(8) man page in your terminal: 

    $ man user_selinux

    In the MANAGED FILES section, find an attribute or a type that corresponds with your scenario. For example, the user_home_type attribute.

  2. Optional: To list all types assigned to an attribute, use the seinfo command with the -x and -a options, for example: 

    $ seinfo -x -a user_home_type

Type Attributes: 1
   attribute user_home_type;
…
	chrome_sandbox_home_t
	config_home_t
	cvs_home_t
	data_home_t
	dbus_home_t
	fetchmail_home_t
	gconf_home_t
	git_user_content_t
…

  3. After you identify a candidate for the corresponding type, the data_home_t type in this example, check its SELinux mapping: 

    $ semanage fcontext -l | grep data_home_t
…
/root/\.local/share(/.*)?                          all files          system_u:object_r:data_home_t:s0
…

  4. Map the corresponding type to a directory that you want to make accessible for user_u, for example, /shared-data: 

    $ semanage fcontext -a -t data_home_t '/shared-data(/.*)?'

Verification

  1. Check the mapping of the directory you configured: 

    # semanage fcontext -l | grep "shared-data"
/shared-data(/.*)?                             	all files      	system_u:object_r:data_home_t:s0
  2. Log in as a Linux user mapped to the user_u SELinux user, and verify you can access the directory.
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo