what is Selinux and how to implement on your Server?
What is SELinux?
SELinux stands for Security-Enhanced Linux.
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system.
It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).
SELinux was released to the open-source community in 2000, and was integrated into the upstream Linux kernel in 2003.
If you are running Security-Enhanced Linux, then it might be the reason for the problem, by denying access to the file from the server.
how to use SELinux and configure SELinux?
To check whether SELinux is enabled on your system, run the sestatus command in a terminal. If the
[[email protected] ~]$ sestatus
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31
The command does not exist, then SELinux is not on your system. If it does exist, then it should tell you whether it is enforced or not.
To check whether SELinux policies are the reason for the problem, you can try turning it off temporarily. However be CAREFUL, since this will disable protection entirely. Do not do this on your production server.
vim /etc/selinux/config #SELINUX=enforcing SELINUX=disabled Restart Server init 6
If you are no longer have the problem with SELinux turned off, then this is the root cause.
To solve it, you will have to configure SELinux accordingly.
The following context types will be necessary :
httpd_sys_content_t – This context is for read-only files and Directories
httpd_sys_rw_content_t – This context is for files and Directories on which you want have read and write access
httpd_log_t – This context is used for log files to append in log files
httpd_cache_t – This context is for the cache directory
For example, to assign the httpd_sys_content_t context type to your website root directory, run :
semanage fcontext -a -t httpd_sys_content_t "/path/to/root(/.*)?" restorecon -Rv /path/to/root
If your file is in a home directory, you will also need to turn on the httpd_enable_homedirs boolean :
function -P httpd_enable_homedirs 1
In any case, there could be a variety of reasons why SELinux would deny access to a file, depending on your policies. So you will need to enquire into that. Here is a tutorial specifically on configuring SELinux for a web server.
How to configure SELinux for web servers?
semanage fcontext -l
Allow Servers to read app files and all child directories and files.
semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"
Create Policy to allow logging in log Directories
semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"
Create Policy to allow cache.
semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"
Allow server to read and write permission for uploading files and all child directories and files.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/uploads(/.*)?"
Apply SELinux policy changes
restorecon -Rv /webapps ls -lZ
How to change fcontext type for file and Directory
Run the chcon -t type file-name command to change the file type
]$ ls -dZ ]$ chcon -t httpd_sys_content_t file-name
Run the chcon -R -t type directory-name command to change the type of the directory
]$ chcon -R -t httpd_sys_content_t directory-name ]$ ls -dZ
]$ restorecon -v file