What is SELinux and how do you implement it on your server?


SELinux

What is SELinux?

SELinux stands for Security-Enhanced Linux.
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that lets administrators control, on top of the ordinary file permissions, which processes and users may access which files and resources on the system.

It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).

SELinux was released to the open-source community in 2000, and was integrated into the upstream Linux kernel in 2003.




If you are running Security-Enhanced Linux and your web server cannot reach a file it should be able to read, SELinux may be the cause: its policy can deny the server process access to the file even when the normal file permissions allow it.

How to configure SELinux?

To check whether SELinux is enabled on your system, run the sestatus command in a terminal. If the command does not exist, then SELinux is not on your system. If it does exist, the output tells you whether SELinux is enforcing or not:

[user@host ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To check whether SELinux policies are the reason for the problem, you can try turning it off temporarily. However be CAREFUL, since this will disable protection entirely. Do not do this on your production server.

setenforce 0

Or edit the SELinux config file:

vim /etc/selinux/config

#SELINUX=enforcing
SELINUX=disabled

and restart the server:

init 6

Note that SELINUX=disabled is not a temporary switch: while SELinux is disabled, new files get no security labels, so re-enabling it later normally requires a full relabel on the next boot. For a quick test, setenforce 0 (permissive mode, where denials are only logged) is the safer of the two.

If you no longer have the problem with SELinux turned off, then SELinux is the root cause.

To solve it, you will have to configure SELinux accordingly.

The following context types will be necessary:

httpd_sys_content_t – for read-only files and directories
httpd_sys_rw_content_t – for files and directories the server needs to read and write
httpd_log_t – for log files the server appends to
httpd_cache_t – for the cache directory

For example, to assign the httpd_sys_content_t context type to your website root directory, run :

semanage fcontext -a -t httpd_sys_content_t "/path/to/root(/.*)?"
restorecon -Rv /path/to/root

If your file is in a home directory, you will also need to turn on the httpd_enable_homedirs boolean (the -P flag makes the change persistent across reboots):

setsebool -P httpd_enable_homedirs 1

In any case, there could be a variety of reasons why SELinux would deny access to a file, depending on your policies, so you will need to investigate the specific denial. Below is a tutorial specifically on configuring SELinux for a web server.
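Before turning enforcement off, a defender can confirm that SELinux is the cause by reading the AVC denial records the kernel writes to the audit log. The following shell script is an added example (mine, not from the article): it parses AVC lines in the standard audit.log layout and summarises, per denial, the denied permission, the process, the source and target types and the object class. The sample lines are constructed for the example; on a real host you would feed it the output of `ausearch -m AVC` or the audit log itself. The helper names (avc_field, avc_perms, context_type, avc_summary, avc_count) are my own.

```shell
#!/bin/sh
# Added example: summarise AVC denials the way a defender would when a web
# server cannot reach a file. These lines are CONSTRUCTED for the example; on a
# real host they come from /var/log/audit/audit.log or `ausearch -m AVC`.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.tmp" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=257 success=no exit=-13'

# avc_field KEY LINE -> value of KEY=value in LINE (quotes stripped), empty if absent
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission set written inside "denied { ... }"
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# context_type CONTEXT -> the type field of a user:role:type:level context
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary TEXT -> one line per denial: "<perms> <comm> <source type> -> <target type> (<class>)"
avc_summary() {
  printf '%s\n' "$1" | grep '^type=AVC ' | grep 'denied' | while IFS= read -r line; do
    printf '%s %s %s -> %s (%s)\n' \
      "$(avc_perms "$line")" \
      "$(avc_field comm "$line")" \
      "$(context_type "$(avc_field scontext "$line")")" \
      "$(context_type "$(avc_field tcontext "$line")")" \
      "$(avc_field tclass "$line")"
  done
}

# avc_count TEXT -> number of AVC denials found in TEXT
avc_count() {
  avc_summary "$1" | wc -l | tr -d ' '
}

avc_summary "$SAMPLE_AVC"
```

The target type in each summary line is what you compare against the list of httpd context types above: a read denial on a file labelled user_home_t points at a missing fcontext rule (or the home-directory boolean), while a write denial on httpd_sys_content_t points at a path that should carry httpd_sys_rw_content_t instead.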

How to configure SELinux for web servers?

First, list the file context rules that are already defined:

semanage fcontext -l

Allow the server to read the application files and all child directories and files:

semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"

Create a rule that allows logging in the log directory:

semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"

Create a rule for the cache directory:

semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"

Allow the server read and write access to the upload directory and all child directories and files:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/uploads(/.*)?"

Apply the SELinux policy changes. A semanage rule only records the mapping; the files are not relabelled until restorecon is run on each path you added a rule for:

restorecon -Rv /webapps
restorecon -Rv /var/www/html/uploads

Then verify the labels:

ls -lZ /webapps
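The steps above are one procedure, and re-running it is a common need. As an added example that is not part of the article, the following shell script wraps them so they can be applied repeatedly: semanage fcontext -a refuses to add a rule whose pattern already exists, so the script consults the `semanage fcontext -l` listing and switches to -m for patterns already present, then relabels every path a rule was added for. The listing it parses is constructed to mimic a host where the /webapps rule was added earlier; the paths and types are the article's, the helper names (fcontext_regex, rule_exists, plan_rule, plan_site, apply_site) are mine, and apply_site only executes the commands when semanage is installed.

```shell
#!/bin/sh
# Added example: plan and apply persistent file-context rules for the layout
# used in the article. Helper names are mine, not part of SELinux tooling.

# fcontext_regex DIR -> the "DIR(/.*)?" pattern semanage expects (dir plus everything below it)
fcontext_regex() {
  printf '%s(/.*)?\n' "${1%/}"
}

# rule_exists PATTERN LISTING -> 0 if the `semanage fcontext -l` output in
# LISTING already has a rule whose pattern is exactly PATTERN, else 1
rule_exists() {
  printf '%s\n' "$2" | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# plan_rule TYPE DIR LISTING -> the semanage command to run: -a for a new
# pattern, -m to modify one that is already defined (-a would fail on it)
plan_rule() {
  pattern=$(fcontext_regex "$2")
  if rule_exists "$pattern" "$3"; then op=-m; else op=-a; fi
  printf 'semanage fcontext %s -t %s "%s"\n' "$op" "$1" "$pattern"
}

# plan_site LISTING -> the full ordered plan for the article's layout; rules
# do nothing until restorecon relabels the files, so it ends with one
# restorecon per top-level path
plan_site() {
  plan_rule httpd_sys_content_t /webapps "$1"
  plan_rule httpd_log_t /webapps/logs "$1"
  plan_rule httpd_cache_t /webapps/cache "$1"
  plan_rule httpd_sys_rw_content_t /var/www/html/uploads "$1"
  printf 'restorecon -Rv /webapps\n'
  printf 'restorecon -Rv /var/www/html/uploads\n'
}

# apply_site: execute the plan, but only where the SELinux tools exist
apply_site() {
  if command -v semanage >/dev/null 2>&1; then
    plan_site "$(semanage fcontext -l)" | sh -e
  else
    echo "semanage not found; printing the plan instead:" >&2
    plan_site ""
  fi
}

# CONSTRUCTED listing imitating `semanage fcontext -l` on a host where the
# /webapps rule was added earlier, so the plan must use -m for that one
SAMPLE_LISTING='SELinux fcontext                                   type               Context
/webapps(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0'

plan_site "$SAMPLE_LISTING"
```

Run plan_site against the real listing first and read the commands before letting apply_site execute them; the add-or-modify decision is the part people usually get wrong when scripting semanage.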

How to change the fcontext type for a file or directory

Run chcon -t type file-name to change the type of a single file, using ls -dZ before and after to see the label:

$ ls -dZ file-name
$ chcon -t httpd_sys_content_t file-name

Run chcon -R -t type directory-name to change the type of a directory and everything under it:

$ chcon -R -t httpd_sys_content_t directory-name
$ ls -dZ directory-name

Keep in mind that chcon only changes the label stored on the file, not the policy. Running restorecon on the file resets the label to whatever the fcontext rules say, so a chcon change is lost at the next relabel; use semanage fcontext (above) when the change must be persistent:

$ restorecon -v file-name
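To make concrete why restorecon undoes a chcon change, here is an added example (mine, not from the article or from the SELinux project) that imitates the lookup restorecon performs: it takes a rule list in the layout of `semanage fcontext -l`, where rules are consulted last-to-first so the last matching pattern wins, and reports which type the policy assigns to a path. The rule list is constructed and the lookup is simplified (real lookups also honour per-file-type qualifiers); the helper names policy_type and restorecon_would_change are mine.

```shell
#!/bin/sh
# Added example: which type will restorecon put on a path? CONSTRUCTED rule
# list in `semanage fcontext -l` layout; rules added with semanage are stored
# after the policy's own, and the last matching rule wins.
RULES='/var/www(/.*)?                     all files   system_u:object_r:httpd_sys_content_t:s0
/var/www/html/uploads(/.*)?        all files   system_u:object_r:httpd_sys_rw_content_t:s0
/webapps(/.*)?                     all files   system_u:object_r:httpd_sys_content_t:s0
/webapps/logs(/.*)?                all files   system_u:object_r:httpd_log_t:s0'

# policy_type PATH RULES -> type the rules assign to PATH, or "default" when
# no pattern matches the whole path
policy_type() {
  path=$1
  # reverse the list (sed one-liner acts as tac), then take the first pattern
  # in reversed order that matches the complete path, i.e. the last rule
  found=$(printf '%s\n' "$2" | sed '1!G;h;$!d' | while IFS= read -r rule; do
    pattern=${rule%% *}   # first column: the regular expression
    context=${rule##* }   # last column: the security context
    if printf '%s\n' "$path" | grep -E -q -- "^${pattern}\$"; then
      printf '%s\n' "$context" | cut -d: -f3
      break
    fi
  done)
  printf '%s\n' "${found:-default}"
}

# restorecon_would_change PATH CURRENT_TYPE RULES -> 0 if a relabel would
# replace CURRENT_TYPE (for instance one set by chcon), 1 if it matches policy
restorecon_would_change() {
  [ "$(policy_type "$1" "$3")" != "$2" ]
}

# demo: the error log under /webapps/logs is httpd_log_t by policy, so a
# chcon to httpd_sys_content_t on it would be reverted by restorecon
policy_type /webapps/logs/error.log "$RULES"
policy_type /webapps/index.html "$RULES"
policy_type /home/alice/public_html "$RULES"
```

The rule ordering is the practical point: a broad pattern such as /webapps(/.*)? and a narrower one such as /webapps/logs(/.*)? both match a log file, and the narrower rule only wins because it is listed later, which is the order semanage produces when you add the rules as the article does.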

Important Link

[5.6.2. Persistent Changes: semanage fcontext Red Hat Enterprise Linux 6 | Red Hat Customer Portal]

techouse
