SELinux Notes

From Simson Garfinkel

SELinux is enabled by default on CentOS 7 and on RHEL. It is a good thing to have on internet-facing servers, but it makes running a web server far, far more complex.


Resolving SELinux Problems

Problem: Apache can't access the files

   # reset the labels under /var/www to what the policy says they should be
   sudo /sbin/restorecon -R /var/www
   # if the content lives under a user's home directory, also let httpd read it
   sudo setsebool -P httpd_read_user_content 1

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Check the security context:
   ls -lZ /var/www/html/
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx

Problem: CGI scripts won't run.

In order to execute a CGI script under SELinux, the script must carry the httpd_sys_script_exec_t security context (the type the `chcon` and `semanage` commands below assign). There are two ways to set the security context:

  1. The context can be set manually on a per-file basis with the `chcon` command.
  2. The context can be derived from an SELinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.

The Red Hat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.

You can see the SELinux policies that may apply to cgi-bin with:

   $ semanage fcontext --list | grep cgi-bin

You can explicitly give a script in the cgi-bin directory the SELinux executable-script context with:

   $ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi

You can take it away again (leaving the file with the generic unlabeled_t type) with:

   $ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi

Check the file's SELinux attributes with `ls -laZ`:

   $ ls -laZ /var/www/cgi-bin/script.cgi

Looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory within html executable:

   $ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?"
   $ restorecon -R -v /var/www/html/bin
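The fcontext rules above are ordinary regular expressions, and `restorecon` relabels a file to whatever the matching rule says. A label set by hand with `chcon` (the unlabeled_t example above, or the mysqld_db_t relabel of a moved data directory further down this page) is therefore lost at the next relabel unless a `semanage fcontext` rule backs it. The script below is an added example, not code from this page or from the SELinux tools: it approximates that lookup over a constructed `semanage fcontext --list` listing using only sh and awk, so it runs on a host without SELinux. The rule precedence it uses (longest literal prefix wins, later rule on a tie) is an assumption that mimics the usual outcome; `matchpathcon PATH` gives the authoritative answer on a real system.

```shell
#!/bin/sh
# Added example: approximate what restorecon/matchpathcon would decide for a path
# from a constructed `semanage fcontext --list` listing, and compare that with the
# label a file currently carries. Needs only sh + awk; no SELinux on the host.

# Constructed sample of `semanage fcontext --list` output: regex, file type, context.
# The /var/www/html/bin line is the kind of rule `semanage fcontext -a` adds.
FCONTEXT_RULES='/var/www(/.*)?                    all files   system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?            all files   system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/bin(/.*)?           all files   system_u:object_r:httpd_sys_script_exec_t:s0
/var/lib/mysql(/.*)?              all files   system_u:object_r:mysqld_db_t:s0'

# Print the context the policy assigns to $1, or "<none>" if no rule matches.
# Precedence (assumption): longest literal prefix wins, later rule wins a tie.
fcontext_for_path() {
    printf '%s\n' "$FCONTEXT_RULES" | awk -v path="$1" '
        BEGIN { best = ""; best_len = -1 }
        NF >= 3 {
            regex = $1; ctx = $NF            # file-type column may contain spaces
            if (path ~ ("^(" regex ")$")) {
                stem = regex
                sub(/[[?*+|$^.(){}\\].*/, "", stem)   # literal prefix before first metachar
                if (length(stem) >= best_len) { best_len = length(stem); best = ctx }
            }
        }
        END { print (best == "" ? "<none>" : best) }'
}

# Extract the type field from a full context string (user:role:TYPE:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1 = the context a file currently has (the context column of `ls -Z`), $2 = its path.
# Prints "ok TYPE", "drift CURRENT->EXPECTED" (restorecon would change it), or
# "nopolicy TYPE" (no rule at all, so a hand-set label cannot be restored).
label_drift() {
    cur_type=$(selinux_type "$1")
    want=$(fcontext_for_path "$2")
    if [ "$want" = "<none>" ]; then
        printf 'nopolicy %s\n' "$cur_type"
    elif [ "$(selinux_type "$want")" = "$cur_type" ]; then
        printf 'ok %s\n' "$cur_type"
    else
        printf 'drift %s->%s\n' "$cur_type" "$(selinux_type "$want")"
    fi
}

# Demo: the hand-set unlabeled_t label on the CGI script does not survive restorecon,
# and a moved MySQL data directory has no rule until semanage fcontext adds one.
label_drift unconfined_u:object_r:unlabeled_t:s0 /var/www/cgi-bin/script.cgi
label_drift system_u:object_r:mysqld_db_t:s0 /data2/mysql/ibdata1
```

The second demo line is the reason to prefer `semanage fcontext -a` plus `restorecon` over a bare `chcon` for a relocated data directory: with no rule for /data2/mysql, the next full relabel has nothing to restore the mysqld_db_t label from.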

See the resulting SELinux errors (AVC denials) in the system journal with:

   $ journalctl -xe


Problem: Apache can't make outgoing network connections

By default, Apache running under SELinux cannot make outgoing network connections. This is controlled by SELinux boolean variables. Here are all of the ones that matter:

$ sudo semanage boolean -l |grep net | grep http
httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_network_connect_db   (on   ,   on)  Allow httpd to can network connect db
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler

You can enable outgoing connections (httpd_can_network_connect) and make the setting persist across reboots with:

$ sudo getsebool httpd_can_network_connect
httpd_can_network_connect --> off
$ sudo setsebool -P httpd_can_network_connect on
$ sudo getsebool httpd_can_network_connect
httpd_can_network_connect --> on
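The entries that `journalctl -xe` shows for the failures on this page are AVC records, and their fields (the denied permission, tclass, scontext and tcontext) say whether the fix is a boolean such as httpd_can_network_connect or a relabel. The script below is an added example, not code from this page: it parses three constructed AVC records in audit.log format and maps each to the remedy this page uses for that case. The mapping in `avc_hint` is an assumption limited to the httpd_t cases this page covers; `audit2why` gives the policy's own explanation for anything else.

```shell
#!/bin/sh
# Added example: summarise AVC denials and map each to the fix used on this page.
# Three constructed records in audit.log format (journalctl shows the same "avc:"
# line with a timestamp and "kernel:"/"audit:" prefix). Not taken from a real host.
AVC_SAMPLE='type=AVC msg=audit(1500000000.123:456): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000000.456:457): avc:  denied  { read } for  pid=2101 comm="httpd" name="script.cgi" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.789:458): avc:  denied  { execute } for  pid=2102 comm="httpd" name="script.cgi" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# One line per denial: comm permission tclass source_type target_type.
# Reads the records in $1 if given, else the constructed sample above.
avc_summary() {
    printf '%s\n' "${1:-$AVC_SAMPLE}" | awk '
        /avc: *denied/ {
            i1 = index($0, "{"); i2 = index($0, "}")
            perm = substr($0, i1 + 1, i2 - i1 - 1)
            gsub(/^ +| +$/, "", perm)
            gsub(/ /, ",", perm)              # "{ read open }" -> read,open
            comm = ""; sctx = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {       # walk the key=value fields
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                gsub(/"/, "", v)
                if (k == "comm") comm = v
                else if (k == "scontext") sctx = v
                else if (k == "tcontext") tctx = v
                else if (k == "tclass") tclass = v
            }
            split(sctx, s, ":"); split(tctx, t, ":")   # user:role:TYPE:level
            print comm, perm, tclass, s[3], t[3]
        }'
}

# Map one summary line to the remedy this page uses for that situation.
# Assumption: only the httpd_t cases described on this page are recognised.
avc_hint() {
    set -- $1
    perm=$2
    tclass=$3
    stype=$4
    ttype=$5
    [ "$stype" = "httpd_t" ] || { echo "inspect audit2why"; return; }
    case "$tclass $perm $ttype" in
        "tcp_socket name_connect "*)       echo "boolean httpd_can_network_connect" ;;
        "file execute httpd_sys_content_t"|"file execute httpd_sys_rw_content_t")
                                           echo "relabel httpd_sys_script_exec_t" ;;
        *" unlabeled_t"|*" default_t")     echo "relabel restorecon" ;;
        *" user_home_t")                   echo "boolean httpd_read_user_content" ;;
        *)                                 echo "inspect audit2why" ;;
    esac
}

# Summary and hint side by side, one line per denial.
avc_triage() {
    avc_summary "$1" | while IFS= read -r line; do
        printf '%s => %s\n' "$line" "$(avc_hint "$line")"
    done
}

avc_triage
```

On a real host, feed it the live records instead of the sample, for example `avc_triage "$(ausearch -m AVC -ts recent)"`; the first sample record is exactly the outgoing-connection denial that `setsebool -P httpd_can_network_connect on` clears.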

Problem: RHEL doesn't support PHP7.x

You want PHP7 to run mediawiki.


  1. Install httpd, httpd-devel and php
  2. Now download PHP7 and configure the source:
   ./configure --with-apxs2=/usr/bin/apxs --enable-mbstring --with-mysqli --with-openssl
  3. And let httpd scripts make outbound TCP connections:
   # setsebool -P httpd_can_network_connect 1

For running mediawiki, also see:

Problem: MySQL/MariaDB doesn't work after the data directory is moved


  1. Edit /etc/my.cnf and insert this:
# Disabling symbolic-links is recommended to prevent assorted security risks
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in


# include all files from the config directory
!includedir /etc/my.cnf.d

  2. chcon -R -t mysqld_db_t /data2/mysql /var/lib/mysql

Disabling SELinux

Don't do this. People will get angry.

  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'