Difference between revisions of "SELinux Notes"
| Line 21: | Line 21: | ||
If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security | If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security | ||
# | # Check the security context: | ||
ls -lZ /var/www/html/ | |||
# You can give the web server read/write access to the files with: | # You can give the web server read/write access to the files with: | ||
chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx | chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx | ||
==Problem: CGI scripts won't run.== | ==Problem: CGI scripts won't run.== | ||
Revision as of 11:52, 23 April 2019
SELinux is enabled by default on Centos 7 and on RHEL. It's a good thing to enable for internet-facing servers. It makes it far, far more complex to run a web server.
References:
- https://wiki.centos.org/HowTos/SELinux
- https://wiki.gentoo.org/wiki/SELinux/Tutorials/What_is_this_unconfined_thingie_and_tell_me_about_attributes
- https://stackoverflow.com/questions/5326531/php-warning-unknown-failed-to-open-stream
- https://wiki.centos.org/HowTos/SELinux
- https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-rhel-7/
Problem: apache can't access the files
sudo /sbin/restorecon -R /var/www
setsebool -P httpd_read_user_content 1
Running a web server:
If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security
- Check the security context:
ls -lZ /var/www/html/
- You can give the web server read/write access to the files with:
chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx
Problem: CGI scripts won't run.
In order to be able to execute a CGI script under SELinux, the script must be in the httpd_sys_rw_content_t security context. There are two ways to set the security context:
- The context can be manually set on a per-file basis with the _chcon_ command
- The context can be derrived from a selinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.
The RedHat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.
You can see the selinux policies that might possibly apply to cgi-bin with:
$ semanage fcontext --list | grep cgi-bin
You can explicitly the script the SELinux context cgi-bin directory with:
$ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi
You can take it away with:
$ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi
Check the file's SELinux attributes with `ls -laZ`:
$ ls -laZ /var/www/cgi-bin/script.cgi
Looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory within html executable:
$ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?" $ restorecon -R -v /var/www/html/bin
References:
Disabling SELinux
Don't do this. People will get angry.
- edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'
Problem: RHEL doesn't support PHP7.x
You want PHP7 to run mediawiki.
Solution:
- Install httpd, httpd-devel and php
- Now download PHP7
./configure --with-apxs2=/usr/bin/apxs --enable-mbstring --with-mysqli --with-openssl
- And let httpd scripts make outbound TCP connections:
# setsebool -P httpd_can_network_connect 1
For running mediawiki, also see:
