Difference between revisions of "SELinux Notes"

From Simson Garfinkel
Jump to navigationJump to search
(Created page with "References: * https://wiki.centos.org/HowTos/SELinux * https://wiki.gentoo.org/wiki/SELinux/Tutorials/What_is_this_unconfined_thingie_and_tell_me_about_attributes Running a...")
 
m
Line 1: Line 1:
SELinux is enabled by default on Centos 7 and on RHEL. It's a good thing to enable for internet-facing servers. It makes it far, far more complex to run a web server.
References:
References:


* https://wiki.centos.org/HowTos/SELinux
* https://wiki.centos.org/HowTos/SELinux
* https://wiki.gentoo.org/wiki/SELinux/Tutorials/What_is_this_unconfined_thingie_and_tell_me_about_attributes
* https://wiki.gentoo.org/wiki/SELinux/Tutorials/What_is_this_unconfined_thingie_and_tell_me_about_attributes
* https://stackoverflow.com/questions/5326531/php-warning-unknown-failed-to-open-stream
==Problem: apache can't access the files==
    sudo /sbin/restorecon -R /var/www
    setsebool -P httpd_read_user_content 1


Running a web server:
Running a web server:

Revision as of 08:22, 14 January 2018

SELinux is enabled by default on Centos 7 and on RHEL. It's a good thing to enable for internet-facing servers. It makes it far, far more complex to run a web server.


References:

Problem: apache can't access the files

   sudo /sbin/restorecon -R /var/www
   setsebool -P httpd_read_user_content 1

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Use ls -lZ /var/www/html/xxx to check the security context
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx


Disabling SELinux

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Permissive_Mode

  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'