Quick Primer: SELinux
Before you do whatever, see the troubleshooting section at the end of this article:
Use audit2why to identify the file that is causing the access problem.
Then use restorecon -v [filename, or wildcard] to relabel the file to the type that SELinux thinks is correct according to its rule set.
If this doesn’t work, then go about relabeling the files and creating a rule as detailed below. The above method (restorecon -v) is much safer than adjusting policies.
The following is a good explanation on SELinux, what it does and how to modify it: http://www.crypt.gen.nz/selinux/disable_selinux.html
    echo 1 > /selinux/enforce
    service httpd stop
    echo > /var/log/audit/audit.log
    service httpd start
    # here do the thing that SELinux stops
    cat /var/log/audit/audit.log | audit2why
    cat /var/log/audit/audit.log | audit2allow
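Before relabeling anything, it helps to see exactly which source type was denied which permission on which target type. The following shell example is added here and is not from the original post; it reduces AVC records from audit.log to that summary. The audit lines are constructed samples in the real AVC format, and the function names avc_summary and denied_objects_for are my own.

```shell
#!/bin/sh
# Added example: reduce AVC denials from audit.log to source type, target type,
# class, object and permissions, so the label problem is visible before relabeling.

# Constructed sample audit.log lines (not taken from a real system), shaped like real AVC records.
SAMPLE_AVC='type=AVC msg=audit(1418910250.235:61): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1418910250.235:61): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1418910251.001:62): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/redmine/config.ru" dev=dm-0 ino=12346 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Print one line per AVC denial read on stdin:
#   <source type> <target type> <class> <object name or path> <permissions>
# A context is user:role:type:level, so the type is the third colon-separated field.
avc_summary() {
  grep '^type=AVC ' | sed -nE \
    's/.*denied +[{] ([^}]*) [}] for +pid=[0-9]+ comm="[^"]*" (name|path)="([^"]*)".*scontext=[^:]+:[^:]+:([^:]+):[^ ]+ +tcontext=[^:]+:[^:]+:([^:]+):[^ ]+ +tclass=([a-z_]+).*/\4 \5 \6 \3 \1/p'
}

# Given avc_summary output on stdin, list the unique "<target type> <object>" pairs
# that one source type (e.g. httpd_t) was denied on: these are the objects to
# check with ls -Z and hand to restorecon.
denied_objects_for() {
  awk -v src="$1" '$1 == src { print $2, $4 }' | sort -u
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary | denied_objects_for httpd_t
```

On a live system, feed it with `avc_summary < /var/log/audit/audit.log` instead of the sample variable.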
Changing the SELinux policies to reflect proper access for httpd to the files
Referring to the SELinux write-up provided by CentOS, we’ll look at an example of changing SELinux policy.
ls -Z /var/www/redmine/
The files have been tagged with the following security context:
So only processes whose context is allowed to access the admin_home_t type can access them.
What is httpd’s context?
    service httpd start
    ps axZ | grep httpd
Looks to be:
So, admin_home_t is not a type that a process running in the httpd_t context is allowed to access.
What context type can a process with httpd_t access?
    touch /var/www/html/index.html
    ls -Z /var/www/html/
Thanks, SElinux, for labeling our files with your super intellect.
httpd_sys_content_t is a context type that a process running with httpd_t context can access.
Let’s change the context of the files and directories below /var/www/redmine/ so that the httpd process is actually allowed to access them:
chcon -Rv --type=httpd_sys_content_t /var/www/redmine/
Create an SELinux policy so that it maintains the security context, even after relabeling by our friendly SELinux:
    yum -y install policycoreutils-python
    # this takes a bit; policycoreutils should include the semanage binary, but apparently it does not
    semanage fcontext -a -t httpd_sys_content_t "/var/www/redmine(/.*)?"
    # this also takes a bit; the pattern is the absolute path, matching the chcon above, so a later relabel keeps the type
Now httpd should be able to access the files without an issue:
service httpd restart #error free!
This is also a good page, with references to sealert and setroubleshoot.
    getsebool -a # from libselinux-utils package
    seinfo -t # from setools-console package
List current permanent file context tagging:
    semanage fcontext -l # from policycoreutils-python package