Thursday, March 1, 2018


Priceless wiki

#disable DAC (must be root), will only log rule violations
setenforce 0
#enable it
setenforce 1

#display info
cat /etc/selinux/config

DAC and MAC (discretionary and mandatory access control). First DAC is applied, then MAC (if DAC succeeds).
#list user, role, type, level
ls -Z myfile

Access Vector Cache (AVC)

#view SELinux-Linux user mappings
semanage login -l

#view the SELinux context for processes
ps -eZ

#view SELinux context associated to your user
id -Z

#label a file with a type (transient)
chcon -t

#permanent relabeling of file

#restore default context for process

In Apache, if you get this:

[Tue Feb 27 14:11:52.105495 2018] [core:error] [pid 41356] (13)Permission denied: [client] AH00035: access to /index.html denied (filesystem path '/path/to/home') because search permissions are missing on a component of the path


ps -efZ | grep http

and check the httpd process, on which TYPE (httpd_t) it's running:

system_u:system_r:httpd_t:s0 root 37203 1 0 Feb28 ? 00:00:03 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 37206 37203 0 Feb28 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND

then you have to change the type of your file to be served

ls -Z /path/to/index.html
-rw-r--r--. admrun admrun unconfined_u:object_r:default_t:s0 /path/to/index.html

then you do

chcon -t httpd_t /path/to/index.html

if you get

chcon: failed to change context of "/path/to/myfile" to "˜unconfined_u:object_r:httpd_t:s": Permission denied

it's because httpd_t is a PROCESS type, not a FILE type ( see )

see here complete documentation of types

However it's better to change the context for the folder rather than for the individual files:

# semanage fcontext -a -t httpd_sys_content_t "/path/to(/.*)?"
# restorecon -R -v /path/to

see also "man semanage-fcontext" and

in Puppet (pueah) you can use and a clause like:

selinux::fcontext { '/path/to':
path => '/path/to(/.*)?',
setype => 'httpd_sys_content_t',

No comments: