Chapter 4. Configuring SELinux for applications and services with non-standard configurations
When SELinux is in enforcing mode, the default policy is the targeted policy. The following sections provide information on setting up and configuring the SELinux policy for various services after you change configuration defaults, such as ports, database locations, or file-system permissions for processes.
In the following procedures, you learn to change SELinux types for non-standard ports, to identify and fix incorrect labels for changes of default directories, and to adjust the policy using SELinux booleans.
4.1. Customizing the SELinux policy for the Apache HTTP server in a non-standard configuration
You can configure the Apache HTTP server to listen on a different port and to provide content in a non-default directory. To prevent consequent SELinux denials, follow the steps in this procedure to adjust your system’s SELinux policy.
httpdpackage is installed and the Apache HTTP server is configured to listen on TCP port 3131 and to use the
/var/test_www/directory instead of the default
setroubleshoot-serverpackages are installed on your system.
httpdservice and check the status:
# systemctl start httpd # systemctl status httpd ... httpd: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:3131 ... systemd: Failed to start The Apache HTTP Server. ...
The SELinux policy assumes that
httpdruns on port 80:
# semanage port -l | grep http http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 http_cache_port_t udp 3130 http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989
Change the SELinux type of port 3131 to match port 80:
# semanage port -a -t http_port_t -p tcp 3131
# systemctl start httpd
However, the content remains inaccessible:
# wget localhost:3131/index.html ... HTTP request sent, awaiting response... 403 Forbidden ...
Find the reason with the
# sealert -l "*" ... SELinux is preventing httpd from getattr access on the file /var/test_www/html/index.html. ...
Compare SELinux types for the standard and the new path using the
# matchpathcon /var/www/html /var/test_www/html /var/www/html system_u:object_r:httpd_sys_content_t:s0 /var/test_www/html system_u:object_r:var_t:s0
Change the SELinux type of the new
/var/test_www/html/content directory to the type of the default
# semanage fcontext -a -e /var/www /var/test_www
# restorecon -Rv /var/ ... Relabeled /var/test_www/html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0 Relabeled /var/test_www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Check that the
httpdservice is running:
# systemctl status httpd ... Active: active (running) ... systemd: Started The Apache HTTP Server. httpd: Server configured, listening on: port 3131 ...
Verify that the content provided by the Apache HTTP server is accessible:
# wget localhost:3131/index.html ... HTTP request sent, awaiting response... 200 OK Length: 0 [text/html] Saving to: ‘index.html’ ...
4.2. Adjusting the policy for sharing NFS and CIFS volumes using SELinux booleans
You can change parts of SELinux policy at runtime using booleans, even without any knowledge of SELinux policy writing. This enables changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. The following procedure demonstrates listing SELinux booleans and configuring them to achieve the required changes in the policy.
NFS mounts on the client side are labeled with a default context defined by a policy for NFS volumes. In RHEL, this default context uses the
nfs_t type. Also, Samba shares mounted on the client side are labeled with a default context defined by the policy. This default context uses the
cifs_t type. You can enable or disable booleans to control which services are allowed to access the
To allow the Apache HTTP server service (
httpd) to access and share NFS and CIFS volumes, perform the following steps:
Optionally, install the
selinux-policy-develpackage to obtain clearer and more detailed descriptions of SELinux booleans in the output of the
semanage boolean -lcommand.
Identify SELinux booleans relevant for NFS, CIFS, and Apache:
# semanage boolean -l | grep 'nfs\|cifs' | grep httpd httpd_use_cifs (off , off) Allow httpd to access cifs file systems httpd_use_nfs (off , off) Allow httpd to access nfs file systems
List the current state of the booleans:
$ getsebool -a | grep 'nfs\|cifs' | grep httpd httpd_use_cifs --> off httpd_use_nfs --> off
Enable the identified booleans:
# setsebool httpd_use_nfs on # setsebool httpd_use_cifs onNote
-Poption to make the changes persistent across restarts. A
setsebool -Pcommand requires a rebuild of the entire policy, and it might take some time depending on your configuration.
Check that the booleans are
$ getsebool -a | grep 'nfs\|cifs' | grep httpd httpd_use_cifs --> on httpd_use_nfs --> on
4.3. Additional resources
- See Troubleshooting problems related to SELinux for more details on identifying and analyzing SELinux denials.