Apache HTTPD Not Allowed to Access Folder
A security policy can be applied to a folder quickly to give an application the access it requires. In this example, I have the Apache httpd web server write its log to a non-standard folder, /var/www/log. On a SELinux-enabled Linux system, permission is configured to allow read and write only for folders in /var/www/html.
On CentOS Linux with SELinux enabled, the httpd server fails at startup with "Failed to start The Apache HTTP Server."
$ sudo systemctl stop httpd
$ sudo systemctl start httpd
$ sudo journalctl -xe
-- Unit httpd.service has begun starting up.
Jul 04 15:43:54 localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jul 04 15:43:54 localdomain kill[76313]: kill: cannot find process ""
Jul 04 15:43:54 localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
Jul 04 15:43:54 localdomain systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
The error does not specifically mention that it is SELinux-related, but after disabling SELinux the error is gone. Following are the permissions of the authorised folder /var/log and our custom folder.
The security context type should be var_log_t to allow system logging.
The chcon tool can copy the security context from the original folder as follows:
$ sudo chcon --reference /var/log /var/www/log
After restarting, the HTTPD server comes up without errors.
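As an added example that is not part of the original post, the following shell script checks whether /var/www/log already carries the same SELinux type as /var/log and, if not, prints the chcon fix together with the semanage fcontext and restorecon commands that make the label survive a relabel. The ls -dZ lines are constructed sample output, so the check runs on a host without SELinux.

```shell
#!/bin/bash
# Added example (not from the original post): compare the SELinux type of a
# custom log directory with that of a reference directory, and print the
# relabel commands when they differ. The `ls -dZ` lines below are constructed
# so the check runs on a host without SELinux; nothing is executed.

# Print the SELinux type (third part of user:role:type:level) from one line of
# `ls -dZ` output. Works for both the older CentOS 7 layout, which prefixes
# mode and owner, and the newer layout that prints just "context path".
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, p, ":") >= 3) { print p[3]; exit }
    }'
}

# Succeed (exit 0) when both lines carry the same type, fail otherwise.
context_matches() {
    [ "$(selinux_type_of "$1")" = "$(selinux_type_of "$2")" ]
}

# Emit the fix. chcon alone is a one-off relabel that restorecon or a full
# filesystem relabel will undo; recording the rule with semanage fcontext and
# then running restorecon makes the label persistent.
relabel_commands() {
    ref_dir=$1; custom_dir=$2; ref_type=$(selinux_type_of "$3")
    printf 'sudo chcon --reference %s %s\n' "$ref_dir" "$custom_dir"
    printf "sudo semanage fcontext -a -t %s '%s(/.*)?'\n" "$ref_type" "$custom_dir"
    printf 'sudo restorecon -Rv %s\n' "$custom_dir"
}

# Constructed sample output of `ls -dZ /var/log /var/www/log` before the fix.
REF_LINE='system_u:object_r:var_log_t:s0 /var/log'
CUSTOM_LINE='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/log'

if context_matches "$REF_LINE" "$CUSTOM_LINE"; then
    echo "/var/www/log already carries $(selinux_type_of "$REF_LINE")"
else
    echo "type mismatch: $(selinux_type_of "$CUSTOM_LINE") vs $(selinux_type_of "$REF_LINE")"
    relabel_commands /var/log /var/www/log "$REF_LINE"
fi
```

On a real host, replace the two constructed lines with the output of `ls -dZ /var/log /var/www/log` and review the printed commands before running them.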
Quick Command Reference
To complete this tutorial, here are a few common commands and brief notes from their man pages:
- audit2allow
- generate SELinux policy allow/dontaudit rules from logs of denied operations
- audit2why
- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
- ausearch
- ausearch is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with -m and -ui means return events that have both the requested type and match the user id given.
- getenforce
- reports whether SELinux is enforcing, permissive, or disabled.
- getsebool
- reports whether a particular SELinux boolean or all SELinux booleans are on or off.
- journalctl
- to query the contents of the systemd(1) journal as written by systemd-journald.service
- ls -Z
- Display security context so it fits on most displays. Displays only mode, user, group, security context and file name.
- ps auxZ
- report a snapshot of the current processes. Z displays security context.
- restorecon
- primarily used to set the security context (extended attributes) on one or more files.
- It can also be run at any other time to correct inconsistent labels, to add support for newly-installed policy or, by using the -n option, to passively check whether the file contexts are all set as specified by the active policy (default behavior).
- semanage
- SELinux Policy Management tool
- semodule
- manage SELinux policy modules, including installing, upgrading, listing and removing modules.
- sestatus
- get the status of a system running SELinux. It displays data about whether SELinux is enabled or disabled, location of key directories, and the loaded policy with its status
- setenforce
- Use Enforcing or 1 to put SELinux in enforcing mode.
- Use Permissive or 0 to put SELinux in permissive mode.
- setsebool
- sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
- If the -P option is given, all pending values are written to the policy file on disk. So they will be persistent across reboots.
- /etc/selinux/config
- the main SELinux configuration file; its SELINUX= line sets the mode (enforcing, permissive or disabled) applied at boot.