SeLinux for beginners

 

1) All files, directories and devices in RedHat has a security context and label associated with it. If you are running a system without the proper security context and label the system will display a Forbidden error message

2) It is encouraged for security reasons to have SELinux enabled, however if you do not want SELinux enabled and it is causing problems there are two main ways to disable it

a) If you want to disable SELinux temporarily while you resolve the SELinux problem but want to keep your website functioning in the meantime, below are the steps:


i) Getenforce (Command to show the state of SELinux)
Enforcing
ii) You cannot disable SELinux permanently without changing the configuration file and rebooting machine, so you need to put it in permissive mode (SeLinux prints warnings but rules not enforced so your website can work)
root@unassigned# setenforce 0
root@unassigned# getenforce
Permissive


b) To set it permanently to disable or permissive you need to edit the /etc/selinux/config file and reboot the machine.


#This file controls the state of SELinux on the system.
#SELINUX- can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing
# disabled – No SELinux policy is loaded
SELINUX=disable or permissive #Need to change this value to permissive or disabled, but only of those options and reboot the machine for it to take effect
#SELINUXTYPE = can take one of three two values:
# targeted – Targeted processes are protected,
# minimum – Modification of targeted policy. Only selected processes are protected
# mls – Multi Level Security protection
SELINUXTYPE=targeted

 

3) For this example, I have enable and have installed apache (yum install httpd) enabled Apache (systemctl start httpd and systemctl enable httpd (so it is enabled after reboot) and I have edited the /etc/conf/httpd.conf to change the home directory (DocumentRoot and Directory variables for apache from /var/www to /SELinux for a simple way to make those changes go to the sed KB article)

4) So I created the /SELinux folder on my server and an index.html file in that folder and made sure to restart apache

5) Now when I go to http:/myipaddress/index.hml, it shows as forbidden

6) The audit file with all the information about SELinux errors are located in: /var/log/audit/audit.log

7) You will notice if you cat /var/log/audit/audit.log | more, that the audit and error messages do not make sense and is not easy to read

8) So you need to install the SELinux troubleshooter package:
yum install setroubleshoot-server

9) Then you will want to analyze the data:
sealert –a /var/log/audit/audit.log > /Selinux.txt
This pipes it to a file you can look at later

10) So you will notice it gives 2 errors and suggestions:
   a) semanage fcontext –a –t FILE_TYPE ‘/SELinux/index.html’
   b) restorecon –v /SELinux/index.html

11) The initial question most people will ask is what is my FILE_TYPE.

12) If you run the command semanage fcontext –l, you will display all the FILE_TYPE’s on the system. But you just want to look for the File Type related to /var/www as this FILETYPE is the correct FILE_TYPE, as it is the original folder and location that Apache is supposed to run on

13) You will see the below line related to /var/www from the semanage fcontext -l
/var/www(/.*)? All files system_u:httpd_sys_content_t:s0 [httpd_sys_content_t is the FILE_TYPE in question]

14) So you will now need to run the below commands:
semanage fcontext –a –t httpd_sys_content_t ‘/SELinux(/.*)?’ #changes the File Type to httpd_sys_content_t
restorecon –RV /SELinux # Makes the new File Type take effect recursively on that folder

15) Then you will notice that your website is working