https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux
#switch SELinux to permissive mode (must be root): MAC rule violations are only logged, not enforced
setenforce 0
#switch back to enforcing mode
setenforce 1
#check the current mode
getenforce
#display SELinux status and policy info
sestatus
DAC and MAC (discretionary and mandatory access control): DAC (classic file permissions) is checked first; SELinux's MAC rules are consulted only if the DAC check succeeds.
#list user, role, type, level
ls -Z myfile
Access Vector Cache (AVC): the kernel cache of SELinux access decisions; denials show up as AVC messages in the audit log.
#view SELinux-Linux user mappings
semanage login -l
#view the SELinux context for processes
ps -eZ
#view SELinux context associated to your user
id -Z
#label a file with a type (transient: lost on a filesystem relabel)
chcon -t TYPE /path/to/file
#permanent relabeling: record the rule in policy, then apply it
semanage fcontext -a -t TYPE '/path/to/dir(/.*)?'
#restore the default file context defined by policy (for files, not processes)
restorecon -Rv /path/to/dir
In Apache, if you get this:
[Tue Feb 27 14:11:52.105495 2018] [core:error] [pid 41356] (13)Permission denied: [client 1.2.3.4:55713] AH00035: access to /index.html denied (filesystem path '/path/to/home') because search permissions are missing on a component of the path
try
ps -efZ | grep http
and check which TYPE the httpd process is running as (httpd_t):
system_u:system_r:httpd_t:s0 root 37203 1 0 Feb28 ? 00:00:03 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 37206 37203 0 Feb28 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
then you have to change the type of the file to be served; first look at its current context:
ls -Z /path/to/index.html
-rw-r--r--. admrun admrun unconfined_u:object_r:default_t:s0 /path/to/index.html
then you do
chcon -t httpd_t /path/to/index.html
if you get
chcon: failed to change context of "/path/to/myfile" to "unconfined_u:object_r:httpd_t:s": Permission denied
it's because httpd_t is a PROCESS (domain) type, not a FILE type (see http://danwalsh.livejournal.com/54803.html)
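Added example (not from the page): a small POSIX shell script that parses contexts as printed by ls -Z, checks whether the file type is one httpd_t can read, and emits the permanent relabel commands. It assumes the file type httpd_sys_content_t (the policy's type for static httpd content) and that semanage/restorecon exist on the target host.

```shell
#!/bin/sh
# Added example: inspect an SELinux file context and produce the permanent fix.
# Assumes httpd_sys_content_t as the target file type for web content.

# Third colon-separated field of user:role:type:level is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ls -Z prints: perms user group user:role:type:level path
context_from_ls() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Return 0 if the type is one httpd_t may read, 1 if the file needs relabeling.
# Constructed allow-list of the common httpd content types; extend as needed.
check_web_file() {
    t=$(context_type "$(context_from_ls "$1")")
    case "$t" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t)
            echo "ok: $t"; return 0 ;;
        *)  echo "needs relabel: $t (httpd_t cannot read it)"; return 1 ;;
    esac
}

# Print the two commands that relabel a path permanently: a policy rule
# (survives a full relabel, unlike chcon) plus applying it to the tree now.
relabel_commands() {
    path="$1"; type="${2:-httpd_sys_content_t}"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$path"
    printf 'restorecon -Rv %s\n' "$path"
}

# Constructed sample: the ls -Z line from the Apache scenario above.
SAMPLE='-rw-r--r--. admrun admrun unconfined_u:object_r:default_t:s0 /path/to/index.html'
check_web_file "$SAMPLE" || relabel_commands "$(printf '%s\n' "$SAMPLE" | awk '{ print $5 }')"
```

Run the printed commands as root on the web host; restorecon then relabels the tree to the type the policy rule records.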