11

I am new to SELinux; I came from Debian. I want to give httpd access to a directory.

SELinux Alert Browser suggests:

# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp 

I couldn't understand how this command works. I don't specify a directory path anywhere, so how does it know which directory to allow for httpd?

Previously I've used grep to extract text from output or a file. But here grep is being used on a process. That I didn't get.

Also, what is the actual solution if I want to give httpd write access to a directory?

Jeff Schaller
Neel Basu
    And to answer your other question, audit2allow reads the SELinux log file and writes a policy allowing anything that's been blocked; the directory name will be in the log message. By grepping for httpd you're limiting it a bit, but the method is still more broad than it should be. – miken32 Jun 23 '14 at 18:03
  • Relevant answer: https://unix.stackexchange.com/questions/511929/website-cannot-write-to-files-or-create-directories/582622#582622 – salah-1 Apr 26 '20 at 12:06

2 Answers

18

Here's how to permanently change the context of a directory:

# install semanage if you don't already have it. It'll be one of:
yum install policycoreutils-python
dnf install policycoreutils-python-utils

Give the directory a new default context. The part at the end is a regex.

semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/directory(/.*)?"

Apply the default context to the directory.

restorecon -R /path/to/directory

Here's some more documentation on the different contexts for httpd:

RHEL 8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/configuring-selinux-for-applications-and-services-with-non-standard-configurations_using-selinux#customizing-the-selinux-policy-for-the-apache-http-server-in-a-non-standard-configuration_configuring-selinux-for-applications-and-services-with-non-standard-configurations

RHEL 7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

RHEL 6: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

Greg
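The two commands in this answer wrapped in checked helper functions, as an added example (my code, not Greg's or Red Hat's). It assumes a RHEL-style host with policycoreutils (semanage, restorecon) and libselinux-utils (matchpathcon); the pattern-building helper is pure string handling and runs anywhere, the others skip themselves when the tools are missing. It goes slightly beyond the answer by covering both the read-only and the read-write httpd types and by checking afterwards that the on-disk label matches policy, which is the test that distinguishes a persistent semanage rule from a one-off chcon that the next relabel would undo.

```shell
#!/bin/sh
# Added example, not part of the original answer. Wraps the semanage/restorecon
# procedure above in checked helper functions. Assumes a RHEL-style host with
# policycoreutils (semanage, restorecon) and libselinux-utils (matchpathcon);
# the pure-string helper runs anywhere, the others skip when tools are missing.

# Build the file-context pattern semanage expects for a directory tree:
# strip trailing slashes (a pattern ending in "/" would never match the
# directory entry itself), escape regex metacharacters in the literal path,
# then append the "(/.*)?" tail that also covers everything below it.
fcontext_pattern() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    [ -n "$dir" ] || dir=/
    escaped=$(printf '%s' "$dir" | sed 's/[][*.^$+?(){}|\\]/\\&/g')
    printf '%s(/.*)?' "$escaped"
}

# Persistently label a tree for httpd: ro = httpd_sys_content_t (serve only),
# rw = httpd_sys_rw_content_t (httpd may also create/modify files there).
# Usage: label_for_httpd /path/to/dir [ro|rw]
label_for_httpd() {
    dir=$1; mode=${2:-ro}
    case "$mode" in
        ro) type=httpd_sys_content_t ;;
        rw) type=httpd_sys_rw_content_t ;;
        *)  echo "label_for_httpd: mode must be ro or rw" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "label_for_httpd: $dir is not a directory" >&2; return 2; }
    pattern=$(fcontext_pattern "$dir")
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; would run: semanage fcontext -a -t $type '$pattern'" >&2
        return 1
    fi
    # -a fails if a rule for this pattern already exists; fall back to -m (modify).
    semanage fcontext -a -t "$type" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$type" "$pattern" || return 1
    # Apply the new default to what is already on disk.
    restorecon -Rv "$dir"
}

# Check whether the on-disk label of a path matches what policy now says it
# should be (i.e. whether restorecon has been applied). 0 = match, 1 = drift
# or tools unavailable.
label_matches_policy() {
    command -v matchpathcon >/dev/null 2>&1 || return 1
    expected=$(matchpathcon -n "$1")   # context policy assigns to this path
    actual=$(stat -c %C "$1")          # context currently stored on disk
    [ "$expected" = "$actual" ]
}
```

Typical use is `label_for_httpd /srv/www/uploads rw` followed by `label_matches_policy /srv/www/uploads`; `semanage fcontext -l | grep '^/srv/www/uploads'` shows the rule that was recorded. Use rw only for the subtree httpd genuinely has to write to (uploads, caches), and keep the rest at the read-only type.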
6

SELinux makes use of extended attributes that can be appended to the directory structures on the disk. Think of these as metadata; Access Control Lists (ACLs) are another example.

The extended attributes that you need to append to a directory are called contexts and SELinux acts like a traffic cop, making sure that an executable that has certain contexts is allowed to access the filesystem based on these contexts. You can see what's available on the directory using the -Z switch to ls.

$ sudo ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

Here you can see the contexts on these directories: the cgi-bin dir. has httpd_sys_script_exec_t:s0 and the html dir. has httpd_sys_content_t:s0.

You can add these using the chcon command:

$ sudo chcon -t httpd_sys_content_t public_html

The command you're asking about will simply load the module mypol.pp. I do not believe it will grant any permissions to anything; there are likely more messages in the audit.log that you're missing with your command, which will tell you in more detail what you need to do to allow access.

I'd encourage you to take some time and familiarize yourself with SELinux. It's confusing at first but is generally straightforward, after spending a little time with it. See the resources below to get you started.

References

slm
  • Thanks. I'll go through them. But can you tell me for now what I need to do to give write access to this directory ? – Neel Basu Feb 23 '14 at 18:32
  • If it's content that you want Apache to read you likely need to add this context to the dir: chcon -R -t httpd_sys_content_t <dir> – slm Feb 23 '14 at 18:42
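To make concrete what this answer (and miken32's comment above) say about the audit log, here is an added example of my own, not from the answer or from the audit2allow project: it reads AVC denial records in audit.log format, summarises who was denied what on which object, and classifies each denial as a labeling problem, a boolean, or something that would actually need policy. That is the check worth doing before `audit2allow` turns a mislabeled directory into a rule letting httpd_t write to a generic type. The three records are constructed for illustration, not real log data; the field names (scontext, tcontext, tclass, name, path, dest) are the real AVC record fields.

```shell
#!/bin/sh
# Added example, not part of the original answer. Parses AVC denial records
# from audit.log and classifies each one, so you can see what audit2allow
# would be allowing before loading a module. The sample records below are
# constructed for illustration, not real log data.

SAMPLE_AVC='type=AVC msg=audit(1393178522.411:1337): avc:  denied  { write } for  pid=2891 comm="httpd" name="uploads" dev="dm-0" ino=131077 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1393178530.002:1338): avc:  denied  { name_connect } for  pid=2891 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1393178522.411:1337): arch=c000003e syscall=83 success=no exit=-13 ppid=2880 pid=2891 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# Read audit records on stdin; print one line per AVC denial:
#   <source type> <permission(s)> <class> <target type> <object>
# Multiple permissions in one record are joined with commas.
avc_summary() {
    awk '
    /^type=AVC/ && /denied/ {
        perm = ""; obj = "?"; stype = ""; ttype = ""; tclass = ""
        # the "{ write }" group names the permission(s) that were denied
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) {
            split(f[i], kv, "=")
            # the type is the third colon-separated field of a context
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass") tclass = kv[2]
            # the object: full path when present, else the name or port
            if (kv[1] == "path" || kv[1] == "name" || kv[1] == "dest") {
                obj = kv[2]; gsub(/"/, "", obj)
            }
        }
        print stype, perm, tclass, ttype, obj
    }'
}

# Classify one summary line from avc_summary:
#   relabel - denied on a file/dir whose type is not an httpd_* type: fix the
#             label (semanage fcontext + restorecon) instead of writing policy
#   boolean - network access to a port type is governed by an httpd boolean
#             (getsebool -a | grep httpd), not by a custom module
#   policy  - anything else; only then consider audit2allow, and read the
#             generated .te file before loading it
classify_denial() {
    set -- $1
    tclass=$3; ttype=$4
    case "$tclass" in
        file|dir|lnk_file|sock_file|fifo_file)
            case "$ttype" in
                httpd_*) echo policy ;;
                *)       echo relabel ;;
            esac ;;
        tcp_socket|udp_socket)
            case "$ttype" in
                *_port_t) echo boolean ;;
                *)        echo policy ;;
            esac ;;
        *) echo policy ;;
    esac
}

# Stand-alone demo: summarise the sample records and classify each one.
printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r line; do
    printf '%-8s %s\n' "$(classify_denial "$line")" "$line"
done
```

Against a real system the same pipeline is `grep '^type=AVC' /var/log/audit/audit.log | avc_summary`, which is also what answers the "how does it know the directory" part of the question: audit2allow never needs a path from you because the object (here `name="uploads"`, type `var_t`) is already in each denial record. The first sample denial is the case this thread is about, and its correct fix is the relabel in the other answer; the second is a port connection that a boolean covers.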