Can’t make SELinux context types permanent with semanage

rhel6selinux

I created a new folder at /modevasive to hold my mod_evasive scripts and for the Log Directory. I'm trying to change the context type to httpd_sys_content_t so Apache can write to the folder. I did semanage fcontext -a -t "httpd_sys_content_t" /modevasive to change the context and then restorecon -v /modevasive to enable the change, but restorecon didn't do anything. So I used chcon to change it manually, did the restorecon to see what would happen and it changed it back to default_t.

semanage fcontext -l gives:

/modevasive/          all files          system_u:object_r:httpd_sys_content_t:s0`

And looking at /etc/selinux/targeted/contexts/files/file_contexts.local gives

 /modevasive/    system_u:object_r:httpd_sys_content_t:s0

So why does restorecon keep setting it back to default_t?

Best Answer

Well, I reached out to RedHat support and this was the answer I got.

He had me do the same steps, except for in the first semanage command, he has me do "/modevasive(/.*)?" instead of just "/modevasive". I haven't got an explanation why, but that solved the problem for me.

Related Solutions

Lighttpd fails with 403 – Forbidden with SELinux enabled

You appear to be using a Samba share to store your web content. If you want SELinux to allow your web server to read files on Samba shares, you need to set the appropriate boolean. For instance:

setsebool -P httpd_use_cifs 1

Php – How to use SELinux to confine PHP scripts

The best way to acheive this level of seperation is to not use type transitions but category / MCS transitions. This acts a little like the svirt implementation in the libvirt KVM stuff.

OK, the first thing you're going to need to do is download a httpd module called mod_selinux. Its been floating around in the fedora repos for quite some time, but has never really made it into the EL6 systems unfortunately.

In any case, you can rebuild the package from fedora sources. I did this on a fedora machine but you can just download the same package from a mirror. I used F16 as a base as it runs httpd-2.2.

yumdownloader --source mod_selinux --releaserver=16
...
mod_selinux-2.2.2454-3.fc15.src.rpm                        |  23 kB   00:00

Then when downloaded, rebuild on your EL6 box.

rpmbuild --rebuild mod_selinux-2.2.2454-3.fc15.src.rpm
...
Wrote: /home/build/rpmbuild/RPMS/x86_64/mod_selinux-2.2.2454-3.el6.x86_64.rpm

Finally install the module.

rpm -i /home/build/rpmbuild/RPMS/x86_64/mod_selinux-2.2.2454-3.el6.x86_64.rpm

The RPM installs a module for httpd which you'll need and also a policy for httpd which is also necessary for this to run.

The file for this module is installed in /etc/httpd/conf.d/mod_selinux.conf.

The first stage in this process is to increase the number of categories that the main httpd process runs as, so that it can produce child threads that span the correct range. In the file change:

selinuxServerDomain     *:s0

selinuxServerDomain     *:s0-s0:c0.c1023

Now, you must assign each virtual host in apache a category. This is done by adding a line such as in the example below called selinuxDomainVal.

<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/host1
    ServerName host1.virtual
    selinuxDomainVal *:s0:c0
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/host2
    ServerName host2.virtual
    selinuxDomainVal *:s0:c1
</VirtualHost>

Next, in the document root for each host, relabel their document roots to the same category as the ones labelled in the httpd config.

chcon -R -l s0:c0 /var/www/vhosts/host1
chcon -R -l s0:c1 /var/www/vhosts/host2

If you want to make the labelling get honoured if you do a system relabel, you'd better update the local policy too!

semanage fcontext -a -t httpd_sys_content_t -r s0-s0:c0 '/var/www/vhosts/host1(/.*)?'
semanage fcontext -a -t httpd_sys_content_t -r s0-s0:c1 '/var/www/vhosts/host2(/.*)?'

And thats it! Its impossible to leave your document root and go exploring in others now.

Best Answer

Related Solutions

Lighttpd fails with 403 – Forbidden with SELinux enabled

Php – How to use SELinux to confine PHP scripts

Related Topic