I have two machines running the same JBoss and HTTPD setup. They started from the exact same install of RedHat 7 and the same process was followed to install everything on both machines.
On one machine, everything works perfectly fine with SELinux running with the default settings. I never touched SELinux on it.
On the other machine, when I try to access it in a web browser, I get 403 forbidden error messages. When I searched around online for why, I found a suggestion that I should disable SELinux on it and see if it works then. So I ran setenforce 0, restarted jboss and httpd, refreshed my browser, and the forbidden message went away, everything worked again. I flip SELinux back on with setenforce 1, restart the applications, refresh the browser, and the forbidden message is back.
So on my second machine, there definitely seems to somehow be something wrong with SELinux. It's weird, because I didn't touch SELinux on either machine until I tried turning it off on the second. I've verified that on the first machine, when I run getenforce, it does return Enforcing.
My question is – how can I view the SELinux configurations on each machine? How can I compare them, to find out where the differences are between them, and edit or copy them so that I can run SELinux on the second machine without interfering with my apps, just like on my first machine?
Edit – I ran this command to search the audit logs:
cat /var/log/audit/audit.log | grep httpd | grep denied
The first line is repeated several times. The last two lines only showed up once at the very end.
type=AVC msg=audit(1468877854.297:22110): avc: denied { getattr } for pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc: denied { read } for pid=5193 comm="httpd" name="index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc: denied { open } for pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
I don't see any similar messages on the machine where SELinux is running without improperly blocking the page. Both machines have the same permission flags set for /var, /var/www, /var/www/html, /var/www/html/sfo, and /var/www/html/sfo/index.htm. All the directories have drwxr-xr-x, the index.htm file has -rw-r--r--. All are owned by user root and group root. md5sum says /etc/sudoers are identical. Nothing is in /etc/sudoers.d on either machine.
Both machines have the same output for getsebool -a | grep httpd:
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
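The three AVC records above carry everything needed to read the denial: the source type (httpd_t, the Apache domain), the target type (var_t, the generic type the file carries), the object class, and the permissions refused. The following is an added example, not code from the question or any answer, that parses lines of that form, collapses the repeats the poster mentions into one entry per object, and flags objects under the web root whose type does not begin with httpd_. The sample log text is constructed from the records quoted above plus two extra records (a SYSCALL line and a denial for a different process) to show filtering; the "type does not start with httpd_" rule is a heuristic assumed by this example, not a rule from the SELinux policy.

```python
import re

# Constructed sample input: the three AVC records quoted in the question, plus
# one non-AVC record and one denial for a different process (both constructed
# here) to show that they are filtered out. Not output from any real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1468877854.297:22110): avc: denied { getattr } for pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc: denied { read } for pid=5193 comm="httpd" name="index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc: denied { open } for pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1468877854.297:22111): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1468877900.000:22200): avc: denied { read } for pid=9999 comm="cron" name="example" dev="dm-0" ino=1 scontext=system_u:system_r:crond_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC\b.*?avc: +denied +\{(?P<perms>[^}]*)\} +for +(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; policy rules key on the type field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize_denials(log_text, comm='httpd'):
    """Collapse repeated denials into one entry per (source type, target type,
    class, device, inode), accumulating the denied permissions and every
    path/name string seen for that object."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('comm') != comm:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'], rec.get('dev'), rec.get('ino'))
        g = groups.setdefault(key, {'perms': set(), 'paths': set()})
        g['perms'].update(rec['perms'])
        for field in ('path', 'name'):
            if field in rec:
                g['paths'].add(rec[field])
    return groups


def suspect_labels(groups, webroot='/var/www/html', content_prefix='httpd_'):
    """Heuristic assumed by this example (not a policy rule): an object under
    the web root that httpd_t was denied access to, whose type does not begin
    with httpd_, is a likely relabelling candidate."""
    findings = []
    for (stype, ttype, tclass, dev, ino), g in groups.items():
        if stype != 'httpd_t' or ttype.startswith(content_prefix):
            continue
        for path in g['paths']:
            if path.startswith(webroot + '/'):
                findings.append((path, ttype, sorted(g['perms'])))
    return sorted(findings)


if __name__ == '__main__':
    groups = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, g in groups.items():
        print(key, sorted(g['perms']), sorted(g['paths']))
    for path, ttype, perms in suspect_labels(groups):
        print(f'{path}: labelled {ttype}, httpd_t denied {" ".join(perms)}')
```

On a real host the same functions can be fed the output of `grep httpd /var/log/audit/audit.log`; grouping by device and inode rather than by path is what keeps the `name="index.htm"` record together with the two `path=` records for the same file.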
Best Answer
With SELinux the filesystem has extra "permissions" above and beyond the regular UNIX ones. If you were to run ls -Z ... (-Z is an SELinux extension to ls(1)) on files under /var/www/html across both machines I suspect you will see the following:
On server A:
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html/
On server B:
drwxr-xr-x root root system_u:object_r:var_t /var/www/html/
etc.
On server A this is labelled correctly for Apache to read that directory with SELinux active. On server B the directory isn't labelled correctly for Apache to read it while SELinux is active.
In order to fix it, try first running
restorecon -Rvn /var/www/
which will show you how the filesystem would be changed to match the currently-running SELinux policy. If that looks sane, remove the -n flag and re-run. There's also a helpful httpd_selinux(8) manpage that documents SELinux with regards to Apache.
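The answer's diagnosis rests on comparing ls -Z output from the two servers. As an added example (not part of the answer), the code below parses listings in the form the answer shows, keys them by path, and reports every path whose SELinux type differs between the two hosts, so the comparison the question asks for can be done on two saved listings rather than by eye. The two listings are constructed to match the answer's server A / server B scenario; the context field is located by shape (user:role:type with an optional level), so lines with or without the trailing :s0 both parse.

```python
import re

# Constructed sample listings in the four-column form shown in the answer
# (mode owner group context path). Server A is labelled for Apache, server B
# carries the generic var_t type on the same paths. Not real output.
SERVER_A = """\
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/sfo/
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/sfo/index.htm
"""
SERVER_B = """\
drwxr-xr-x root root system_u:object_r:var_t /var/www/html/
drwxr-xr-x root root unconfined_u:object_r:var_t:s0 /var/www/html/sfo/
-rw-r--r-- root root unconfined_u:object_r:var_t:s0 /var/www/html/sfo/index.htm
"""

# user:role:type with an optional level; the level may itself contain colons.
CONTEXT_RE = re.compile(r'^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)(?::(?P<level>\S+))?$')


def parse_ls_z(text):
    """Map each listed path to its SELinux type. The context is found by shape
    among all but the last field, the path is the last field, and trailing
    slashes are normalised so directories compare equal across hosts."""
    types = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        ctx = None
        for field in fields[:-1]:
            ctx = CONTEXT_RE.match(field)
            if ctx:
                break
        if ctx is None:
            continue
        path = fields[-1].rstrip('/') or '/'
        types[path] = ctx.group('type')
    return types


def diff_types(a, b):
    """Paths whose type differs between two hosts (None marks a path listed
    on only one side), sorted for stable output."""
    diffs = []
    for path in sorted(set(a) | set(b)):
        ta, tb = a.get(path), b.get(path)
        if ta != tb:
            diffs.append((path, ta, tb))
    return diffs


if __name__ == '__main__':
    a, b = parse_ls_z(SERVER_A), parse_ls_z(SERVER_B)
    for path, ta, tb in diff_types(a, b):
        print(f'{path}: server A {ta}, server B {tb}')
```

The listings themselves are the saved output of ls -Z on each host; once the differing paths are known, the restorecon -Rvn preview the answer recommends shows whether the policy's file contexts agree with the correctly labelled host before anything is changed.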