SELinux httpd write access to a directory


Solution 1

Here's how to permanently change the context of a directory:

# install semanage if you don't already have it. It'll be one of:
yum install policycoreutils-python
dnf install policycoreutils-python-utils

# give the directory a new default context. The part at the end is a regex.
semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/directory(/.*)?"

# apply the default context to the directory
restorecon -R /path/to/directory

Here's some more documentation on the different contexts for httpd:

RHEL 8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/configuring-selinux-for-applications-and-services-with-non-standard-configurations_using-selinux#customizing-the-selinux-policy-for-the-apache-http-server-in-a-non-standard-configuration_configuring-selinux-for-applications-and-services-with-non-standard-configurations

RHEL 7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

RHEL 6: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

Solution 2

SELinux makes use of extended attributes that can be appended to the directory structures on the disk. Think of these as metadata; Access Control Lists (ACLs) are another example.

The extended attributes that you need to append to a directory are called contexts and SELinux acts like a traffic cop, making sure that an executable that has certain contexts is allowed to access the filesystem based on these contexts. You can see what's available on the directory using the -Z switch to ls.

$ sudo ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

Here you can see that the cgi-bin dir. has the context httpd_sys_script_exec_t:s0 and the html dir. has httpd_sys_content_t:s0.

You can add these using the chcon command:

$ sudo chcon -t httpd_sys_content_t public_html

The command you're asking about will simply load the module mypol.pp. I do not believe it will grant any permissions to anything; there are likely more messages in the audit.log that you're missing with your command, which will tell you in more detail what you need to do to allow access.

I'd encourage you to take some time and familiarize yourself with SELinux. It's confusing at first but is generally straightforward, after spending a little time with it. See the resources below to get you started.
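To make concrete what audit2allow is working from, and why the file-context rule in Solution 1 is the narrower fix, here is an added example (mine, not code from either answer or from the original poster) that parses AVC denial records the way a practitioner would before choosing between a label change, a boolean, or a custom module. grep reads the audit.log file, not a process; it simply keeps every line containing "httpd", including SYSCALL records and lines whose only "httpd" is in a type name, and audit2allow then turns every AVC denial it is fed into an allow rule. The audit lines below are constructed; the helper names (parse_avc_denials, recommend, plan) and the permission-to-type mapping are my assumptions, while the three httpd content types and the httpd_can_network_connect_db boolean are real policy names.

```python
"""Added example (not from the original answers): turn httpd AVC denials from
audit.log into the narrow fix (a file-context rule or a boolean) instead of the
blanket allow-rule that `audit2allow -M mypol` would generate.

The log text below is constructed for this example; PIDs, inodes, timestamps
and paths are invented.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="uploads" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 pid=1234 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { append } for  pid=1234 comm="httpd" path="/var/www/app/log/app.log" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=2222 comm="sshd" path="/etc/shadow" dev="dm-0" ino=1003 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Only AVC records carry the denial; SYSCALL/PATH records of the same event share its serial.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?"
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r' path="([^"]*)"')   # full path, when the kernel logged one
NAME_RE = re.compile(r' name="([^"]*)"')   # otherwise only the object's basename

# Permissions that need a read/write label rather than read-only (assumed mapping).
WRITE_PERMS = frozenset({"write", "create", "unlink", "link", "rename", "setattr",
                         "add_name", "remove_name", "rmdir"})
FILE_CLASSES = frozenset({"file", "dir", "lnk_file"})


@dataclass(frozen=True)
class Denial:
    serial: int
    perms: frozenset
    comm: str
    source_type: str
    target_type: str
    tclass: str
    path: Optional[str]
    name: Optional[str]


def parse_avc_denials(log_text: str) -> List[Denial]:
    """Extract AVC denial records; every other record type is skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        path, name = PATH_RE.search(line), NAME_RE.search(line)
        denials.append(Denial(
            serial=int(m["serial"]),
            perms=frozenset(m["perms"].split()),
            comm=m["comm"],
            source_type=m["scontext"].split(":")[2],   # user:role:TYPE:level
            target_type=m["tcontext"].split(":")[2],
            tclass=m["tclass"],
            path=path.group(1) if path else None,
            name=name.group(1) if name else None,
        ))
    return denials


def content_type_for(perms: frozenset) -> str:
    """Least-privileged httpd content label that satisfies the denied permissions."""
    if perms & WRITE_PERMS:
        return "httpd_sys_rw_content_t"   # read/write
    if "append" in perms:
        return "httpd_sys_ra_content_t"   # read/append (log files)
    return "httpd_sys_content_t"          # read-only


def recommend(d: Denial) -> Optional[str]:
    """One shell command (or instruction) per httpd denial; None for other domains."""
    if d.source_type != "httpd_t":
        return None
    if d.tclass in FILE_CLASSES:
        new_type = content_type_for(d.perms)
        if d.path is None:
            # Only a basename was logged; the PATH record of the same serial has the
            # full path, and `ausearch -i` prints the whole event together.
            return (f'# name="{d.name}" has no full path in the AVC record; run: '
                    f"ausearch -m AVC -c httpd -i  # then label that directory {new_type}")
        directory = d.path if d.tclass == "dir" else os.path.dirname(d.path)
        return (f'semanage fcontext -a -t {new_type} "{directory}(/.*)?" && '
                f"restorecon -Rv {directory}")
    if d.tclass == "tcp_socket" and d.target_type in {"mysqld_port_t", "postgresql_port_t"}:
        return "setsebool -P httpd_can_network_connect_db on"
    return f"# no label/boolean fix known here; inspect with audit2why (serial {d.serial})"


def plan(log_text: str) -> List[Tuple[int, str]]:
    """(serial, fix) pairs for every httpd denial in the log text."""
    out = []
    for d in parse_avc_denials(log_text):
        rec = recommend(d)
        if rec is not None:
            out.append((d.serial, rec))
    return out


if __name__ == "__main__":
    for serial, cmd in plan(SAMPLE_AUDIT_LOG):
        print(f"{serial}: {cmd}")
```

Run against the constructed log, the sshd denial is dropped, the write denial on a bare name="uploads" is flagged as needing the full path from the PATH record, the append denial on the log file becomes a semanage/restorecon pair with the read/append type rather than full read/write, and the MySQL connect denial becomes a boolean. audit2allow, by contrast, would have written one custom allow rule for each of those, including the sshd one if the grep had not filtered it.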

References

Author: rslemos

I am a PhD student at Jadavpur University, Department of Computer Science and Engineering. My current research interests include Resource Management, Optimization, Sensor Cloud Infrastructure. I have previously worked at School of Cultural Text and Records, Jadavpur University for developing Text Collation Engine.

Updated on September 18, 2022

Comments

  • rslemos
    rslemos about 1 year

    I am new to SELinux; I came from Debian. I want to give httpd access to a directory.

    SELinux Alert Browser suggests:

    # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp 
    

    I couldn't understand how this command works. I don't specify a directory path anywhere, so how does it know which directory to allow for httpd?

    Previously I've used grep to extract text from output or file. But here grep is being used on a process. That I didn't get.

    Also, what is the actual solution if I want to give httpd write access to a directory?

    • miken32
      miken32 over 9 years
      And to answer your other question, audit2allow reads the SELinux log file and writes a policy allowing anything that's been blocked; the directory name will be in the log message. By grepping for httpd you're limiting it a bit, but the method is still more broad than it should be.
  • rslemos
    rslemos over 9 years
    Thanks. I'll go through them. But can you tell me for now what I need to do to give write access to this directory?
  • slm
    slm over 9 years
    If it's content that you want Apache to read you likely need to add this context to the dir: chcon -R -t httpd_sys_content_t <dir>
  • Sir_Faenor
    Sir_Faenor over 6 years
    Perfect!! Worked for me in Fedora 26; policycoreutils-python was already installed by default.