SELinux httpd write access to a directory
Solution 1
Here's how to permanently change the context of a directory:
# install semanage if you don't already have it. It'll be one of:
yum install policycoreutils-python
dnf install policycoreutils-python-utils
# give the directory a new default context. The part at the end is a regex.
semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/directory(/.*)?"
# apply the default context to the directory
restorecon -R /path/to/directory
Here's some more documentation on the different contexts for httpd:
Solution 2
SELinux makes use of extended attributes that can be appended to the directory structures on the disk. Think of these as metadata; Access Control Lists (ACLs) are another.
The extended attributes that you need to append to a directory are called contexts and SELinux acts like a traffic cop, making sure that an executable that has certain contexts is allowed to access the filesystem based on these contexts. You can see what's available on the directory using the -Z switch to ls.
$ sudo ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
Here you can see that these directories have the context httpd_sys_script_exec_t:s0 on the cgi-bin dir, and the html dir has httpd_sys_content_t:s0.
You can add these using the chcon command:
$ sudo chcon -t httpd_sys_content_t public_html
The command you're asking about will simply load the module mypol.pp. I do not believe it will grant any permissions to anything; there are likely more messages in the audit.log that you're missing with your command, which will tell you in more detail what you need to do to allow access.
I'd encourage you to take some time and familiarize yourself with SELinux. It's confusing at first but is generally straightforward, after spending a little time with it. See the resources below to get you started.
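As an added example that is not part of either answer above: a small POSIX shell helper that reads the type out of the `ls -Z` listing shown in Solution 2, reports what httpd may do with each directory under the default targeted policy, and applies the persistent `semanage fcontext` + `restorecon` relabel from Solution 1 (instead of loading a broad audit2allow module). The sample listing, the `uploads` directory and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answers.

# Extract the SELinux type (third colon-separated component) from one line of
# `ls -Z` or `ls -lZ` output by locating the user:role:type:level field.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# What httpd may do with a directory of the given type (targeted policy).
httpd_access_for_type() {
    case "$1" in
        httpd_sys_rw_content_t)  echo "read-write" ;;
        httpd_sys_content_t)     echo "read-only" ;;
        httpd_sys_script_exec_t) echo "execute (CGI), not write" ;;
        *)                       echo "not an httpd content type" ;;
    esac
}

# Persistently label a directory writable for httpd, then verify the label.
# Needs root plus semanage/restorecon (Solution 1). Not exercised by the test.
label_httpd_rw_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    pat="${dir}(/.*)?"   # (/.*)? makes the rule cover everything beneath $dir
    # -a fails if an equivalent rule already exists; fall back to modifying it
    semanage fcontext -a -t httpd_sys_rw_content_t "$pat" 2>/dev/null \
        || semanage fcontext -m -t httpd_sys_rw_content_t "$pat" || return 1
    restorecon -Rv "$dir" || return 1
    t=$(selinux_type_of "$(ls -dZ "$dir")")
    [ "$t" = httpd_sys_rw_content_t ] || { echo "label not applied: $t" >&2; return 1; }
}

# Constructed sample of `ls -lZ /var/www` output (uploads/ is invented).
SAMPLE_LS='drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxrwxr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads'

# One line per directory: name, SELinux type, what httpd may do there.
report_httpd_access() {
    printf '%s\n' "$SAMPLE_LS" | while IFS= read -r line; do
        t=$(selinux_type_of "$line")
        printf '%s\t%s\t%s\n' "${line##* }" "$t" "$(httpd_access_for_type "$t")"
    done
}
```

Run `report_httpd_access` to see the classification, and `label_httpd_rw_dir /path/to/directory` as root to relabel; the report is the check to make before reaching for audit2allow, since a directory labelled httpd_sys_content_t is read-only for httpd by design.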
rslemos
Updated on September 18, 2022
Comments
-
rslemos about 1 year
I am new to SELinux, came from Debian. I want to give httpd access to a directory. SELinux Alert Browser suggests:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
I couldn't understand how this command works. I don't specify a directory path anywhere. How does it know which directory to allow for httpd?
Previously I've used grep to extract text from output or a file. But here grep is being used on a process. That I didn't get.
Also, what is the actual solution if I want to give httpd write access to a directory?
-
miken32 over 9 years
And to answer your other question, audit2allow reads the SELinux log file and writes a policy allowing anything that's been blocked; the directory name will be in the log message. By grepping for httpd you're limiting it a bit, but the method is still more broad than it should be.
-
salah-1 over 3 years
Relevant answer: unix.stackexchange.com/questions/511929/…
-
rslemos over 9 years
Thanks. I'll go through them. But can you tell me for now what I need to do to give write access to this directory?
-
slm over 9 years
If it's content that you want Apache to read you likely need to add this context to the dir:
chcon -R -t httpd_sys_content_t <dir>
-
Sir_Faenor over 6 years
Perfect!! Worked for me in Fedora 26; policycoreutils-python was already installed by default.