SELinux and Apache.

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 423
Joined: 2014/11/24 11:04:37

Re: SELinux and Apache.

Post by hack3rcon » 2019/05/28 05:30:36

mghe wrote:
2019/05/27 18:24:50
Some of your app folders should have write access, so they should have the context: httpd_sys_rw_content_t

Read here: https://access.redhat.com/documentation ... ling_files

When I disabled SELinux, it was OK. The log tells me:

Code:

# cat /var/log/audit/audit.log 
type=MAC_STATUS msg=audit(1559021267.527:170): enforcing=1 old_enforcing=0 auid=1000 ses=2
type=SYSCALL msg=audit(1559021267.527:170): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff32f909c0 a2=1 a3=7fff32f90420 items=0 ppid=3755 pid=3850 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1559021267.527:170): proctitle=736574656E666F7263650031
type=USER_AVC msg=audit(1559021267.527:171): pid=2918 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1559021274.515:172): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1559021275.548:173): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1559021275.658:174): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1559021283.808:175): avc:  denied  { write } for  pid=3863 comm="httpd" name="page_cache" dev="dm-0" ino=205975324 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1559021283.808:175): arch=c000003e syscall=21 success=no exit=-13 a0=7fcb925e3b40 a1=2 a2=0 a3=7777772f7261762f items=0 ppid=3861 pid=3863 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1559021283.808:175): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
How can I solve it?

hack3rcon
Posts: 423
Joined: 2014/11/24 11:04:37

Re: SELinux and Apache.

Post by hack3rcon » 2019/05/28 06:05:51

Problem Solved by:

Code:

# chcon -R -t httpd_sys_rw_content_t var/ pub/ generated/

hunter86_bg
Posts: 1841
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux and Apache.

Post by hunter86_bg » 2019/06/08 05:57:52

hack3rcon wrote:
2019/05/28 06:05:51
Problem Solved by:

Code:

# chcon -R -t httpd_sys_rw_content_t var/ pub/ generated/

That's not permanent!

Use

Code:

semanage fcontext -a -t  httpd_sys_rw_content_t "/full/path/todir(/.*)?" 
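
The diagnosis and the permanent fix discussed in this thread, as an added example that is not part of any post: `avc_summary` pulls the denied permission and the source and target types out of AVC records, and `persist_cmds` prints the `semanage fcontext` rule together with the `restorecon` run that applies it to files that already exist. The function names and `/path/to/app/var` are placeholders assumed here; the script only prints commands and changes nothing.

```sh
#!/bin/sh
# Added example, not from the thread. Prints commands; changes nothing.

# Two records copied from the audit.log excerpt posted in the thread.
sample_log() {
cat <<'EOF'
type=SERVICE_START msg=audit(1559021275.658:174): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1559021283.808:175): avc:  denied  { write } for  pid=3863 comm="httpd" name="page_cache" dev="dm-0" ino=205975324 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
EOF
}

# One line per kernel AVC denial:
#   comm perms tclass name source_type target_type
avc_summary() {
  awk '/^type=AVC / && /avc: +denied/ {
    split("", f)                      # clear fields left from the previous record
    perm = $0
    sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm); gsub(/ /, ",", perm)
    for (i = 1; i <= NF; i++) {       # collect key=value pairs, quotes stripped
      n = index($i, "=")
      if (n == 0) continue
      v = substr($i, n + 1); gsub(/"/, "", v)
      f[substr($i, 1, n - 1)] = v
    }
    split(f["scontext"], s, ":"); split(f["tcontext"], t, ":")
    print f["comm"], perm, f["tclass"], f["name"], s[3], t[3]
  }'
}

# Persistent form of the chcon fix: record the rule, then relabel from it.
# fcontext rules match full paths, so a relative directory such as var/ is rejected.
persist_cmds() {
  dir="${1%/}"; type="${2:-httpd_sys_rw_content_t}"
  case "$dir" in
    /*) ;;
    *) echo "need an absolute path, got: $1" >&2; return 1 ;;
  esac
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
  printf 'restorecon -Rv "%s"\n' "$dir"
}

sample_log | avc_summary
persist_cmds /path/to/app/var   # placeholder: the thread does not give the full path
```

The summary line shows `httpd_t` being denied `write` on a directory labelled `httpd_sys_content_t`, which is the read-only content type; that is the case the `httpd_sys_rw_content_t` advice addresses.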

hack3rcon
Posts: 423
Joined: 2014/11/24 11:04:37

Re: SELinux and Apache.

Post by hack3rcon » 2019/06/23 15:03:08

Oh, to apply it permanently, I must use "semanage fcontext"?
