The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules.
10.10.2.1. Labeling Problems
On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label, possibly causing SELinux to deny access and allowing the process to create mislabeled files.
A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using /var/www/html/ for a website, an administrator wants to use /srv/myweb/. On Fedora, the /srv/ directory is labeled with the var_t type. Files and directories created in /srv/ inherit this type. Also, newly-created top-level directories (such as /myserver/) may be labeled with the default_t type. SELinux prevents the Apache HTTP Server (httpd) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/ are to be accessible to httpd:
~]# semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"
This semanage command adds the context for the /srv/myweb/ directory (and all files and directories under it) to the SELinux file-context configuration. The semanage utility does not change the context of the files on disk. As root, run the restorecon utility to apply the changes:
~]# restorecon -R -v /srv/myweb
10.10.2.1.1. What is the Correct Context?
The matchpathcon utility checks the context of a file path and compares it to the default label for that path. The following example demonstrates using matchpathcon on a directory that contains incorrectly labeled files:
~]$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
In this example, the index.html and page1.html files are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory may result in files being labeled with the user_home_t type, because mv preserves the existing context of the moved file. This type should not exist outside of home directories. Use the restorecon utility to restore such files to their correct type:
~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
To restore the context for all files under a directory, use the -R option:
~]# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
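As an added example (not part of the Fedora documentation), the following POSIX shell functions parse matchpathcon -V output of the kind shown above and report only the files whose SELinux type, the component that type-enforcement rules check, differs from the type the file-context configuration expects; a difference in the SELinux user alone is not reported. The sample output lines are constructed, and the function names are ours.

```shell
#!/bin/sh
# Added example: parse `matchpathcon -V` output and list files whose SELinux
# type differs from the expected one. The sample below is constructed so the
# script runs offline; in practice pipe in `matchpathcon -V /srv/myweb/*`.

# Constructed sample output in the format matchpathcon -V prints. The third
# line differs only in the SELinux user, the fourth is already correct.
SAMPLE_MATCHPATHCON='/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/notes.html has context unconfined_u:object_r:httpd_sys_content_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/ok.html verified.'

# A context is user:role:type:range; the type is the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reads matchpathcon -V output on stdin and prints
# "<path> <actual_type> <expected_type>" for each file whose type is wrong.
# "verified." lines and user-only differences produce no output.
report_type_mismatches() {
    while IFS= read -r line; do
        case "$line" in
            *' has context '*', should be '*) ;;
            *) continue ;;
        esac
        path=${line%% has context *}
        rest=${line#* has context }
        actual=${rest%%, should be *}
        expected=${rest#*, should be }
        actual_t=$(context_type "$actual")
        expected_t=$(context_type "$expected")
        if [ "$actual_t" != "$expected_t" ]; then
            printf '%s %s %s\n' "$path" "$actual_t" "$expected_t"
        fi
    done
}

# Number of files in the constructed sample that need relabeling.
count_type_mismatches() {
    printf '%s\n' "$SAMPLE_MATCHPATHCON" | report_type_mismatches | wc -l | tr -d ' '
}

count_type_mismatches
```

Files it reports are candidates for restorecon -v as shown above; a user-only difference is left alone because it does not affect type-enforcement decisions.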