Using basic SELinux on Enterprise Linux

Security-Enhanced Linux (SELinux) is a robust security mechanism that provides mandatory access control (MAC) for Linux. When deploying web services on Enterprise Linux, SELinux helps ensure the system’s security by enforcing strict access policies. This article guides you through hosting a website in the /opt/cafe/www directory, highlighting how to debug, analyze, and solve SELinux-related issues when it is in enforcing mode.

Scenario Overview

In this scenario, you are setting up a website with its files located in /opt/cafe/www. SELinux is enabled and in enforcing mode, which is the default configuration on Enterprise Linux. We’ll walk through the steps to configure SELinux to allow the web server (Apache) to serve content from this custom directory.

Installing Apache

First, ensure Apache is installed and running:

sudo dnf install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd

Configuring Apache

Edit the Apache configuration to point to the new directory:

sudo vim /etc/httpd/conf.d/cafe.conf

Add the following configuration:

<VirtualHost *:80>
    DocumentRoot "/opt/cafe/www"
    <Directory "/opt/cafe/www">
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/cafe_error.log
    CustomLog /var/log/httpd/cafe_access.log combined
</VirtualHost>

Create the directory and place an index.html file for testing:

sudo mkdir -p /opt/cafe/www
echo "<h1>Welcome to Cafe</h1>" | sudo tee /opt/cafe/www/index.html
sudo chown -R apache:apache /opt/cafe/www

Restart Apache to apply the changes:

sudo systemctl restart httpd

SELinux Context Configuration

By default, the SELinux policy does not allow Apache to read files from the /opt/cafe/www directory, because the directory does not carry a label the web server is permitted to access. We need to set the correct security context on this directory.

Check the current SELinux context:

ls -Zd /opt/cafe/www

The output will show a context similar to:

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /opt/cafe/www

Change the context to httpd_sys_content_t so that Apache can serve the files. The semanage command records a persistent file-context rule for the directory tree, and restorecon applies it to the existing files:

sudo semanage fcontext -a -t httpd_sys_content_t '/opt/cafe/www(/.*)?'
sudo restorecon -Rv /opt/cafe/www

Verify the new context:

ls -Zd /opt/cafe/www

The output should now be:

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /opt/cafe/www

Debugging SELinux Issues

If there are issues with serving the content, the first step is to check the SELinux audit logs.

Install the setroubleshoot-server package to help interpret SELinux denials:

sudo dnf install setroubleshoot-server -y
sudo ausearch -m AVC,USER_AVC -ts recent

The ausearch command helps find recent SELinux denials. For a more user-friendly output, use sealert:

sudo sealert -a /var/log/audit/audit.log

This command analyzes the audit logs and provides detailed information and suggestions on how to resolve issues.

Analyzing and Solving Common Issues

Issue 1: Directory permissions

Ensure that Apache has read permissions:

sudo chown -R apache:apache /opt/cafe/www

Issue 2: Incorrect SELinux context

If the context is not correctly set, apply the correct context:

sudo semanage fcontext -a -t httpd_sys_content_t '/opt/cafe/www(/.*)?'
sudo restorecon -Rv /opt/cafe/www

Issue 3: Boolean Values

Certain SELinux booleans control additional Apache functionality. List them and check their current values:

sudo getsebool -a | grep httpd

Enable only the booleans you need; for example, to allow Apache to make outbound network connections:

sudo setsebool -P httpd_can_network_connect on
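The debugging and troubleshooting sections above describe reading AVC denials from ausearch and mapping each one to a fix (relabel, boolean, or plain permissions). The following script is an added example, not part of the original article: it parses AVC records in the key=value layout that ausearch prints (the exact field order in the sample lines is an assumption, and the three records are constructed) and prints the matching recommendation for each denial.

```shell
# Constructed sample records in the key=value layout ausearch -m AVC prints
# (field order is an assumption; real records carry more fields, same style).
SAMPLE_AVC='type=AVC msg=audit(1712345678.123:456): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev="dm-0" ino=1835011 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712345679.456:457): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/opt/cafe/www" dev="dm-0" ino=1835010 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1712345680.789:458): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Print the value of key=value (quoted or bare) from one AVC record: avc_field LINE KEY
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Classify one denial. Prints: "file-label TTYPE PERMS" (httpd_t blocked on a file/dir
# whose type it may not read), "ok-label TTYPE" (label is fine, look at DAC permissions),
# "network TTYPE PERMS" (socket access, usually a boolean), or "other STYPE TCLASS PERMS".
classify_avc() {
    scontext=$(avc_field "$1" scontext); tcontext=$(avc_field "$1" tcontext)
    tclass=$(avc_field "$1" tclass)
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p' | tr ' ' ',')
    stype=${scontext#*:*:}; stype=${stype%%:*}   # user:role:TYPE:level -> TYPE
    ttype=${tcontext#*:*:}; ttype=${ttype%%:*}
    case "$stype:$tclass" in
        httpd_t:file|httpd_t:dir|httpd_t:lnk_file)
            case "$ttype" in
                httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t)
                    echo "ok-label $ttype" ;;
                *)  echo "file-label $ttype $perms" ;;
            esac ;;
        httpd_t:tcp_socket|httpd_t:udp_socket) echo "network $ttype $perms" ;;
        *) echo "other $stype $tclass $perms" ;;
    esac
}

# Read AVC records on stdin (e.g. from ausearch -m AVC -ts recent) and print one
# recommendation per denial, mapped to the fixes described in this article.
triage_avc() {
    while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        set -- $(classify_avc "$line")
        case "$1" in
            file-label) echo "relabel: httpd_t denied $3 on ${2}-labelled object; run semanage fcontext -a -t httpd_sys_content_t '/opt/cafe/www(/.*)?' then restorecon -Rv /opt/cafe/www" ;;
            network)    echo "boolean: httpd_t denied $3 to $2; review getsebool -a | grep httpd (e.g. httpd_can_network_connect)" ;;
            ok-label)   echo "dac: $2 is readable by httpd_t; check ownership and mode with ls -lZ" ;;
            *)          echo "review: $*" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_AVC" | triage_avc
```

On a real host, replace the sample with `sudo ausearch -m AVC,USER_AVC -ts recent | triage_avc` to triage live denials.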

Conclusion

By following these steps, you can host a website in the /opt/cafe/www directory on Enterprise Linux with SELinux in enforcing mode. Properly configuring SELinux contexts and knowing how to debug and analyze SELinux denials are crucial for maintaining a secure and functional web server. Leaving SELinux enforcing keeps the web server confined even if it is misconfigured or compromised.