There is a "small" difference between
chcon -t some_file_type_t /some/file
and
semanage fcontext -a -t some_file_type_t /some/file
restorecon -v /some/file
The first one only sets the context of the specified file, but when the file is deleted and created again, or restored from a backup (e.g. a tar archive made without the --selinux option), the changed context is not restored.
To permanently change the context of a file or a set of files, including ones created later, you have to use semanage:
semanage fcontext -a -t some_file_type_t "/some/dir(/.*)?"
to change the context of the directory /some/dir and all files in this directory (run restorecon afterwards to apply the new rule to files that already exist).
If you want to use Submin, or any other web application that resides outside the default Apache directory (/var/www/html), you have to set the proper SELinux context for all of its files. In this case all files are located in the /var/lib/submin directory. Without this you will get error messages in /var/log/audit/audit.log:
avc: denied { write } for pid=1813 comm="python2" name="submin.db" dev=dm-0 ino=664032 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
and in /var/log/messages:
setroubleshoot: SELinux is preventing /usr/bin/python from read access on the file /var/lib/submin/conf/settings.py
setroubleshoot: SELinux is preventing /usr/bin/python from read access on the file /var/lib/submin/conf/settings.pyc
setroubleshoot: SELinux is preventing /usr/bin/python from write access on the directory /var/lib/submin/conf
setroubleshoot: SELinux is preventing /usr/bin/python from getattr access on the file /var/lib/submin/conf/submin.db
You should change the context of /var/lib/submin/cgi-bin/submin.cgi to httpd_sys_script_exec_t and of the whole /var/lib/submin/conf/ directory to httpd_sys_script_rw_t:
cd /var/lib/submin
chcon -t httpd_sys_script_exec_t cgi-bin/submin.cgi
chcon -R -t httpd_sys_script_rw_t conf
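The same labelling done the persistent way the post recommends (semanage fcontext plus restorecon instead of a one-off chcon), as a script added here and not taken from the post or the Submin project. It assumes the /var/lib/submin layout described above and that semanage/restorecon from policycoreutils are installed; the rule list can be inspected without root.

```shell
#!/bin/sh
# Persistent SELinux labelling for a Submin install outside /var/www/html.
# Added example; assumes $SUBMIN/cgi-bin/submin.cgi and $SUBMIN/conf/.
set -eu

# Print the fcontext rules (regex<TAB>type) that make the labels persistent,
# so they survive deletion, recreation and restores that drop the xattrs.
submin_fcontext_rules() {
    dir="${1%/}"
    printf '%s\t%s\n' "$dir/cgi-bin/submin\\.cgi" "httpd_sys_script_exec_t"
    printf '%s\t%s\n' "$dir/conf(/.*)?"          "httpd_sys_script_rw_t"
}

# Register the rules in the local policy and relabel the tree.
apply_submin_labels() {
    dir="$1"
    submin_fcontext_rules "$dir" | while IFS="$(printf '\t')" read -r spec type; do
        # -m updates a rule that already exists; fall back to -a for a new one.
        semanage fcontext -m -t "$type" "$spec" 2>/dev/null \
            || semanage fcontext -a -t "$type" "$spec"
    done
    restorecon -Rv "$dir"
}

# Passive check: restorecon -n only reports files whose on-disk label differs
# from what the policy now says, so empty output means the tree is consistent.
verify_submin_labels() {
    [ -z "$(restorecon -Rnv "$1")" ]
}

if [ "${1:-}" = "--apply" ]; then
    target="${2:-/var/lib/submin}"
    apply_submin_labels "$target"
    verify_submin_labels "$target" && echo "labels consistent for $target"
fi
```

Run it as root with --apply (optionally followed by the install directory) to register the rules and relabel; without arguments it only defines the functions.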
Additionally, if you want Submin to work with Apache on a different port (e.g. 88), you have to change the http_vhost option:
submin2-admin /var/lib/submin config set http_vhost "http://your.host.com:88"
Note that there is no trailing slash (/) in the address.