
SELinux worth the hassle?

  • 23-01-2014 3:41pm
    #1
    Registered Users, Registered Users 2 Posts: 218 ✭✭


    Just lost the last few hours banging my head against the wall trying to figure out why the PHP site wasn't working. Finally realised that SELinux was turned on.

    Anyone know of any good reference materials?


Comments

  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭ Standard Toaster


    Tillotson wrote: »
    Just lost the last few hours banging my head against the wall trying to figure out why the PHP site wasn't working. Finally realised that SELinux was turned on.

    Anyone know of any good reference materials?

    Worth enabling once you get your head around the various concepts.
    Check Dan Walsh's blog
    http://danwalsh.livejournal.com


  • Registered Users, Registered Users 2 Posts: 218 ✭✭ Tillotson


    Yea, Apache was giving me a 403 error. Spent ages double checking configs / permissions and trawling through logs before it finally dawned on me. I wouldn't have minded if I had found an error message which pointed me in the right direction.

    It's pointless enabling it now and blindly following instructions found online. Something I'll have to come back to when I understand what I'm doing.


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭ Standard Toaster


    Set it to permissive mode and look at the audit log; it should show what needs to be addressed. Grep for AVC messages.

    You can check the status of all of the apache-related SELinux booleans that are off with something like:

    # getsebool -a | grep httpd | grep off$
    allow_httpd_anon_write --> off
    allow_httpd_mod_auth_ntlm_winbind --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_can_check_spam --> off
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_dbus_avahi --> off
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_execmem --> off
    httpd_read_user_content --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_tmp_exec --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_gpg --> off
    httpd_use_nfs --> off


    Enable/disable with

    setsebool -P httpd_tmp_exec 1

    Audit2allow as a last resort... or leaving it off completely.
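
The "grep for AVC messages" step above, taken one step further as an added example (not part of the thread): a shell function that groups AVC denials by process, source type, target type, class and permission, so repeated denials collapse into one line each. The function names and the sample records are constructed for illustration; it assumes the usual audit.log record layout and a comm value without spaces.

```bash
#!/bin/bash
# Added example: summarise SELinux AVC denials read from stdin.

# Constructed sample records in audit.log format (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1390491660.101:412): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.php" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1390491660.101:412): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1390491661.220:413): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.php" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1390491700.008:420): avc:  denied  { name_connect } for  pid=2102 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Output: "<count> <comm> <source_type> -> <target_type>:<class> { <perms> }"
avc_summary() {
  awk '
    /type=AVC/ && /denied/ {
      comm = src = tgt = cls = perms = "?"
      # Permissions sit between the braces, e.g. { read write }
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        if (kv[1] == "tclass")   cls = kv[2]
        # Contexts are user:role:type:level; the type is the third field.
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
      }
      seen[comm " " src " -> " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -rn
}

# Demo on the constructed sample; on a real host pipe in the audit log instead.
sample_audit_log | avc_summary
```

On a real system the input would be `/var/log/audit/audit.log`, read as root. The target type in each summary line is what to compare against the booleans listed above: the constructed `mysqld_port_t` denial, for instance, is the case `httpd_can_network_connect_db` governs.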

