SELinux Learning Activity

Hands-On Lab

 

Rob Marti

Linux Training Architect I in Content

Length

00:30:00

Difficulty

Intermediate

In this lab we'll use SELinux to resolve a scenario that is common in the real world. Doing this will help us understand the tools available and where to look when troubleshooting SELinux issues.

The Scenario

We've been tasked with setting up a new web server, and we're required to have SELinux in enforcing mode. The website data must reside in /opt/website.

Once the SELinux contexts are set correctly for that directory, we have to deploy the website, making sure that /opt/website/index.html has the correct SELinux permissions so it can be served out.

Get Logged In

Use the credentials and server IP in the hands-on lab overview page to log into our lab server. Since we'll need to be root for all of the commands, we'll run a quick sudo -i as soon as we're in. Once that's done, we can get moving.

Fix the SELinux Permissions on /opt/website so That They'll Survive a Relabel

First we'll check to see what the label needs to be on /opt/website/. Since websites are normally stored in /var/www/html, we can look there to see what it should be. Let's run:

[root@host]# ls -lZ /var/www

We can see that the context should be set to httpd_sys_content_t. Now if we look at /opt/website with the same command, we'll see that it is set instead to usr_t.

We need to change this, so we'll run this:

[root@host]# semanage fcontext -a -t httpd_sys_content_t '/opt/website(/.*)?'

This records the rule in the SELinux file-context database, which is what lets the label survive a relabel, but to actually apply the change on the filesystem, we'll run:

[root@host]# restorecon /opt/website

Deploy the Website as Instructed and Test It

Our website's index.html page is sitting in /root, and we've been instructed to deploy the website. So let's move the file:

[root@host]# mv /root/index.html /opt/website/

Then we can try viewing it with:

[root@host]# curl localhost/index.html

If we get a Connection refused error, it might be that our web server isn't running yet. Try a quick systemctl start httpd to fire it up if it isn't running already.

What if we get a 403 Forbidden error? Well, let's see if it's SELinux blocking us. Run setenforce 0 to set SELinux to permissive, then try the curl command again.

If it works, then we've got to adjust SELinux. Set it back to enforcing mode with setenforce 1 and then let's dig into what's not working.

Resolve the Error When Trying to Access /opt/website/index.html

ls -lZ /opt/website will show that index.html has a type of admin_home_t. We set the /opt/website directory up properly, but mv kept the label the file had in /root, so the new file in it needs some attention.

If we run restorecon /opt/website/index.html, this should be fixed. Then the curl command will work.
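To confirm the labels without switching SELinux to permissive mode, the following added example (not part of the original lab) reads ls -lZ output and reports every entry whose type differs from the expected one. The function names and the two sample listings (sizes, dates) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab: flag entries whose SELinux type is not
# the one httpd is allowed to read (httpd_sys_content_t in this lab).

# mislabeled EXPECTED_TYPE
# Reads `ls -Z` / `ls -lZ` lines on stdin, prints "type name" for each entry
# whose type differs from EXPECTED_TYPE, and returns 1 if any were found.
# Assumes file names without spaces (the name is taken from the last field).
mislabeled() {
    awk -v want="$1" '
        {
            ctx = ""
            # The context is the first field shaped like user:role:type[:level];
            # a time such as 10:42 has only two parts and is skipped.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:|$)/) {
                    ctx = $i
                    break
                }
            if (ctx == "") next          # "total N" and blank lines
            split(ctx, part, ":")
            if (part[3] != want) { print part[3], $NF; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed listing: index.html right after the mv from /root.
sample_before() {
    cat <<'EOF'
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 14 Jan  1 10:42 index.html
EOF
}

# Constructed listing: the same file after restorecon.
sample_after() {
    cat <<'EOF'
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 14 Jan  1 10:42 index.html
EOF
}

# Demo on the constructed listings. On a live host:
#   ls -lZ /opt/website | mislabeled httpd_sys_content_t
sample_before | mislabeled httpd_sys_content_t || echo "relabel needed"
sample_after  | mislabeled httpd_sys_content_t && echo "all labels match"
```

On a real host, restorecon -Rnv /opt/website reports the same mismatches against the loaded policy without changing anything.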

Conclusion

We did it. We set up a website in a non-standard directory and got it served out with SELinux still in enforcing mode. Congratulations!