
Troubleshooting SELinux on Files and Directories

Hands-On Lab


Rob Marti

Linux Training Architect I in Content

Length: 00:30:00

Difficulty: Intermediate

Understanding how to fix potential SELinux issues is important. This lab will present an SELinux problem and allow us to work through the solution, getting us familiar with where to look and how to fix problems.

The Scenario

A junior sysadmin was trying to set up a webserver for our development team. He's running into some SELinux issues and isn't sure how to fix them.

First of all, Apache won't start. Once that starts correctly, we need to move the developer's index.html to their UserDir for Apache, and ensure that the page is served correctly.

Logging In

Use the credentials provided on the hands-on lab overview page and log in as cloud_user. Once we're in, run sudo -i to get a root shell.

Identify and Fix the Problem on Startup

Let's try to start Apache right off, to see what happens:

# systemctl start httpd

We get an error saying the control process exited with an error code. The message does give us some advice, though: check the service status and look at journalctl. So let's run that:

# journalctl -xe

In the output, we're going to see lines similar to this:

Jan 09 20:32:46 Server1 httpd[7107]: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/l>
Jan 09 20:32:46 Server1 httpd[7107]: AH00015: Unable to open logs

So httpd can't open its error log. The journal line is cut off, but the path starts with /etc/httpd/logs, which ends up at /var/log/httpd/error_log. Let's look at the file's SELinux context:

# ls -lZ /etc/httpd/logs/error_log

-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan  9 20:17 /etc/httpd/logs/error_log

/etc/httpd/logs is just a symbolic link to a directory under /var/log, so let's look at the real file too:

# ls -lZ /var/log/httpd/error_log

-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan  9 20:17 /var/log/httpd/error_log

The admin_home_t type isn't the right context for a file under /var/log/httpd. Let's use restorecon to reset it to the default the policy defines for that path:

# restorecon /var/log/httpd/error_log

Now if we look at the details again, we'll see that the type has changed to httpd_log_t:

# ls -lZ /var/log/httpd/error_log

-rw-r--r--. 1 root root unconfined_u:object_r:httpd_log_t:s0 0 Jan  9 20:17 /var/log/httpd/error_log

Let's see if we can start Apache now:

# systemctl start httpd

We get no errors, so we're good to go.

Fix the Problem with Home Directories

Now let's check on what's happening with home directories. Run this to see where they should be:

# cat /etc/httpd/conf.d/userdir.conf

According to the UserDir line, we should have a public_html directory in the developer user's home directory. Is there one? Let's check:

# cd /home/developer
# ls -l

There isn't, so we've got to create it. We'll also have to set the permissions on it to 755, and set the permissions on /home/developer to 711 so Apache can traverse the home directory. First, make the directory:

# mkdir public_html

Check if its context is correct:

# ls -lZd public_html

We should see httpd_user_content_t in the output, because the policy already knows what a public_html directory should be labelled. Now we can set the permissions:

# chmod 0711 /home/developer
# chmod 0755 /home/developer/public_html

Let's create a test file and check that we can see it via Apache:

# cd public_html
# touch testfile
# curl localhost/~developer/testfile

We get a Forbidden error. Let's check the audit log to see what's happening:

# grep testfile /var/log/audit/audit.log

There are a couple of AVC denials in there. We know the context is set properly, so the next step is to look at Booleans. Does Apache have any related to home directories? Let's check:

# getsebool -a | grep httpd

Aha! There's one called httpd_enable_homedirs and it's set to off. Let's turn it on and see what happens:

# setsebool httpd_enable_homedirs on

Now the curl should work correctly:

# curl localhost/~developer/testfile

That file is empty, so there shouldn't be any output at all; no error means we're good to go. Now let's move the index.html file into the public_html directory and test:

# mv ../index.html .
# curl localhost/~developer/index.html

We get another permission error. Let's check on what's going on:

# ls -lZ

The context is different for the two files: index.html was created in /home/developer, not in the public_html directory, and mv keeps the label a file was given where it was created. Let's fix that and check:

# restorecon index.html
# ls -lZ

Now both files have the httpd_user_content_t context. Let's try the curl command again:

# curl localhost/~developer/index.html

We should see the contents of index.html.
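As an added example (not part of the lab's own material), here is a small POSIX shell triage helper covering the two checks the walkthrough repeats: comparing a file's label with the one expected for its path, and reading the AVC records in audit.log to decide between a relabel and a Boolean. The expected-type table and the sample ls -lZ and audit lines are constructed for the example; on a real host, matchpathcon or restorecon -nv supplies the expected label.

```shell
# Added triage helper (not part of the lab): checks file labels and AVC denials
# against constructed sample data so it runs anywhere. The path table is a
# simplified stand-in for the policy's file_contexts (assumed, not the real one).

# The type is the third field of the context (column 5 of `ls -lZ` output).
sel_type() { printf '%s\n' "$1" | awk '{ split($5, c, ":"); print c[3] }'; }

# Expected type for a path (assumed table built from the labels the lab shows).
expected_type() {
    case "$1" in
        /var/log/httpd/*)                          echo httpd_log_t ;;
        /home/*/public_html|/home/*/public_html/*) echo httpd_user_content_t ;;
        /home/*/*)                                 echo user_home_t ;;
        /home/*)                                   echo user_home_dir_t ;;
        *)                                         echo unknown ;;
    esac
}

# Compare actual vs expected type; prints "ok" or "relabel ACTUAL -> EXPECTED".
check_label() {
    actual=$(sel_type "$2"); want=$(expected_type "$1")
    [ "$actual" = "$want" ] && echo ok || echo "relabel $actual -> $want"
}

# Summarise AVC records from audit.log (stdin): source domain, permission, class,
# target type. Wrong target type => restorecon; right type => getsebool/setsebool -P.
avc_summary() {
    awk '/type=AVC/ && /denied/ {
        match($0, /denied +[{][^}]*[}]/); perm = substr($0, RSTART, RLENGTH)
        sub(/denied +[{] */, "", perm); sub(/ *[}]/, "", perm)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        print src " denied " perm " on " cls " labelled " tgt
    }'
}

# Constructed samples modelled on the lab's output (not real captures).
LOG_LINE='-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan  9 20:17 /var/log/httpd/error_log'
HTML_LINE='-rw-r--r--. 1 developer developer unconfined_u:object_r:user_home_t:s0 42 Jan  9 20:40 /home/developer/public_html/index.html'
AVC_LINE='type=AVC msg=audit(1547066000.123:456): avc:  denied  { read } for  pid=7200 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
check_label /var/log/httpd/error_log "$LOG_LINE"               # relabel admin_home_t -> httpd_log_t
check_label /home/developer/public_html/index.html "$HTML_LINE" # relabel user_home_t -> httpd_user_content_t
printf '%s\n' "$AVC_LINE" | avc_summary                         # httpd_t denied read on file labelled user_home_t
```

Note that the lab's setsebool call without -P lasts only until reboot; the -P form mentioned in the comments writes the Boolean into the persistent policy store.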

Conclusion

We managed to get Apache up and running, and we have pages being served correctly out of our developer's home directory. Congratulations!