Stop disabling SELinux

This article contains short recipes to help manage Drupal projects that run under an SELinux-enabled Linux distribution (CentOS).

1. Allow Apache to access the root directory of your project

semanage fcontext -a -t httpd_sys_content_t '/var/local/myproject(/.*)?'

Long description: Apache runs in the httpd_t domain, which may only read files labelled with the httpd content types, and the stock policy assigns those labels only under /var/www. Files in a custom virtual-host directory such as /var/local/myproject carry some other label that httpd_t is not allowed to read, so every request for them ends in a 403 Forbidden error and an AVC denial in /var/log/audit/audit.log. The command above records a rule that labels the whole project tree httpd_sys_content_t. Note that semanage only stores the rule; files that already exist get the new label only after you relabel the directory with restorecon (restorecon -R on the project root). You can list the rules that currently apply to /var/www by running the following command:

semanage fcontext -l | grep '/var/www'

which shows the contexts applied to files under that directory (pattern, file type, context):

...
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/configuration\.php all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/munin(/.*)? all files system_u:object_r:httpd_munin_content_t:s0
/var/www/html/munin/cgi(/.*)? all files system_u:object_r:httpd_munin_script_exec_t:s0
/var/www/icons(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
...
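To see why the rule above is needed and what it changes, here is an added example that is not code from the article: a small parser for semanage fcontext -l output that predicts which type the most specific matching rule gives a path. The listing inside it is constructed from the /var/www rules quoted above; the precedence rules are a simplified version of libselinux's (longest literal prefix wins, then a literal pattern beats a regular expression, then the longer pattern, then the rule defined last). The /var/local/myproject path and the extra rule for Drupal's sites/default/files upload directory are assumptions for illustration, and the drupal_recipe function only returns the commands it would run.

```python
"""Predict the SELinux label a path gets from `semanage fcontext -l` style rules.

Added example, not code from the article.  SAMPLE_LISTING is constructed from the
stock CentOS /var/www rules quoted above.  The precedence rules are a simplified
version of libselinux's: longest literal prefix wins, then a literal pattern beats
a regular expression, then the longer pattern, then the rule defined last.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

META = ".^$?*+|[({"       # regex metacharacters; a backslash escapes the next character
FILE_TYPES = ("all files", "regular file", "directory", "symbolic link",
              "character device", "block device", "socket", "named pipe")
LINE_RE = re.compile(r"^(\S+)\s+(" + "|".join(FILE_TYPES) + r")\s+(\S+)$")

# Constructed sample of `semanage fcontext -l | grep /var/www` output.
SAMPLE_LISTING = r"""
/var/www(/.*)?                    all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?      all files  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/configuration\.php  all files  system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/icons(/.*)?              all files  system_u:object_r:httpd_sys_content_t:s0
"""


def prefix_len(regex: str) -> int:
    """Index of the first unescaped metacharacter; len(regex) if the pattern is literal."""
    i = 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2                  # escaped character, still literal
            continue
        if regex[i] in META:
            return i
        i += 1
    return len(regex)


@dataclass
class Rule:
    regex: str
    ftype: str
    context: str        # user:role:type:level, or <<None>> for "do not label"
    order: int          # position in the listing; later rules win exact ties

    @property
    def type(self) -> Optional[str]:
        return None if self.context == "<<None>>" else self.context.split(":")[2]

    def matches(self, path: str) -> bool:
        return re.fullmatch(self.regex, path) is not None

    def specificity(self):
        p = prefix_len(self.regex)
        return (p, p == len(self.regex), len(self.regex), self.order)


def parse_listing(text: str) -> List[Rule]:
    """Parse the three-column output of `semanage fcontext -l`."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append(Rule(m.group(1), m.group(2), m.group(3), len(rules)))
    return rules


def add_rule(rules: List[Rule], regex: str, setype: str, ftype: str = "all files") -> None:
    """Local model of `semanage fcontext -a -t <setype> '<regex>'`."""
    rules.append(Rule(regex, ftype, f"system_u:object_r:{setype}:s0", len(rules)))


def resolve_type(rules: List[Rule], path: str) -> Optional[str]:
    """Type assigned by the most specific matching rule, or None when nothing
    matches (on a real system the file then keeps the label its parent gave it,
    which httpd_t normally may not read)."""
    hits = [r for r in rules if r.matches(path)]
    return max(hits, key=Rule.specificity).type if hits else None


def drupal_recipe(root: str) -> List[str]:
    """Commands for a Drupal docroot outside /var/www (root is an assumed path):
    label the tree read-only for httpd, make Drupal's upload directory writable,
    then relabel the files that already exist, because semanage only records the
    rule and restorecon is what applies it."""
    return [
        f"semanage fcontext -a -t httpd_sys_content_t '{root}(/.*)?'",
        f"semanage fcontext -a -t httpd_sys_rw_content_t '{root}/sites/default/files(/.*)?'",
        f"restorecon -Rv '{root}'",
    ]


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for p in ("/var/www/html/index.php", "/var/www/html/cgi-bin/test.cgi",
              "/var/www/html/configuration.php", "/var/local/myproject/index.php"):
        print(f"{p:40} -> {resolve_type(rules, p)}")
    add_rule(rules, "/var/local/myproject(/.*)?", "httpd_sys_content_t")
    add_rule(rules, "/var/local/myproject/sites/default/files(/.*)?", "httpd_sys_rw_content_t")
    print(resolve_type(rules, "/var/local/myproject/sites/default/files/logo.png"))
    print("\n".join(drupal_recipe("/var/local/myproject")))
```

Running it shows the point of the recipe: /var/local/myproject/index.php matches no rule at all until the project rule is added, while configuration.php under /var/www/html gets the writable type because its literal rule is more specific than the catch-all /var/www(/.*)?. On a real host, matchpathcon and ls -Z give the authoritative answer; the rule for sites/default/files is the Drupal-specific step that most forgotten-permission bugs come down to, since httpd_sys_content_t is read-only for httpd_t.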

Other useful commands

sealert - the setroubleshoot client tool; scans the audit log for accumulated denial messages and explains them

audit2allow - generates SELinux policy allow/dontaudit rules from logs of denied operations

audit2why - translates SELinux audit messages into a description of why the access was denied (same as audit2allow -w)


Example:

Scan audit.log for denials from the imap daemon (dovecot) and generate a loadable policy module called imap.pp:

grep imap /var/log/audit/audit.log | audit2allow -M imap

This also writes the module source to imap.te. Read it before loading: audit2allow turns every denial it sees into an allow rule, including denials whose real fix is relabelling a file (as in recipe 1) or switching a boolean. Once you are happy with it, load the module with semodule -i imap.pp
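Before piping grep output into audit2allow it pays to look at what the denials actually are. The following added example, which is not code from the article, parses AVC records from audit.log, sorts each denial into one of three fixes (relabel, boolean, allow rule) and prints the allow statements audit2allow would put into the .te file so they can be reviewed before semodule -i. The log lines are constructed for the example; the triage classes are ordinary practitioner heuristics rather than the output of any SELinux tool, and httpd_can_network_connect_db, named in a comment, is the boolean usually involved when httpd needs to reach a database port.

```python
"""Triage AVC denials from audit.log before handing them to audit2allow.

Added example, not code from the article.  SAMPLE_AUDIT_LOG is constructed to
look like real audit records; the triage classes (relabel / boolean / allow-rule)
are ordinary practitioner heuristics, not the output of any SELinux tool.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "nobody told SELinux this is web content".  An httpd_t denial
# against one of these is fixed by relabelling (recipe 1), not by allowing httpd_t
# to read everything that carries that label.
MISLABEL_TYPES = {"default_t", "var_t", "usr_t", "etc_t", "user_home_t", "admin_home_t"}

# Constructed audit.log excerpt: an httpd 403 on a docroot outside /var/www, a
# blocked database connection, and a dovecot write denial (what the grep above catches).
SAMPLE_AUDIT_LOG = r"""
type=AVC msg=audit(1424347111.234:1001): avc:  denied  { getattr } for  pid=2456 comm="httpd" path="/var/local/myproject/index.php" dev="dm-0" ino=133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1424347111.234:1001): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1424347111.240:1002): avc:  denied  { read } for  pid=2456 comm="httpd" name="index.php" dev="dm-0" ino=133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1424347200.500:1010): avc:  denied  { name_connect } for  pid=2460 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1424347300.100:1020): avc:  denied  { write } for  pid=3001 comm="imap" name="dovecot.index" dev="dm-0" ino=999 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=file
"""


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Pull permissions, process, target and object class out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None                       # SYSCALL, USER_AVC and other record types
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def triage(d: Dict[str, object]) -> str:
    """Which kind of fix a denial calls for."""
    if d["stype"] == "httpd_t" and d["ttype"] in MISLABEL_TYPES \
            and d["tclass"] in ("file", "dir", "lnk_file"):
        return "relabel"        # semanage fcontext -a ... then restorecon -R, as in recipe 1
    if d["tclass"] in ("tcp_socket", "udp_socket") and "name_connect" in d["perms"]:
        return "boolean"        # usually a getsebool/setsebool switch such as httpd_can_network_connect_db
    return "allow-rule"         # the case audit2allow is for; still read the .te before semodule -i


def allow_rules(denials: List[Dict[str, object]]) -> List[str]:
    """The allow statements audit2allow would emit for these denials, merged per
    source type, target type and object class, so they can be reviewed first."""
    merged: Dict[tuple, set] = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    out = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{c} {perm};")
    return out


def denials_matching(log: str, needle: str) -> List[Dict[str, object]]:
    """`grep <needle> audit.log` followed by parsing, as in the imap example above."""
    parsed = (parse_avc(line) for line in log.splitlines() if needle in line)
    return [d for d in parsed if d]


if __name__ == "__main__":
    for d in denials_matching(SAMPLE_AUDIT_LOG, ""):
        print(f"{d['comm']:6} {d['stype']:10} -> {d['ttype']:16} {d['tclass']:10} "
              f"{sorted(d['perms'])}  {triage(d)}")
    print("\n".join(allow_rules(denials_matching(SAMPLE_AUDIT_LOG, "imap"))))
```

Feeding the whole constructed log through audit2allow would produce allow httpd_t var_t:file { getattr read };, which is exactly the rule you do not want: it lets the web server read every var_t file on the box, whereas the httpd denials here are cured by the fcontext rule from recipe 1. Only the dovecot denial survives triage as a candidate for a module, and the grep on "imap" narrows the input to just that.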

This page is under construction