SElinux Howto

Uploaded by Shiv Jani

Mount the RHEL 9.0 ISO on your system and confirm with df -h that it is mounted.

Copy the whole content of the ISO to a folder on disk; in the example below it is copied to /opt/rhel9.

After the copy, confirm that the files are listed as below.

[root@localhost ~]# ls -l /opt/rhel9/

total 48

dr-xr-xr-x. 4 herry herry 38 Apr 20 2022 AppStream

dr-xr-xr-x. 4 herry herry 38 Apr 20 2022 BaseOS

dr-xr-xr-x. 3 herry herry 18 Apr 19 2022 EFI

-r--r--r--. 1 herry herry 8154 Apr 20 2022 EULA

-r--r--r--. 1 herry herry 1455 Apr 20 2022 extra_files.json

-r--r--r--. 1 herry herry 18092 Apr 20 2022 GPL

dr-xr-xr-x. 3 herry herry 59 Apr 19 2022 images

dr-xr-xr-x. 2 herry herry 4096 Apr 19 2022 isolinux

-r--r--r--. 1 herry herry 103 Apr 20 2022 media.repo

-r--r--r--. 1 herry herry 1669 Apr 20 2022 RPM-GPG-KEY-redhat-beta

-r--r--r--. 1 herry herry 3682 Apr 20 2022 RPM-GPG-KEY-redhat-release

Create a repo file

[root@localhost ~]# cat /etc/yum.repos.d/local.repo

[AppStream]

name=this is my AppStream repo

baseurl=file:///opt/rhel9/AppStream

enabled=1

gpgcheck=0

[BaseOS]

name=this is my BaseOS repo

baseurl=file:///opt/rhel9/BaseOS

enabled=1

gpgcheck=0
If the repo is set up properly you will be able to install the httpd package. Here it is already installed, so if you are installing it for the first time your output will differ. Note that gpgcheck=0 turns off signature verification for every package installed from these repos. The ISO ships the signing key as RPM-GPG-KEY-redhat-release (see the listing above), so outside a throwaway lab set gpgcheck=1 and add gpgkey=file:///opt/rhel9/RPM-GPG-KEY-redhat-release to each section.

[root@localhost ~]# dnf install httpd

Updating Subscription Management repositories.

Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to
register.

Last metadata expiration check: 23:43:03 ago on Monday 30 September 2024 12:39:58 PM.

Package httpd-2.4.51-7.el9_0.x86_64 is already installed.

Dependencies resolved.

Nothing to do.

Complete!
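As an added example (not part of the original howto), the same two repos written with signature checking turned on, plus a small audit that reports every repo section whose gpgcheck is not 1. It assumes the ISO copy lives at /opt/rhel9 as above, that RPM-GPG-KEY-redhat-release at the top of the ISO tree is the key to trust, and that an installed RHEL system keeps its copy of that key under /etc/pki/rpm-gpg; the repo name strings are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original howto.
# Writes a local-ISO repo file with GPG verification enabled (gpgcheck=1) and
# pins the key shipped on the ISO, instead of the howto's gpgcheck=0.
set -eu

# The howto's own /etc/yum.repos.d/local.repo, reproduced here for the audit demo.
HOWTO_REPO='[AppStream]
name=this is my AppStream repo
baseurl=file:///opt/rhel9/AppStream
enabled=1
gpgcheck=0

[BaseOS]
name=this is my BaseOS repo
baseurl=file:///opt/rhel9/BaseOS
enabled=1
gpgcheck=0'

# write_local_repo <iso_copy_dir> <repo_file>
# Assumes <iso_copy_dir> is a copy of the RHEL 9 ISO (BaseOS/, AppStream/ and
# RPM-GPG-KEY-redhat-release at its top level), like /opt/rhel9 in the howto.
write_local_repo() {
  local root=$1 repo=$2 key section
  key="$root/RPM-GPG-KEY-redhat-release"
  [ -f "$key" ] || { echo "missing signing key: $key" >&2; return 1; }
  : > "$repo"
  for section in BaseOS AppStream; do
    [ -d "$root/$section" ] || { echo "missing repo dir: $root/$section" >&2; return 1; }
    cat >> "$repo" <<EOF
[$section]
name=RHEL 9 $section (local ISO copy)
baseurl=file://$root/$section
enabled=1
gpgcheck=1
gpgkey=file://$key

EOF
  done
}

# repo_sections_without_gpgcheck <repo_file>
# Prints, one per line, every section that does not carry an explicit
# gpgcheck=1 (absent counts as not enabled here; the effective default then
# comes from /etc/dnf/dnf.conf, which is not something to rely on).
repo_sections_without_gpgcheck() {
  awk '
    function flush() { if (sec != "" && !ok) print sec }
    /^\[/ { flush(); sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); ok = 0 }
    /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
    END   { flush() }
  ' "$1"
}

# key_matches_installed <iso_copy_dir>
# An installed RHEL system already trusts the release key under /etc/pki/rpm-gpg
# (assumed path); a differing copy on the ISO tree is worth investigating
# before enabling the repo. Returns 0 when the two files are byte-identical.
key_matches_installed() {
  cmp -s "$1/RPM-GPG-KEY-redhat-release" /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
}

# demo_audit: runs the audit over the howto's repo file (constructed above).
demo_audit() {
  local f
  f=$(mktemp)
  printf '%s\n' "$HOWTO_REPO" > "$f"
  repo_sections_without_gpgcheck "$f"
  rm -f "$f"
}
```

With gpgkey= set, dnf imports the key on the first install after asking for confirmation (or silently with -y), and every package is then checked against it. The key on the ISO is only as trustworthy as the ISO itself, so verify the image's checksum against Red Hat's published value before copying it to /opt/rhel9.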

Check the status of the httpd service; it is not started yet.

[root@localhost ~]# systemctl status httpd

○ httpd.service - The Apache HTTP Server

Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor p>

Active: inactive (dead)

Docs: man:httpd.service(8)

Start the httpd service and enable it so it comes back after a reboot.

[root@localhost ~]# systemctl enable --now httpd

Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service →


/usr/lib/systemd/system/httpd.service.

[root@localhost ~]# systemctl status httpd

● httpd.service - The Apache HTTP Server

Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor pr>

Active: active (running) since Tue 2024-10-01 12:27:52 IST; 8s ago

====OMIT====

Oct 01 12:27:52 localhost.localdomain systemd[1]: Starting The Apache HTTP Ser>

Oct 01 12:27:52 localhost.localdomain httpd[3193]: AH00558: httpd: Could not r>

[root@localhost ~]#
Now check and set the hostname of your system. The AH00558 message in the journal above is httpd warning that it could not reliably determine the server's fully qualified domain name; a proper hostname and a matching /etc/hosts entry (next steps) clear it.

[root@localhost ~]# hostname

localhost.localdomain

[root@localhost ~]# hostnamectl hostname vm1.example.com

[root@localhost ~]# hostname

vm1.example.com

[root@localhost ~]# exit ; exit

Open a terminal again and become root.

Check your IP address.

[root@vm1 ~]# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen
1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen


1000

link/ether 00:0c:29:55:fb:b4 brd ff:ff:ff:ff:ff:ff

altname enp3s0

inet 192.168.116.129/24 brd 192.168.116.255 scope global dynamic noprefixroute ens160

valid_lft 1014sec preferred_lft 1014sec

inet6 fe80::20c:29ff:fe55:fbb4/64 scope link noprefixroute

valid_lft forever preferred_lft forever

Add an entry to /etc/hosts so the hostname resolves to the local IP address.

[root@vm1 ~]# vim /etc/hosts

[root@vm1 ~]# cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.116.129 vm1.example.com vm1


[root@vm1 ~]# ls -l /var/www/html/

total 0

[root@vm1 ~]# echo this is web server >> /var/www/html/index.html

[root@vm1 ~]# ls -l /var/www/html/

total 4

-rw-r--r--. 1 root root 19 Oct 3 11:26 index.html

[root@vm1 ~]# hostname

vm1.example.com

[root@vm1 ~]# curl http://vm1.example.com

this is web server

[root@vm1 ~]# rm /var/www/html/index.html

rm: remove regular file '/var/www/html/index.html'? y

[root@vm1 ~]#

[root@vm1 ~]# echo this is file 1 > file1

[root@vm1 ~]# echo this is file 2 > file2

[root@vm1 ~]# ls

anaconda-ks.cfg file1 file2

[root@vm1 ~]# cp file1 /var/www/html/

[root@vm1 ~]# curl http://vm1.example.com/file1

this is file 1

[root@vm1 ~]# ls /var/www/html/

file1

[root@vm1 ~]# mv file2 /var/www/html/

[root@vm1 ~]# ls

anaconda-ks.cfg file1

[root@vm1 ~]# curl http://vm1.example.com/file2

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>403 Forbidden</title>

</head><body>

<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>

</body></html>

[root@vm1 ~]#

[root@vm1 ~]# ls -l /var/www/html

total 12

-rw-r--r--. 1 root root 14 Sep 30 13:08 file1

-rw-r--r--. 1 root root 14 Sep 30 13:08 file2

[root@vm1 ~]# setenforce 0

[root@vm1 ~]# getenforce

Permissive

[root@vm1 ~]# curl http://vm1.example.com/file2

this is file 2

[root@vm1 ~]# setenforce 1

[root@vm1 ~]# getenforce

Enforcing

[root@vm1 ~]# curl http://vm1.example.com/file2

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>403 Forbidden</title>

</head><body>

<h1>Forbidden</h1>

<p>You don't have permission to access this resource.</p>

</body></html>

[root@vm1 ~]#

[root@vm1 ~]# ls -lZ /var/www/html

total 12

-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 14 Sep 30 13:08 file1

-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 14 Sep 30 13:08 file2

[root@vm1 ~]#

The contexts do not match, so SELinux denies the access even though the DAC permissions on both files are identical (-rw-r--r--, owned by root). cp created a new file in /var/www/html and the policy labelled it for that directory, httpd_sys_content_t. mv preserves a file's existing label (it renames rather than creates), so file2 still carries admin_home_t from /root, a type the httpd_t domain is not allowed to read. This is the usual way content ends up unreadable on a web server: it was moved into place instead of copied.
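As an added example (not part of the original howto), a small audit for exactly this situation: given an ls -lZ listing, it reports every file or directory whose SELinux type is not one the web server may read. The sample listing is the howto's own output for /var/www/html, embedded here as constructed input; the function and its name are mine. On the box itself, restorecon -nvR DIR asks the policy directly and is the better check; the parser is for a listing pasted from a ticket or a remote session.

```shell
#!/usr/bin/env bash
# Added example, not from the original howto.
# Flag entries in an `ls -lZ` listing whose SELinux type does not match the
# type (or alternation of types) the caller expects.
set -eu

# Constructed sample: the howto's listing of /var/www/html after `cp file1`
# and `mv file2`.
SAMPLE_LS='total 12
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 14 Sep 30 13:08 file1
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 14 Sep 30 13:08 file2'

# mislabeled <expected_type_regex>
# Reads `ls -lZ` output on stdin and prints the name of every regular file or
# directory whose type (third field of user:role:type[:level]) does not match
# the given pattern, e.g. httpd_sys_content_t or
# 'httpd_sys_(content|rw_content|ra_content|script_exec)_t'.
mislabeled() {
  awk -v want="$1" '
    /^total /  { next }                       # ls summary line
    /^[-d]/ {                                 # regular files and directories
      # fields: mode links owner group context size month day time|year name...
      split($5, ctx, ":")
      if (ctx[3] !~ ("^(" want ")$")) {
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i   # names containing spaces
        print name
      }
    }'
}

# demo_mislabeled: runs the audit over the constructed listing above.
demo_mislabeled() {
  printf '%s\n' "$SAMPLE_LS" | mislabeled httpd_sys_content_t
}
```

Typical use on a live host is ls -lZ /var/www/html | mislabeled httpd_sys_content_t, and each reported name is a candidate for restorecon -vF. Accepting an alternation of types matters in practice: upload directories are legitimately httpd_sys_rw_content_t and CGI scripts httpd_sys_script_exec_t, and a checker that only knows httpd_sys_content_t would nag about both.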


Apply the default label the file-context policy defines for everything under /var/www/html. The -F flag also resets the SELinux user field (unconfined_u to system_u), which is why file1 is relabeled as well; without -F only the type would be corrected, and the type is all that matters for this access check.

[root@vm1 ~]# restorecon -vvFR /var/www/html/

Relabeled /var/www/html/file1 from unconfined_u:object_r:httpd_sys_content_t:s0 to


system_u:object_r:httpd_sys_content_t:s0

Relabeled /var/www/html/file2 from unconfined_u:object_r:admin_home_t:s0 to


system_u:object_r:httpd_sys_content_t:s0

[root@vm1 ~]# ls -lZ /var/www/html/

total 8

-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 15 Oct 3 11:29 file1

-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 15 Oct 3 11:29 file2

Now file2 is served with SELinux in enforcing mode.

[root@vm1 ~]# curl http://vm1.example.com/file2

this is file 2

[root@vm1 ~]#

Let's see how to change the context of a file or directory.

[root@vm1 ~]# mkdir /custom

[root@vm1 ~]# ls -ld /custom

drwxr-xr-x. 2 root root 6 Oct 4 12:36 /custom

[root@vm1 ~]# ls -ldZ /custom

drwxr-xr-x. 2 root root unconfined_u:object_r:default_t:s0 6 Oct 4 12:36 /custom

[root@vm1 ~]# ls -ldZ /var/www/html/

drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 32 Oct 3 11:30 /var/www/html/

The chcon command changes the context of a file or directory.

[root@vm1 ~]# chcon -t httpd_sys_content_t /custom

[root@vm1 ~]# ls -ldZ /custom

drwxr-xr-x. 2 root root unconfined_u:object_r:httpd_sys_content_t:s0 6 Oct 4 12:36 /custom

A context set with chcon lives only in the file's extended attribute, not in the policy. As soon as anyone relabels (restorecon, fixfiles, or a full relabel on boot via /.autorelabel), it is reset to whatever the file-context rules say, as shown below. To make a label survive relabeling, record it in the policy with semanage fcontext and then run restorecon.

[root@vm1 ~]# restorecon -vvFR /custom

Relabeled /custom from unconfined_u:object_r:httpd_sys_content_t:s0 to


system_u:object_r:default_t:s0
[root@vm1 ~]# ls -ldZ /custom

drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 6 Oct 4 12:36 /custom

[root@vm1 ~]#

Let's try to change the default DocumentRoot of httpd from /var/www/html to /custom.

[root@vm1 ~]# echo this is web server >> /custom/page1

[root@vm1 ~]# cat /custom/page1

this is web server

[root@vm1 ~]# curl http://vm1.example.com/page1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>404 Not Found</title>

</head><body>

<h1>Not Found</h1>

<p>The requested URL was not found on this server.</p>

</body></html>

Edit the Apache configuration file /etc/httpd/conf/httpd.conf and replace the two occurrences of the /var/www/html directory with /custom. You can use vim /etc/httpd/conf/httpd.conf to do so (edit the file carefully).

[root@vm1 ~]# vim /etc/httpd/conf/httpd.conf

1.

DocumentRoot "/var/www/html"

change it to

DocumentRoot "/custom"

2.

<Directory "/var/www/html">

change it to

<Directory "/custom">

[root@vm1 ~]#

Since we modified the httpd configuration file, restart the httpd service so the change takes effect (httpd -t checks the configuration syntax first if you want to be safe).

[root@vm1 ~]# systemctl restart httpd

Check with curl again. With SELinux in enforcing mode the page is still not served, but the error changes from 404 Not Found to 403 Forbidden: Apache now finds /custom/page1, but the httpd_t domain is denied access to a directory and file labelled default_t. The denial is recorded in the audit log; ausearch -m AVC -ts recent shows it.

[root@vm1 ~]# curl http://vm1.example.com/page1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>403 Forbidden</title>

</head><body>

<h1>Forbidden</h1>

<p>You don't have permission to access this resource.</p>

</body></html>
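As an added example (not part of the original howto), a filter that turns raw AVC records from the audit log into one readable line per denial, so the refused domain, the permission and the offending label stand out. The two sample records are constructed to look like the denials this howto produces (file2 labelled admin_home_t, then /custom/page1 labelled default_t while permissive); their pids, inode numbers and timestamps are made up, and the function name is mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original howto.
# Summarise AVC denials from `ausearch -m AVC -ts recent` or
# /var/log/audit/audit.log, one line per record.
set -eu

# Constructed sample records (made-up pids, inodes and timestamps).
SAMPLE_AUDIT='type=AVC msg=audit(1727859000.123:456): avc:  denied  { read } for  pid=3193 comm="httpd" name="file2" dev="dm-0" ino=8388743 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1727859000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1728024180.511:789): avc:  denied  { getattr } for  pid=3201 comm="httpd" path="/custom/page1" dev="dm-0" ino=8388760 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1'

# avc_triage: reads audit records on stdin and prints, for each AVC denial,
#   <comm> denied <perms> on <path|name> (<tclass>): <source type> -> <target type> [permissive note]
# A permissive=1 record means the access was logged but allowed, i.e. the
# system was in permissive mode (or the domain is), so it is not what blocked the request.
avc_triage() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      perms = ""
      if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      split("", kv)                           # reset key=value map per record
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0) {
          k = substr($i, 1, n - 1); v = substr($i, n + 1)
          gsub(/"/, "", v)
          kv[k] = v
        }
      }
      obj = ("path" in kv) ? kv["path"] : kv["name"]   # path= when the kernel has it, else name=
      split(kv["scontext"], s, ":")
      split(kv["tcontext"], t, ":")
      note = (kv["permissive"] == "1") ? " [permissive: logged, not blocked]" : ""
      printf "%s denied %s on %s (%s): %s -> %s%s\n", kv["comm"], perms, obj, kv["tclass"], s[3], t[3], note
    }'
}

# demo_triage: runs the filter over the constructed records above.
demo_triage() {
  printf '%s\n' "$SAMPLE_AUDIT" | avc_triage
}
```

Run it as ausearch -m AVC -ts recent | avc_triage after reproducing a 403. A line ending in httpd_t -> admin_home_t or httpd_t -> default_t points straight at a label problem, which restorecon (or a semanage fcontext rule plus restorecon) fixes; a target type such as httpd_sys_content_t with a permission like write instead points at a missing boolean or a genuinely wrong type for what the application is doing, and is not something to paper over with chcon.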

[root@vm1 ~]# getenforce

Enforcing

[root@vm1 ~]# setenforce 0

[root@vm1 ~]# getenforce

Permissive

In permissive mode the page is served, because the denial is only logged, not enforced. That confirms SELinux is the cause, but it is a diagnostic step, not a fix: put the system back in enforcing mode and correct the label.

[root@vm1 ~]# curl http://vm1.example.com/page1

this is web server

[root@vm1 ~]#

[root@vm1 ~]# getenforce

Permissive

[root@vm1 ~]# setenforce 1

[root@vm1 ~]# curl http://vm1.example.com/page1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>403 Forbidden</title>

</head><body>

<h1>Forbidden</h1>

<p>You don't have permission to access this resource.</p>

</body></html>
[root@vm1 ~]# ls -ldZ /custom/

drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 19 Oct 4 12:42 /custom/

Apply the context httpd needs with chcon to the directory and the file. Remember that chcon does not survive a relabel (shown earlier with /custom), so for a permanent document root record the rule in the policy with semanage fcontext -a -t httpd_sys_content_t "/custom(/.*)?" and then run restorecon -RvF /custom; the chcon commands below are the quick way to prove the point.

[root@vm1 ~]# chcon -t httpd_sys_content_t /custom

[root@vm1 ~]# chcon -t httpd_sys_content_t /custom/page1

[root@vm1 ~]# ls -ldZ /custom/

drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 19 Oct 4 12:42 /custom/

[root@vm1 ~]# ls -ldZ /custom/page1

-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 19 Oct 4 12:42 /custom/page1

[root@vm1 ~]# getenforce

Enforcing

[root@vm1 ~]# curl http://vm1.example.com/page1

this is web server

[root@vm1 ~]#
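As an added example (not part of the original howto), the document-root move done so that it survives a relabel: the two httpd.conf edits are made with sed instead of by hand, the label for /custom is recorded in the policy with semanage fcontext rather than set with chcon, and the service is syntax-checked before restart. The helper names are mine; semanage comes from the policycoreutils-python-utils package, and the "apply" entry point assumes it runs as root on the RHEL 9 host from the howto.

```shell
#!/usr/bin/env bash
# Added example, not from the original howto.
# Move the Apache document root to a new directory with a persistent SELinux
# label (policy rule + restorecon) instead of a chcon that the next relabel undoes.
set -eu

# set_document_root <httpd.conf> <old_root> <new_root>
# Rewrites the DocumentRoot line and the exactly matching <Directory> block
# header (quoted or unquoted), leaving a .bak copy next to the file.
# <Directory "/old/root/sub"> blocks are left alone.
set_document_root() {
  local conf=$1 old=$2 new=$3
  sed -i.bak -E \
    -e "s|^(DocumentRoot[[:space:]]+)\"?${old}\"?[[:space:]]*\$|\1\"${new}\"|" \
    -e "s|^(<Directory[[:space:]]+)\"?${old}\"?>|\1\"${new}\">|" \
    "$conf"
}

# httpd_label_cmds <dir>
# Prints the two commands that make <dir> and everything below it carry
# httpd_sys_content_t persistently: a file-context rule in the policy, then a
# relabel from that rule. Printed rather than run so they can be reviewed.
httpd_label_cmds() {
  local dir=${1%/}
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$dir"
  printf 'restorecon -RvF %s\n' "$dir"
}

# move_document_root <httpd.conf> <old_root> <new_root>
# The full procedure on a real host (root, SELinux tools installed).
move_document_root() {
  local conf=$1 old=$2 new=$3
  [ -d "$new" ] || { echo "$new does not exist" >&2; return 1; }
  set_document_root "$conf" "$old" "$new"
  httpd_label_cmds "$new" | sh -e     # policy rule, then relabel
  httpd -t                            # configuration syntax check before restart
  systemctl restart httpd
  ls -ldZ "$new"                      # expect system_u:object_r:httpd_sys_content_t:s0
}

# Only touches the system when invoked explicitly, e.g.:
#   ./movedocroot.sh apply /etc/httpd/conf/httpd.conf /var/www/html /custom
if [ "${1:-}" = "apply" ]; then
  move_document_root "$2" "$3" "$4"
fi
```

semanage fcontext -a refuses to add a rule that already exists; use -m to modify one, and semanage fcontext -l | grep custom to see what is recorded. An alternative to a type rule is an equivalence, semanage fcontext -a -e /var/www /custom, which makes /custom inherit every rule written for /var/www (cgi-bin, html and the rest) rather than a single type. Either way, the final ls -ldZ should show the label coming from policy, and a later restorecon or full relabel will now leave it in place instead of reverting it to default_t.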

Thank you.