SELinux notes


AWS instances have SELinux enabled by default, so the file contexts on web content need to be updated before sites will serve.

setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/user/public_html
chcon -R -t httpd_sys_content_t /var/www/html
[root@elite home]# getsebool -a | grep httpd
allow_httpd_anon_write --> on
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> on
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

Servers using RDS need httpd_can_network_connect_db set to "on".

setsebool -P httpd_can_network_connect_db=on

Allow puppet to use SMTP by building a local policy module from the logged denials. Note that the grep matches every name_connect denial in the log, not only puppet's, so review the generated puppet_smtp.te before installing the module.

grep name_connect /var/log/audit/audit.log | audit2allow -M puppet_smtp
semodule -i puppet_smtp.pp

Permanently set the file context for web apps. Unlike chcon, this survives a relabel; semanage only records the rule, so run restorecon on the tree afterwards to apply it to existing files.

semanage fcontext -a -t httpd_sys_content_t "/srv/puppetboard/puppetboard(/.*)?"
semanage fcontext -a -t httpd_config_t "/srv/puppetboard/ssl(/.*)?"
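An added example, not part of this wiki page: a small POSIX sh audit that reports which of the httpd booleans the notes above require are off, prints the matching setsebool -P commands, and tests whether a path falls under a semanage fcontext pattern such as the puppetboard ones. The getsebool output it parses is a constructed sample; on a real host feed it the output of getsebool -a instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): offline audit of httpd SELinux
# booleans and fcontext patterns. SAMPLE_BOOLS is constructed, modelled on
# the page's `getsebool -a | grep httpd` listing, with two required booleans
# deliberately off so the report has something to show.
SAMPLE_BOOLS='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
httpd_read_user_content --> on
httpd_unified --> on'

# Booleans the notes need on: public_html serving and RDS database access.
REQUIRED_ON='httpd_enable_homedirs httpd_can_network_connect_db'

# bools_needing_fix <getsebool output>: print each required boolean whose
# state is not "on" (an absent boolean also counts as needing attention).
bools_needing_fix() {
    _out=$1
    for b in $REQUIRED_ON; do
        state=$(printf '%s\n' "$_out" | awk -v n="$b" '$1 == n { print $3 }')
        [ "$state" = "on" ] || printf '%s\n' "$b"
    done
}

# setsebool_cmds <getsebool output>: emit the persistent (-P) setsebool
# commands that would bring the host in line. Printed, never executed here.
setsebool_cmds() {
    bools_needing_fix "$1" | while read -r b; do
        printf 'setsebool -P %s=on\n' "$b"
    done
}

# fcontext_matches <semanage regex> <path>: semanage fcontext patterns are
# regexes anchored at both ends; the "(/.*)?" suffix makes one rule cover the
# directory itself and everything below it. Returns 0 when the path matches.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Stand-alone run: show the fix-up commands for the constructed sample.
setsebool_cmds "$SAMPLE_BOOLS"
```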