Tam,
very much appreciated for all the helps.
On 4/11/12, Tam Nguyen <[log in to unmask]> wrote:
> We're glad to be able to help you.
>
> The package setools-console is very handy when it comes to setting the
> SELinux's user, role, and type for a specific file to allow specific access
> to a specific services.
>
> After installing setools-console, you can find out the list of SELinux
> context "type":
> seinfo -t
>
> Or a list of SELinux context "user":
> seinfo -u
>
> Or "role"
> seinfo -r
>
>
> You will get a long list of context types. An example I've gave you
> earlier was httpd_sys_content_t. Try this command:
>
> seinfo -t | grep httpd_sys
>
> Output:
> httpd_sys_content_t <==== recognize that? :)
> httpd_sys_htaccess_t
> httpd_sys_ra_content_t
> httpd_sys_rw_content_t
> httpd_sys_script_t
> httpd_sys_script_exec_t
>
> Another example, find the SELinux context type for Samba share file.
> seinfo -t | grep samba
>
> Output:
> samba_secrets_t
> samba_unconfined_script_exec_t
> samba_net_t
> samba_var_t
> samba_net_exec_t
> samba_net_tmp_t
> samba_unconfined_net_t
> samba_unconfined_script_t
> sambagui_exec_t
> samba_share_t <========= general samba share privilege
> samba_initrc_exec_t
> sambagui_t
> samba_etc_t
> samba_log_t
>
> Lastly, to make sure your hard-work SELinux survives reboot, run:
> semanage fcontext -a -t context_type_goes_here_t file_name_goes_here
>
> If you assigned context "user", then run:
> semanage fcontext -a -s context_user_goes_here_t -t
> context_type_goes_here_t file_name
>
> Actual example:
> semanage fcontext -a -s system_u -t samba_share_t /samba/sharedir
>
>
> And of course, you can always have the option to turn off SELinux but I
> would not recommend it. The only time I turned off SELinux was when I
> tested a service that kept spitting out permission denied or service not
> accessible...
>
> On Apr 3, zxq9 provided an excellent intro to SELinux. Take a look at his
> post.
>
> Wish you the best.
> -Tam
>
>
>
> On Wed, Apr 11, 2012 at 11:32 AM, Terry Northren <[log in to unmask]>wrote:
>
>> Tam and Alan,
>> thanks for the package. That solved it.
>>
>> Tam, what do I do with setools-console package?
>>
>> Our Linux Admin was working on a test Apache server. Most of the
>> configuration was done by him, but he left the company. I am picking
>> up the left behind. Coming from the Windows side, I am new to many
>> aspects of Linux. Still learning my rope. The Scientific Linux
>> community has been extremely helpful and resourceful :D.
>>
>>
>> On 4/11/12, Tam Nguyen <[log in to unmask]> wrote:
>> > That error means you do not have the prerequisite package installs.
>> > Install the package:
>> >
>> > yum -y install policycoreutils-python
>> >
>> > Since we are on the SELinux topic, I would recommend you also install:
>> >
>> > yum -y install setools-console
>> >
>> > Btw, looking back at your first post about Apache authentication and
>> access
>> > deny and allow, how did you manage to get your Apache to work in the
>> first
>> > place, especially configuring SELinux settings?
>> >
>> >
>> > On Wed, Apr 11, 2012 at 10:53 AM, Terry Northren <[log in to unmask]
>> >wrote:
>> >
>> >> Tam,
>> >> I followed your directions. I ran into an error when I executed the
>> >> semanage command:
>> >>
>> >> semanage fcontext -a -t httpd_sys_content_t public_html
>> >>
>> >> Here is my output error:
>> >> -bash: /usr/sbin/semanage: No such file or directory
>> >>
>> >> I went ahead and followed the rest of your tutorial. It worked!!
>> >> Does this mean I will have to re-configure SELinux after every reboot?
>> >>
>> >>
>> >> On 4/11/12, Tam Nguyen <[log in to unmask]> wrote:
>> >> > Not knowing the configuration of your httpd.conf file and the
>> >> configuration
>> >> > of the local users' home directory, there is no direct answer.
>> >> Therefore,
>> >> > my approach to your question is to give you a very basic setup, which
>> >> would
>> >> > allow users to access files in their home's directory. You can base
>> off
>> >> of
>> >> > this to make it works on your machine.
>> >> > Before you do anything, backup your httpd.conf file.
>> >> > Even better, do this on a test VM.
>> >> >
>> >> > In the file httpd.conf, change these 2 directives to look like this:
>> >> >
>> >> > #UserDir disabled
>> >> >
>> >> > UserDir *public_html*
>> >> >
>> >> > this enables local users to access html files inside the the
>> >> *public_html *
>> >> > directory.
>> >> >
>> >> > Let's say we want UserX to have access to his/her home directory:
>> >> > mkdir /home/UserX*/public_html*
>> >> >
>> >> > Then create an html file in the *public_html *directory,
>> >> >
>> >> > Now comes the fun part, permission and SELinux :).
>> >> > Permission: Make sure UserX is the owner of the *public_html*
>> directory
>> >> > and all files within it (hence, recursively).
>> >> > chown userx:userx *public_html*
>> >> >
>> >> > Directory and files need read and execute permission
>> >> > chmod 755
>> >> >
>> >> > Selinux: public_html and all files within must have one of these
>> >> > context
>> >> > types:
>> >> > httpd_sys_content_t
>> >> > or
>> >> > public_content_rw_t
>> >> >
>> >> > sample command:
>> >> > chcon -R -t httpd_sys_content_t *public_html
>> >> >
>> >> > *then make sure SELinux setting survives reboot, run command:
>> >> > semanage fcontext -a -t httpd_sys_content_t *public_html*
>> >> >
>> >> > verify the directory and do the same to all files inside
>> *public_html*:
>> >> > ll -Z
>> >> >
>> >> > Finally, enable SELinux boolean:
>> >> > setsebool -P httpd_enable_homedirs on
>> >> >
>> >> > Restart Apache without interrupting the users:
>> >> > apachectl graceful
>> >> >
>> >> > Now access UserX' home directory:
>> >> > http://servername_or_ip_address/~userx/
>> >> >
>> >> > This is just a basic configuration to give you a general idea. You
>> will
>> >> > have to customize the settings and permissions according to your
>> >> > server's
>> >> > needs.
>> >> >
>> >> > good luck
>> >> > -Tam
>> >> >
>> >> >
>> >> > On Mon, Apr 9, 2012 at 8:33 PM, Terry Northren <[log in to unmask]>
>> >> wrote:
>> >> >
>> >> >> Hi again,
>> >> >> on Apache server, how do I allow users to access files in their home
>> >> >> folders?
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >>
>> >
>>
>
|