In this lab we’ll use SELinux to resolve a scenario that is common in the real world. Doing this will help us understand the tools available and where to look when troubleshooting SELinux issues.
*This course is not approved or sponsored by Red Hat.*
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Fix the SELinux Permissions on `/opt/website` so That They’ll Survive a Relabel
  - First we’ll check to see what the label needs to be. Websites are normally stored in `/var/www/html`, so we can look there to see what it should be.
  - We can see that the context should be set to `httpd_sys_content_t`.
  - The command we need to run is: `semanage fcontext -a -t httpd_sys_content_t '/opt/website(/.*)?'`
  - This makes a change in the SELinux database.
  - We then need to run `restorecon /opt/website` to actually make the change on the filesystem.
  - This will set the directory to the correct context and protect that change from a relabel in the future.
- Deploy the Website as Instructed and Test It
  - We’ve been instructed to deploy the website by running `mv /root/index.html /opt/website/`.
  - We can then try a `curl localhost/index.html` to test our deploy.
  - If we get a `403 Forbidden` error, test if SELinux is the problem by running `setenforce 0` and then running `curl` again.
  - If the `curl` works with SELinux in permissive mode, we can set it back to enforcing with `setenforce 1` and then investigate why.
- Resolve the Error When Trying to Access `/opt/website/index.html`
  - `ls -lZ /opt/website` will show that `index.html` has an SELinux type of `admin_home_t`, which isn’t what we need when serving webpages.
  - We can run `restorecon /opt/website/index.html` to fix this error and the curl will work.
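
The label check from the last objective can be scripted so that every mislabeled file is reported at once. This is an added example, not part of the lab: the function names `find_mislabeled` and `sample_listing` are hypothetical, and the sample listing (including `about.html`) is constructed so the script runs without an SELinux host.

```shell
#!/bin/sh
# Added example: flag entries whose SELinux type differs from the expected one.
# Reads `ls -lZ`-style lines on stdin and prints "<name> <actual_type>" for
# every entry whose type is not the one passed as $1.
# Limitation: the name is taken as the last field, so names with spaces
# are reported by their last word only.
find_mislabeled() {
    awk -v want="$1" '
        {
            # Locate the security context field (user:role:type[:level]);
            # its position differs between ls versions, so scan for it.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[^:]+_u:[^:]+_r:[^:]+_t/) {
                    split($i, ctx, ":")
                    if (ctx[3] != want) print $NF, ctx[3]
                    break
                }
            }
        }'
}

# Constructed sample of `ls -lZ /opt/website` output after the mv step:
# index.html still carries the label it had under /root.
sample_listing() {
    cat <<'EOF'
total 8
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 21 Jan  1 12:00 index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 40 Jan  1 12:00 about.html
EOF
}

# Report everything that httpd would not be allowed to serve.
sample_listing | find_mislabeled httpd_sys_content_t
```

On a real host, feed it live output with `ls -lZ /opt/website | find_mislabeled httpd_sys_content_t`; anything it prints is a candidate for `restorecon`.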